Process Safety and its Management
Process Safety and its Management
Process safety is a disciplined framework for managing the integrity of operating systems and processes which operates under hazardous conditions and handle hazardous materials. It relies on good design principles, engineering, and operating and maintenance practices. It deals with the prevention and control of undesirable events which have the potential to release hazardous materials and energy to the surrounding environment. It is normally accepted that ‘process safety’ is about preventing incidents which, while having a low likelihood of their occurrence, are associated with severe potential consequences. Process safety is needed for the protection of people and property from episodic and catastrophic incidents which can result from unplanned or unexpected deviations in process conditions.
Process safety is about managing the integrity of operating systems by applying inherently safer design principles, engineering, and disciplined operating practices. It deals with the prevention and mitigation of incidents which have the potential for a loss of control of a hazardous material or energy. Such loss of control can lead to severe consequences with fire, explosion and / or toxic effects, and can ultimately result in loss of life, serious injury, extensive property damage, environmental impact, and lost production with associated financial and reputational impacts.
By definition, process safety events have the potential for catastrophic loss of life. Process safety incidents can also impact organizational profitability, reputation, and viability. Negative business and reputational impact can also arise from those process safety incidents which do not have major impact on human or environmental health, but rather erode people confidence in the operation of process.
Unexpected releases of very hot materials, liquid metals, corrosive substances, as well as toxic, reactive, flammable, or explosive substances such as liquids and gases in processes involving highly hazardous materials are the outcomes of the process safety violations. Unsafe Incidents occur in hazardous industry such as the iron and steel plants if there are safety violations during the design, installation, and operation of the processes. In such processes, there is a high potential of the process safety related accidents and a possibility of a disaster.
Process safety incidents can have catastrophic effects and can results multiple injuries and fatalities, major damage to the plant and equipment, and substantial damage to the surrounding environment. Such incidents also have substantial economical impact on the organization. Process safety incidents can harm employees within the plant boundaries as well as the people residing in the surrounding areas of the plant. Hence, process safety management focuses on the (i) design and engineering of the facilities related to the process, (ii) strict adherence to the operating and maintenance procedures, (iii) proper working of the safety interlocks and alarms, (iv) employees training in various aspects of the process, (v) hazard assessment, (vi) incidents investigation, (vii) regular inspection, testing, and maintenance of the plant and equipment, (viii) effective and disciplined process control, and (ix) human related factors.
Good performance in personal safety does not ensure good process safety performance. While there are some common things such as good safety culture and employees’ attitude, process safety needs a total knowledge of the process and its equipment, the process operations, and a thorough knowledge of the hazards associated with it. Traditional safety measures such as injury rates, lost time accident rates, and days lost from work are normally not good indicators of process safety performance.
Process safety is a blend of engineering and management skills focused on preventing catastrophic accidents and near misses, particularly structural collapse, explosions, fires and toxic releases associated with loss of containment of energy or dangerous substances such as liquid metals, and toxic gases. These engineering and management skills exceed those needed for the management of the workplace safety. For addressing the risks relating to process plant, US regulating agency for occupational safety and health administration (OSHA) have zeroed on to the process safety management elements which are (i) process safety information, (ii) process hazard analysis, (iii) employee participation and training, (iv) operating procedure, (v) personal safety, (vi) mechanical integrity and hot work permit, (vii) management of change, (viii) emergency planning, and (ix) accident investigation. These elements are shown in Fig 1.
Fig 1 Elements of process safety management
The three things which are involved in the process safety are (i) process (systems and risk process), (ii) people (including training and competency, human factors, leadership, and culture), and (iii) plant (inherently safer plant, layers of protection, design and operating limits, etc.). Plant aspects are normally under the control of process safety personnel having engineering capabilities. Process and people are frequently under the control of the occupational health and safety personnel of the plant (with many elements shared across the organization), but with deference to process safety expertise relating to matters such as process hazard analysis, operator competency requirements, risk modelling and quantification, design which ensures safety and operating integrity (e.g. pressure relief valves, emergency shutdown systems and flaring design), risk based inspection, testing and maintenance procedures and programmes which ensure process plant integrity. Process safety personnel are also custodians of process safety knowledge and the development of sound process safety information (e.g. operations and maintenance procedures, process and instrumentation diagrams and schematics, hazardous area dossiers, process safety critical equipment, barriers and performance standards).
Three key factors which distinguish process safety from the occupational health and safety are (i) the mechanisms of causation i.e. while both process safety and occupational health and safety are concerned with a potential loss of control of hazardous energy, process safety is normally about managing higher levels of energy, (ii) the scale of potential consequences i.e. while process safety incidents are less common than the occupational health and safety incidents, their consequences are more likely to be severe, and (iii) The focus on engineering and design i.e. the process safety focuses on the safety of the system while the occupational health and safety is about the safety of those who interact with the system. Failure to identify these differences and develop appropriate management practices has been a considerable factor in several process safety disasters. Fig 2 shows factors distinguishing process safety from occupational health and safety.
Fig 2 Factors distinguishing process safety from occupational health and safety
There are several catastrophes on records where catastrophes because of the violation o process safety have adversely impact ecosystems with widespread and / or long-lasting environmental consequences for agriculture, biodiversity, water sources, and other natural resources.
There are also similarities and overlaps with the occupational health and safety. The management of process safety within the organization needs leadership across functional elements of(i) knowledge and competence, (ii) engineering and design, (iii) equipment of the process, (iv) systems and procedures, (v) assurance, (vi) human factors, and (vii) culture. Fig 3 shows management of process safety in the organization.
Fig 3 Management of process safety in the organization
Information on the hazards associated with the highly hazardous substances in the process consists of at least the (i) toxicity, (ii) permissible exposure limits, (iii) physical data, (iv) reactivity data, (v) corrosivity data, (vi) thermal and chemical stability data, and (vii) hazardous effects of inadvertent mixing of different materials. Information on the technology of the process is needed to include at least (i) a block flow diagram or simplified process flow diagram, (ii) process technology which includes the chemical and metallurgical aspects, (iii) maximum intended inventory, (iv) safe upper and lower limits for such items as temperatures, pressures, flows, or compositions, and (v) an evaluation of the consequences of deviations, including those affecting the safety and health of the employees.
Where the original technical information no longer exists, such information can be developed in conjunction with the process hazard analysis in sufficient detail to support the analysis. Information on the equipment in the process is to include (i) materials of construction, (ii) piping and instrument diagrams (P&IDs), (iii) electrical classification, (iv) relief system design and design basis, (v) ventilation system design, (vi) design codes and standards employed, (vii) material and energy balances for processes, and (viii) safety systems (e.g., interlocks, detection, or suppression systems).
Around the world, the statutory regulations which seek to govern the activities related to the process safety risks are either prescriptive or performance-based. Prescriptive regulations have seen the emergence of specific standards which provide useful benchmarks across jurisdictions. On the other hand, the performance based regulations need high-hazard activities to be managed through the regulated safety activities, in addition to the normal activities under the occupational health and safety regulations which govern all the workplaces. The complexity in regulating facilities from process safety and environmental perspectives across these multiple jurisdictions can sometimes result in conflicting requirements, a challenge which is to be managed effectively to ensure compliance with the required regulations.
The regulated safety activity approach is enshrined in specific statutory regulation for the major hazard facilities (MHFs). A safety activity approach needs analysis and documentation detailing all hazards which can lead to a major incident, implementation of control measures to prevent or mitigate the hazards, provision of a safety management system, and monitoring of the efficacy of the ongoing control measures. An essential element of such performance-based regulations is that the facility or the organization is required to identify relevant standards and processes to reduce safety risks so far as is reasonably practicable.
The organization is to ensure and document that the process equipment complies with the recognized and normally accepted good engineering practices. For existing equipment designed and constructed in accordance with the codes, standards, or practices which are no longer in normal use, the organization is required to determine and document that the equipment is designed, maintained, inspected, tested, and operated in a safe manner.
The compilation of the process safety information provides the basis for identifying and understanding the hazards of a process and is necessary in developing the process hazard analysis and can be necessary for complying with other provisions of the process safety management such as management of change and incident investigations.
Process safety and, to some extent general safety normally have suffered from the siloed approach of the process safety and the occupational health and safety professions and structures within corporate management. Silos can arise for a range of reasons, including differences in professional ‘culture’, levels of technical knowledge and specialist language.
Operating personnel of MHFs have obligations to (i) identify all major incidents and major incident hazards for the facility, (ii) conduct and document a safety assessment in relation to the operation of the facility which involves a comprehensive and systematic investigation and analysis of all aspects of risks to health and safety which can occur in the operation of the MHF, (iii) implement control measures which eliminate or minimize the risk of a major incident occurring at the MHF, (iv) prepare an emergency plan, (v) establish a ‘safety management system’ (SMS) for the operation of the MHF, and (vi) prepare a ‘safety event’ for the MHF which demonstrates that the MHF’s SMS is capable of controlling risks arising from major incidents and major incident hazards and demonstrates the adequacy of the measures to be implemented by the operating personnel to control risks associated with the occurrence of major incidents.
Active participation in process hazard identification and risk assessment needs underpinning knowledge and skills relating to (i) chemical, physical, and metallurgical characteristics of hazardous substances, including chemical incompatibility and descriptive parameters such as lower flammable / explosion limit (LFL / LEL), upper flammable / explosion limit (UFL / UEL), auto ignition temperature (AIT), flash point, fire point, and toxicity measures, (ii) potential mechanisms and consequences of a loss of control, (iii) reading and understanding the basic engineering drawings, (iv) failure modes and rates, (v) various process hazard identification and risk assessment tools and the potential for the generalist occupational health and safety personnel to contribute to use of such tools.
While engineers use many types of technical drawings, those most relevant to the generalist occupational health and safety person participating in process safety risk assessments are the ‘process flow diagrams’ (PFDs), ‘process safety flow schematics (PSFSs)’, and ‘piping and Instrumentation diagrams’ (P&IDs). The generalist occupational health and safety personnel are not expected to be able to work in depth with such diagrams, but are required to be familiar with their use. Some suggestions for the occupational health and safety person likely to be involved in a risk assessment or discussion based on a PFD, PSFS or P&ID are (i) to ask for a legend and explanation of symbols since different legends and / or meanings can apply in different organizations, and (ii) to develop an appreciation for how the drawing reflects what is in the field. PFDs, PSFSs and P&IDs are ‘not to scale’ drawings.
One strategy is to ‘walk the lines’ accompanied by an engineer or operator with the drawing in hand. Some questions while walking the lines can be (i) what is the material in the vessel / pipe, (ii) what can happen if —-, (iii) how is the integrity of the equipment managed, (iv) how can cross contamination /mixing of materials occur, (v) what happens if such contamination /mixing has occurred, (vi) how the equipment can be safely isolated for the maintenance, (vii) how can the maintenance personnel can safely access the equipment to maintain it, and (viii) in what ways are the operating personnel needed to directly interact with the equipment.
Process flow diagram – A PFD is a logic diagram showing major items of equipment and how they relate to the process route. It normally indicates considerable process piping, major equipment (pumps, vessels, and heat exchangers etc.) and control loops. A PFD is normally matched with a ‘heat and mass balance’ data table, which indicates mass flows, temperatures, pressures, and compositional changes through the process.
Process safety flow schematic – PFDs are frequently used as the basis for PSFSs on which process safeguarding equipment is shown. Such equipment includes trip sensors, emergency shutdown valves, pressure relief valves (PRVs), non-return valves, locked open / closed values, restriction orifices, and excess-flow valves.
Piping and instrumentation diagram – A P&ID is historically called an ‘engineering line diagram’ (ELD). It is the master drawing for a process plant. Typically, it covers one or more pieces of equipment and all related piping and control / safeguarding systems related to the equipment. It includes (i) a representation of the item(s) of pressurised equipment, showing piping and instrument connections with flow directions, (ii) basic operating and design data for the equipment, (iii) equipment and instrument tag numbers, line numbers, valve types, and normal operating status with alarms and trip functions, (iv) piping size, class (pressure rating and material of construction), insulation and other key specifications, and (v) connecting links to other P&IDs for associated equipment.
P&IDs are used in engineering design and as a basis for risk assessments of the process operation, such as HAZOP (hazard and operability analysis). The diagram elements are indicative and ‘not to scale’. While they do not indicate spatial layout, the relative location of piping connections are to be correct. This means that some relatively short lines on a P&ID can actually be several metres long.
Other engineering diagrams and documents – Other types of documents routinely used by process safety personnel in risk assessment or the presentation of safety activities include cause and effect diagrams, Bow-Tie diagrams, fault trees, event trees, consequence-model diagrams, and safety critical element (SCE) registers. The diagrams can be used to calculate and show the risks or the consequences of an incident while SCE registers are used to ensure there is a comprehensive list of items needing monitoring and to connect the monitoring data for the identification of the trends.
Failure modes and rates
Understanding the different modes of failure of equipment being risk assessed as well as the estimated frequency of such failures is essential for valid risk assessments.
Failure modes – Plant and equipment can fail for a variety of reasons including but not limited to (i) faulty manufacture, (ii) as part of commissioning and early operation, (iii) operation outside design parameters, (iv) deterioration as a result of wear, corrosion, etc., (iv) poor or no maintenance.
The activities and management strategies within key elements of the occupational health and safety systems important in identifying potential failures are (i) inspection activities and (ii) system review. The inspection activities are important to identify (i) significant corrosion, damage, and leaks, etc., not only in parts of the plant itself but also in associated equipment and structures, (ii) gauges reading outside normal parameters or damaged, (iii) cooling systems having flow of considerable quantities of water, (iv) unusual process noises, vapour / steam cloud, smokes, and temperature / dew, and (v) so on.
The system review is important to verify (i) preventive maintenance is taking place as scheduled, (ii) inspections are taking place as scheduled and the findings are addressed in accordance with the risk, (iii) management of change processes are vigorously implemented, (iv) employees are trained and competent to do their allocated work, (v) emergency preparedness, including ensuring local emergency services are fully briefed on process hazards, and (vi) identification of potential adverse impacts from thunderstorms, cyclones, floods and other natural disasters, loss of power, industrial action (such as strikes, lock outs etc.) and cyber interference, and preparation for such events.
Failure rates and reliability – When managing process safety risks, it is frequently essential to quantify the failure rate of the equipment which can result in (i) a loss of control or containment of a hazard (e.g. number of seal failures per annum) and (ii) of the safety equipment designed to prevent or mitigate the hazardous event (e.g. probability of high-level trip on tank) not working when needed. Similarly, failure of procedures, frequently due to the operating personnel making mistakes, can impact on process safety in the same two ways.
Failure rates of equipment or procedures which can lead to loss of control or containment of a hazard allows the initiating event frequency to be calculated. This is always reported as a failure rate per unit time, typically incidents / annum. Examples of these types of failure rates are the number of seal failures per annum, or an estimate of how many times per annum the operating person can give a wrong command for controlling a parameter. Both examples are typically known as the primary causes of a hazardous event or scenario, since they are the initiating step which begins the scenario developing, and leads to the incident, if not prevented or mitigated by suitably designed safety systems.
Equipment or systems designed to prevent or mitigate the incident are known as the layers of the protection. These can include hardware such as pressure safety valves or a high-level trip on a tank, together with operating procedures describing the required response to an alarm. The failure probability of equipment or systems designed to prevent or mitigate the hazardous event (i.e. layers of protection) is known as the ‘probability of failure on demand’ (PFD) and is a dimensionless number with a value of zero to one (e.g. probability of a high level trip on a tank not working when needed). The main difference between the initiating event and the layer of protection is that the initiating event ‘causes’ the hazardous scenario to start whereas the layers of protection stop it from developing.
Determining failure rates and probabilities needs quality data and an understanding of the reliability mathematics. Failure rate data is typically unavailable within many iron and steel plants and is rarely available from component manufacturers. Engineers normally use standard industry norms to estimate failure rates and probabilities backed up with on-site operating experience of the particular equipment and location when this is available. The same equipment can fail in a number of ways with only some of which can lead to the loss of control or failure of the safety system, so it is important that any data used is interpreted carefully. Integrated iron and steel plants normally issue internal guidelines on what failure rate data and probabilities are to be used, but even these are to be used with care.
Reliability mathematics can be quite complex and various techniques are available to perform the calculations. For some complex situations, especially when there is a high or perceived high underlying risk or consequence, detailed ‘fault trees’ and ‘event trees’ can be developed. For simpler systems a simplified technique known as layers of protection analysis (LOPA) can be used. This is a technique which has come into widespread use in recent years and is preferred by many regulating agencies as it balances ease of use with a reasonable degree of rigor.
For the ‘safety instrumented functions’ (SIF) such as trips and interlocks, ‘safety integrity level’ (SIL) analysis is performed to determine the required reliability of the system. This is known as ‘SIL assessment’ or ‘SIL determination’. This is typically led by process safety personnel with input from a multi-disciplinary team including process engineers, operating personnel, instrument and control engineers, and the occupational health and safety personnel. It is a form of risk assessment since the exercise is aimed at determining the required layers of protection to achieve a required risk target. The most common methodology for performing SIL assessment studies is LOPA in which each hazard is considered, existing controls (layers of protection) are examined and a gap is identified to achieve the target risk level.
The SIF PFD and SIL are then specified to close this gap. It is important that each layer of protection is independent of each other and from the initiating cause. Both the SIL and the needed probability of demand are required to be specified for the SIF to be designed. It is possible for the SIF to meet the SIL requirement but not to meet the PFD requirement.
The target risk level is typically organization specific and varies across organizations depending on their risk appetite and the approach by the relevant regulating agencies. The target risk level applies per loop or system under consideration and differs from the organization’s overall individual risk criteria, typically by an order of magnitude. This is since an employee is likely to be exposed to multiple risks whereas the LOPA calculation applies only to a single incident or risk. For different potential consequences (multiple fatalities, single fatality, and serious injury etc.), there can be different target risk criteria and so different reliability requirements. Meeting the target risk level does not necessarily mean that the risk is managed and ‘so far as is reasonably practicable’ additional controls can be necessary to achieve this statutory required standard.
The design of SIFs and their components are to be checked (verified) and if the failure rate does not meet the PFD requirements, then there can be the need for more reliable components, different configurations, or additional devices. Once the equipment is installed and operated, it is to be checked again (validated) to ensure it meets the specified design requirements. Verification and validation is normally performed by specialist instrument and control engineers. Just as importantly, the SIF is to be maintained and tested throughout its lifetime to ensure that it meets the needed reliability during the ongoing operation.
When identifying failure modes or when undertaking a SIL study, it is important to identify the independence or linkage of potential failures. If a backup or separate protection system has a similar failure mode, and these can be linked in an actual failure, it is not independent and the protection is not likely to work as needed. For example, a high-level alarm and a high level shut down trip, both reading from the same level sensor are not independent as they have a common mode of failure, the high-level sensor. Independent operation needs a separate sensor for the high-level shutdown trip. Independence can also be traced further, for example, if both sensors are powered from the same source, the level of independence is reduced. This independence, or otherwise, is demonstrated using ‘and / or’ logic in failure modelling such as ‘fault trees’. When using LOPA, multiple layers which are not independent are typically discounted and only one layer is credited.
Organizational and human factors – Since the process safety and the occupational health and safety occurs within a socio-technical system, the relationships of the employees with each other, with the management, and with the technical system are to be considered as a functioning whole. Hence, while process safety has a focus on technical analysis and engineering design, this is to be consciously placed in the context of the organization taking account of the operating and other key personnel. In addition, technical performance is influenced by management decisions, organizational and safety culture, and external socio-political pressures.
Human factors play a major role in process safety incidents and in the management of process safety. An understanding of human factors and organizational impact on human behaviour and response is vital in considering modes of failure. This approach is quite different to a focus on humans as the source of the problem or error.
A study identifies ‘errors’ in engineering and process safety activities. These errors include (i) simple slips (e.g. forgetting to open / close a valve, error in calculation, wrong connection, failure to notice), (ii) errors related to training or instructions (e.g. knowledge of what is not known, inappropriate reliance on training, and contradictory instructions), (iii) failure to follow the instructions (including non-compliance by managers and operating personnel), (iv) errors in design and / or construction (e.g. faulty conceptual design, pipe failures, and defective construction etc.), (v) maintenance errors (lack of understanding of how equipment works, incompetence, short cuts, and poor maintenance practices etc.), (vi) operational and communication errors (e.g. inadequate use of permit-to-work systems), (vii) errors in automated plants (e.g. software errors, entering wrong data, misjudging response by computer, changes to programmes without management of change), and (viii) errors related to management environment (including cost and production pressure). However, the study challenges the value of talking about human error as a cause and suggests focusing on the action needed to prevent the ‘error’ occurring.
The focusing on the action needed to prevent the ‘error’ occurring has been taken up in another study which has explored ‘old’ and ‘new’ views of human error. While the old view attributes error to mishap, the new view sees it as symptomatic of deeper trouble and, rather than focusing on where the employees have gone wrong. In the study, it has been advocated the finding out of ‘how the employees’ assessments and actions have made sense at the time, given the circumstances’.
Characteristics of the new view of human error are based on the concept of work as a socio-technical system and resonate in a process safety environment which considers that (i) complex systems are not basically safe, (ii) complex systems are trade-offs between multiple irreconcilable goals (e.g. safety and efficiency), and (iii) employees have to create safety through practice at all levels of the organization.
Approaches and tools
Hazard identification and risk assessment are core activities for both the process safety personnel and the occupational health and safety personnel. While these activities are similar in concept for both the process safety and the occupational health and safety, they differ in the detail and, in some cases, the types of tools used. This is described below with the focus on, firstly, on the differences in approaches to risk assessment and, secondly, on types of process safety analysis and the potential contributory role of the occupational health and safety personnel.
While the objectives of the process safety and the occupational health and safety risk assessments are similar, some key differences in approach can be considered under the headings of (i) focus, (ii) hazard identification, (iii) risk assessment tools, (iv) inputs, and (v) outcomes.
Focus – The most obvious difference between the process safety and the occupational health and safety risk assessments is the focus of the assessment. Occupational health and safety risk assessments tend to focus on workplace risks associated with the work undertaken. They assess the risks to the employees due to the work, plant and equipment, materials and work environment (e.g. heights, confined spaces, work practices, and external impacts etc.). Process safety risk assessments focus on operational risks associated with the process equipment and assess the risk to the facility, employees, and the surrounding community.
Hazard identification – While specific ‘sources of potentially damaging energy’ can be considered the hazard in both the process safety and occupational health and safety studies, the method of identifying their presence and action differs. The occupational health and safety personnel gain information through observation, experience, and data, while the process safety personnel employ hazard identification techniques such as ‘process hazard review’ (PHR) and HAZOP studies which feature guidewords.
Risk assessment tools – There are three main types of hazard identification and risk assessment tools. These are (i) qualitative, (ii) semi-quantitative, and (iii) quantitative. Qualitative tools are matrices and hazard identification techniques featuring guide words. Semi-quantitative are those where word descriptors are associated with numerical ratings. For normal occupational health and safety personnel, these can include matrices with numerical risk ratings, spreadsheet assessments, and nomograms. The process safety personnel can use LOPA or SIL analysis. Quantitative risk assessment (QRA) tools are based on detailed consequence modelling and frequency analysis (e.g. using fault trees and event trees). While quite different to QRA, risk assessment tools with a numerical basis are used by the occupational health and safety personnel, e.g. hazard-specific tools for measuring exposure to chemicals, force and related risks associated with manual handling, biological indicators to assess fatigue, and surveys and tools to assess risk from psychosocial hazards.
Inputs – The occupational health and safety personnel base risk assessments on a broad range of information and data, including the history of incidents inside and outside the organization, statutory regulations and standards, industry information, observation, and expert opinion. Process safety personnel use such information in addition to equipment failure rates, process parameters, and engineering-based calculations.
Consultation is a regulatory requirement is some countries. Under consultation, both process safety personnel and the occupational health and safety personnel seek input from key stakeholders, including those who do the work and those who can be affected by the work process. Such consultation has a higher profile in risk assessments by the occupational health and safety personnel. For process safety personnel, risk assessment is a more technical process.
Outcomes – For both the process safety and the occupational health and safety, the objective of risk assessment is to understand the nature of the risk to inform development and implementation of controls. The key differences are in the focus and nature of the controls. Process safety controls have primarily focus on protection of the plant and operations, and are normally engineering controls (e.g. alarms, trip systems and relief valves) supported by administrative controls (such as permit to work and competency). The occupational health and safety controls mainly focus on employee’ protection with the nature of the controls implemented based on (i) need for requisite variety to address complexity, (ii) effectiveness of control as indicated through hierarchies of control, (iii) time sequence for employing controls, and (iv) socio-technical environment in which the control operates.
Control of risk to prevent and mitigate hazardous incidents is the overall objective of hazard identification, risk assessment, and safety-related management activities for both process safety personnel and the occupational health and safety personnel. For both the groups, the priority for control actions is (i) elimination through design, (ii) prevention, (iii) evaluation and assurance, and (iv) mitigation. Prevention and mitigation are achieved through passive, active and administrative barriers applied within a systematic approach to the process safety and occupational health and safety managements.
Elimination through design – Inherently safer design (ISD) is based on the principle that it is better to remove the hazard or reduce the magnitude of the hazard than to control it with equipment and procedures. This can be summed up as ‘what one does not have cannot leak’. The concepts underpinning ISD continue to evolve and increase in importance. While there are several ways of categorizing ISD strategies, the four categories important for the process safety are (i) minimization, (ii) substitution, (iii) moderation, and (iv) simplification.
It is normally not possible to target all hazards in the plant equally. For example, to allow for a reduced inventory of a hazardous material, the design can need processing at a higher temperature and pressure. In such a case the higher temperature and pressure is accepted to reduce the risk of a hazardous inventory. Another scenario is that there can be two possible materials for a process, one flammable with low toxicity, the other with low flammability but high acute toxicity. The hazard and ISD strategy selected frequently represent a compromise based on intensive risk assessment which considers the life cycle of the plant and the technology available at the time.
Minimization – Reducing the hazardous energy by reducing the size of the equipment (intensification of the process) is inherently safer as the consequences of a loss of containment are correspondingly reduced. Use of smaller units also enables implementation of other design safety features such as stronger containment. Process conditions in smaller vessels / furnaces are more uniform so there is better process control and improved safety. Since the smaller equipment is cheaper to build, there are also financial benefits.
Substitution – Substitution of a less-hazardous material or process reduces the overall hazards, but is normally to be considered at the design stage. Substitution for safety reasons is frequently linked with strategies to reduce environmental impact of materials and material processing, also known as sustainable or ‘green’ processing.
Moderation – Sometimes referred to as attenuation, changing a material or process to moderate a hazard can reduce the consequences of a loss of control. Moderation involves using processes needing less-hazardous operating conditions, i.e. reaction conditions closer to ambient temperature and atmospheric pressure. This can be achieved by (i) dilution with a less-hazardous material, reducing the impact of a loss of containment and, in some cases, increasing the stability of the material, (ii) refrigeration (e.g. storing liquefied natural gas / liquefied petroleum gas under refrigeration at atmospheric pressure thus reducing the need for pressure containment), (iii) changing physical characteristics (e.g. handling and transporting a material in briquette form rather than as a fine or combustible dust), and (iv) use of a catalyst to allow a lower operating temperature.
Simplification – A complex process or plant is normally more difficult to operate and less tolerant of errors. At the design stage, the emphasis is to be on the simplest design possible to eliminate a hazard or minimize the need for complex control and safeguard systems. Some general principles are (i) use of stronger (higher pressure rated) equipment to reduce the need for complex pressure relief systems, instrumentation, and interlocks, (ii) elimination of seldom-used piping, (iii) processes tolerant to variations in operating parameters and feedstock changes, (iv) making incorrect operation impossible (e.g. use of selective couplings to prevent inadvertent cross-connection of utilities such as nitrogen and breathing air systems), and (v) good human factor design to ensure equipment operates the way the people expect it to operate and provides feedback to confirm proper operation.
Prevention – The management environment sets the context in which all aspects of process safety and occupational health and safety operate. The management environment can be considered at two levels namely (i) organisational culture, and (ii) management systems and processes.
The safety is normally better served by shifting the focus and language from ‘safety culture’ to the organizational and management practices which have a direct impact on risk control in the workplace. It is frequently necessary to consider the components of a systematic approach to managing safety by comparing the process safety and occupational health and safety approaches to safety management systems and the specific examples of ‘management of change’ in a process safety environment and ‘safety critical elements’.
A process facility has three components namely (i) plant consisting of equipments, furnaces, heat exchangers, pipes, pumps, valves, sensors, computers, and relief valves, etc., which constitute the hardware and the control software used to operate the facility, (ii) process which constitutes the operating conditions (e.g. flow rate, pressure, and temperature) needed to produce the products, and (iii) people constitute those employees who operate the plant and ensure that the process remains within its design limits, those employees who maintain the plant so it can continue to operate as intended, and those employees who have accountability over the management of the plant and process.
A facility design is based on certain assumptions (e.g. the information about the feedstock, and the competency of operators), constraints (e.g. the availability of capital to spend on the design / construction), and limitations (e.g. physical realities related to materials and resources). These assumptions, constraints and limitations determine the nature of the process, the design, and construction of the plant, and the needed resources and competencies for operation, maintenance and management of the plant and the process. The result is typically a commissioned facility with a design which can have limited capacity to adapt to deviations from the design assumptions, constraints and / or limitations. In changing environments, such rigidity can cause the plant, process and / or people to be no longer ‘fit for the purpose’ (i.e. no longer able to produce the desired product at the desired rate or quality) or, worse, create an unsafe situation (i.e. a process safety incident). In such cases, the function of safeguards can be compromised or process conditions can exceed the ability of the facility to tolerate them (e.g. pressures / temperatures) and so lead to failure and loss of containment.
Changes are, however, inevitable in most situations. For example, changes in feedstock quality or availability, changes in the specifications of products and changes observed in the plant over time drive a need for the facility to be modified to varying degrees. Changes in production facilities can include both technical changes and organizational changes.
Typical technical changes include (i) changes initiated when statutory regulations, codes of practice or licence conditions are altered or where new requirements are imposed, (ii) design alternations or alterations to plant, equipment or any hardware (excluding like-for-like changes or replacement-in-kind), (iii) alterations to operations (including process parameters, safe operating conditions set within the pressure / temperature design limits), operating procedures or work instructions, (iv) changes to software or hardware associated with either process control systems or instrumented protective systems, (v) changes to set points initiating instrumented protective systems (e.g. a change to the low-level trip set point for a boiler), (vi) materials management (e.g. proposed use of a material which is new to the facility), (vii) changes to inspection, maintenance, or testing programmes, (viii) change in location or plant layout, (ix) a series of minor variations or adjustments with a cumulative effect which constitutes a deviation of significance from the original condition.
Typical organizational changes include alterations to the organizational structure (e.g. additions or deletions of roles) and any changes (permanent or temporary) in the employees assigned to (i) safety critical roles (responsible for assuring the effectiveness of the management system and risk controls), (ii) interface with designated internal technical specialists with sign-off authority (frequently referred to as technical authorities), (ii) roles specified in a major hazard facility safety incident, (iv) internal reporting needs, including key performance indicators, (v) interface with the regulatory authorities, and (i) interface with media representatives.
Other types of changes can relate to changes in the asset portfolio, such as the acquisition or disinvestment of facilities which can result in safety or environmental regulatory issues (e.g. contamination of soil, and quantity of suspended particulate matter discharged in the environment etc.) which are to be considered during a due diligence scrutiny.
For changes to be implemented effectively and safely the potential impacts of the change on all aspects of the facility (or the organization) are to be evaluated, understood, and communicated and, where needed, the risks mitigated. Majority of the steel organizations adopt a formal, systematic process for the management of change, typically comprising of (i) a clear definition of what constitutes a significant change (including changes to the organization and how temporary modifications are dealt with), (ii) consultation with subject matter experts, (iii) risk assessment of the proposed change, (iv) designated authority levels for approving the proposed change, (v) tracking of the communication and close out of the change, (vi) identification of any training needs associated with the change, (vii) identification of any controlled documents needing updating.
Formal management of change processes are also to ensure that (i) the original scope and duration of all changes (including temporary modifications) are not exceeded without review and formal approval, (ii) changes are documented (including the rationale and technical basis), and (iii) temporary changes have a prescribed time limit (not to be exceeded without formal review and approval).
Safety critical elements – The safety critical elements (SCEs) are defined as ‘a barrier which has been deemed to be critical by the facility or the organization to ensure the tolerability of the residual risk’. This is normally done on the basis of understanding (i) the consequence which the barrier is preventing or mitigating, (ii) the likelihood of that consequence happening, and (iii) the reliability of the barrier. SCEs can be hardware, control system related, or administrative, such as procedures.
Compromised design and maintenance of SCEs is a recurring theme in process safety incidents. For example, a report of the investigation into an incident identified ‘failure of design and maintenance in both overfill and liquid containment systems’ as the technical cause of the initial explosion and the seepage of pollutants to the environment. Reflecting on the incident and similar design failures in other incidents, it has been observed that reference to the international standards for design of SCEs is insufficient to ensure the required level of safer design and it is very important that appropriate changes to the international standards are made.
In a performance-based regulatory system, it is a fundamental requirement for the organizations to define their own SCEs, and then to implement an assurance process to ensure they have confidence in the reliability of each element. Examples of SCEs include (i) application of a high-quality safe-work or permit-to-work system, (ii) management of locked / tagged isolation valves, (iii) activation and operation of automated emergency trip systems which prevent a loss of containment when control is lost, (iv) operation of a pressure relief valve on a pressure vessel at the needed conditions, (iv) injection system to stop a runaway exothermic reaction, (v) gas detection equipment, and (vi) fire detection and suppression systems.
In a plant, the process is normally controlled by computer-based systems such as DCS (distributed control system), PLC (programmable logic controller), and SCADA (supervisory control and data acquisition) which manage for operational and quality outcomes, not the safety. While these systems can provide indications of safety issues (e.g. alarms), they are normally not safety critical as they lack the independence and reliability generally associated with SCEs.
Evaluation and assurance – Assurance that safety systems are in place and working as intended is very important. Deficiencies in the monitoring of safety and hazard management systems have been implicated in several process safety disasters. A focus on lost time injuries (LTIs) and relatively minor matters is considered a causal factor in several disasters. A failure to learn about the need for the valid and reliable performance measures has been identified in some disasters. Auditing, as an assurance activity, comes under similar criticisms. Shortcomings in either audit processes or responses to audits have been implicated in several incidents.
Performance indicators – Valid and reliable health and safety performance measures relevant to the situation and the process are necessary for evaluating the effectiveness of strategies for managing both the process safety and the occupational health and safety. The definition of performance measures for the occupational health and safety is a topic of some discussion among the occupational health and safety personnel The historical use of LTIs and the more encompassing ‘total injuries’ has come under criticism. While there has been a move away from injury outcome measures in favour of positive (or leading) performance indicators, such measures are also seen to have significant problems, not least of which is the tendency for the employees and the organization to ‘manage the measure rather than the performance’. The definition of effective safety performance measures remains hotly contested.
Process safety has suffered from a similar lack of agreed performance measures which address lag and lead indicators which are practical to implement. However, both lead and lag measures are important in evaluating the safety performance. The lag metrics described by the American Petroleum Institute (API, 2010) and lead indicators developed by the IChemE Safety Centre (ISC, 2015b) are important.
The API (2010) defines process safety indicators in terms of tiers. Tier 1 indicators are the most lagging, representing process events with high consequences resulting from losses of containment due to weaknesses in barriers. A Tier 1 process safety event is a ‘loss of primary containment’ (LOPC) with the greatest consequence, A Tier 2 process safety event is an LOPC with lesser consequence. It is an unplanned or uncontrolled release of any material, including non-toxic and non-flammable materials (e.g. steam, hot condensate, nitrogen, by-product gas, or compressed air), from a process which results in one or more of the consequences and is not reported in Tier 1. The list for Tier 2 include (i) an employee, contractor or subcontractor employee recordable injury, (ii) a fire or explosion resulting in greater than or equal to USD 2,500 of direct cost to the organization, (iii) a pressure relief device (PRD) discharge to the environment whether directly or through a downstream destructive device which results in one or more of the four consequences such as liquid carryover, discharge to a potentially unsafe location, onsite shelter-in-place and public protective measures (e.g. road closure) and a PRD discharge quantity higher than the ‘specified threshold quantities’ in any one-hour period, or (iv) a release of material higher than the ‘specified threshold quantities in any one-hour period. Leading indicators for process safety have been developed by the IChemE Safety Centre as a result of extensive industry consultation mediated by a technical panel.