
GCPS 2013 __________________________________________________________________________

Management of Safety Critical Elements as a Base for Risk Management of Major Accident Hazards

Mariana Bahadian Bardy
Det Norske Veritas
Rua Sete de Setembro 111/12th floor
mariana.bardy@dnv.com

Flávio Luiz Barros Diniz
Det Norske Veritas
flavio.diniz@dnv.com

Paula Silveira
Det Norske Veritas
paula.silveira@dnv.com







Prepared for Presentation at
American Institute of Chemical Engineers
2013 Spring Meeting
9th Global Congress on Process Safety
San Antonio, Texas
April 28 - May 1, 2013


UNPUBLISHED



AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications

Keywords: safety critical element, barrier, major accident hazard

Abstract

Considering the established relevance of barriers in avoiding Major Accidents, the objective
of this paper is to present a methodology for the management of Safety Critical Elements (SCE),
covering their identification, the definition of their importance to each activity performed by
the installation, and the establishment of alternatives and contingencies for the failure or
absence of an SCE. The proposed methodology, adapted from methodologies in common use in the
Offshore Industry to the Process Industries, is developed in 5 steps. Step 1 is the use of a
Hazard Identification technique and the indication of Major Accident Hazards (MAH). In Step 2,
bowtie diagrams are developed for the MAH and the SCE are identified. In Step 3, the SOOB
(Summary of Operational Boundaries) identifies the activities that may proceed, may not proceed,
or may proceed with caution when an SCE is defeated, and in Step 4 a Contingency Plan is
developed to maintain operation in the cases where the SOOB indicates that operation may not
proceed or may proceed with caution. Finally, in Step 5, the prioritization of maintenance and
inspection activities shall be defined for each SCE, including preventive maintenance routines,
inspection routines and the definition of spares, where applicable. This methodology can help in
identifying gaps and managing critical elements, consequently improving the performance of
safety systems and increasing their availability.

1. Introduction and background

Recent accidents have shown the importance of safety barriers in the management of major
accidents, reducing their likelihood or minimizing their consequences. The accident
investigation reports for Buncefield, Texas City and Macondo, to name a few, cite the failure of
safety barriers or the absence of adequate ones as potential causes of the major accident.

This paper presents a methodology for the management of Safety Critical Elements (SCE), adapted
from methodologies in common use in the Offshore Industry to the Process Industries, covering
their identification, the definition of their importance to each activity performed by the
installation, and the establishment of alternatives and contingencies for the failure or absence
of an SCE.

Several references define SCE and how they must be managed, such as NORSOK [1], which
indicates that Safety Critical Equipment is equipment that shall be in operation to ensure
escape, evacuation and/or to prevent escalation.

According to HSE UK[2] any structure, plant, equipment, system (including computer
software) or component part whose failure could cause or contribute substantially to a major
accident is safety critical, as is any which is intended to prevent or limit the effect of a major
accident.

For this paper, SCE is defined as indicated by HSE UK, as being the Barriers that can avoid or
mitigate Major Accident Hazards.

2. Description of Methodology

For the objective of systematic management of Safety Critical Elements, the methodology
outlined in Figure 1 is proposed, covering the 5 steps described below.

Figure 1 - Methodology for SCE Management


2.1 Step 1 - Hazard Identification

The first step is to identify the accidental scenarios of the specific process under analysis.
For that purpose, it is proposed to perform a Process Hazard Analysis (PHA) for identification
of accidental scenarios and classification according to a Risk Matrix, defined by each company
according to its risk management process. Figure 2 shows an example of a spreadsheet to be
applied for the PHA.

Process Hazard Analysis (PHA)

System:                    Hazard/Event Group:

| 1. Hazard | 2. Causes | 3. Effects | 4. Freq | 5. Sev | 6. Risk | 7. Safeguards | 8. Final Freq | 9. Final Sev | 10. Final Risk | 11. Recommendations | 12. # |
|---|---|---|---|---|---|---|---|---|---|---|---|
| | | | | | | | | | | | 1 |
| | | | | | | | | | | | 2 |
| | | | | | | | | | | | 3 |

Figure 2 - Example of PHA Spreadsheet

The spreadsheet has 12 columns and two risk classifications for each scenario. Columns 4, 5
and 6 hold the classification without considering the existing safety barriers for the
scenario. The barriers are listed in Column 7, and Columns 8, 9 and 10 hold the classification
of the risk considering that the barriers exist and are operating or ready to operate when
needed.

For the classification of severity, likelihood/frequency and risk, a risk matrix shall be used,
representing the risk tolerability of the company. An example of a risk matrix is shown in
Figure 3, extracted from ISO 17776:2000 [3].


Figure 3 - Example of Risk Matrix

Note that this matrix has 5 different severity ratings and analyzes four different effects:
people, assets, environment and reputation. A common approach to defining Major Accident
Hazards (MAH) is to consider those with the highest consequence classification, such as the
ones classified with Severity Category 5 in the matrix indicated in Figure 3, which represents
multiple fatalities as impact on people, extensive damage for environment, massive effect to
assets and major international impact on reputation.

The main advantage of selecting only the MAH to take forward to the Bowtie, as described above,
is that the barriers related to those events can be clearly identified and consequently managed
properly and in a focused way. On the other hand, when there is no distinction between MAH and
other scenarios with lower damage potential, the number of barriers to be managed increases,
reducing the focus on the major impact scenarios (MAH).

Note that some safety barriers are normally identified in this PHA and shall be reviewed and
detailed in the next steps.

2.2 Step 2 - Development of Bowties

The following step of this methodology is to develop bowtie diagrams for each of the MAH, or
combination of MAH, if applicable, as exemplified in Figure 4. The BowTie methodology is
designed to give a picture of the risks, to help people understand the relationship between the
risks and organizational events and to identify where barriers in place can act, on the prevention
or on the mitigation and consequently give a better overview if those are enough to mitigate the
risks related to the MAH.


Figure 4 - Example of Bowtie

With a multidisciplinary team from the company, starting from a Top Event located in the center
of the diagram, causes, preventive barriers, consequences and mitigating barriers are
identified. Each barrier, preventive or mitigating, is then classified as:
- Critical: essential barrier to avoid the causes or associated consequences.
- Non-critical: barrier that reduces likelihood or minimizes consequence, but does not avoid
  the occurrence of the top event or associated effects.
- Third Party: barriers, critical or not, that are not under the company's responsibility for
  management.
A responsible person or function can also be indicated on the bowtie for each barrier. The list
of SCE is composed of those barriers classified as critical in each bowtie.

The Safety Critical Elements (SCE) can be an Equipment, System or Procedure. In the example
presented in Figure 4, for the Top Event Large Release of Flammable Gas from the Compression
System, the following barriers were classified as Safety Critical Equipment or System:
- Safety interlocks
- PSVs
- Filter Pressure Drop Indication
- Injection of Corrosion Inhibitor
- Gas and Fire Detection System
- Fire Fighting System
- CFTV
The other critical barriers, such as the Mechanical Integrity Program and Emergency Planning,
are considered Safety Critical Procedures.
All of those critical elements (equipment, systems and procedures) shall be managed, but for
the equipment and systems in particular, contingency procedures shall apply for when they are
operating under degraded conditions or out of operation. As part of this scope, a Summary of
Operations Boundaries (SOOB) analysis is carried out as described below.

2.3 Step 3 - Development of SOOB

Step 3 of this methodology consists of developing the Summary of Operations Boundaries (SOOB)
analysis. This is based on a matrix which crosses main operations and activities with the
Operational Risk Factors. Operational Risk Factors include controls, identified in the BowTie
analysis, under reduced effectiveness and risk factors such as severe weather/sea conditions.
The matrix is completed row by row by reviewing all combinations.

The main objective is to examine whether operations can be permitted or must be prohibited when
certain controls have been defeated or are running under reduced effectiveness, and whether
operations can proceed when external factors occur that can potentially influence the risk of
doing these operations, e.g. severe weather conditions.

This will distinguish when a "stop work" is applied or when it shall be a "proceed with caution"
condition, as indicated by IADC [4]. A traffic light system may be applied, indicating:
- Red: stop the work or do not proceed;
- Yellow: evaluate conditions, perform risk analysis or implement additional protection;
- Green: continue normal operation.

Note that the activities will vary depending on the type of installation. Some examples are:
- loading or unloading of trucks or railcars;
- operation above normal conditions;
- increase of capacity;
- confined space entry;
- working at height.

As an example of the analysis, for a Gas Detection System failure: works at heights and
confined space entry are allowed to proceed; normal operation and loading/unloading may proceed
with caution, requiring additional evaluation; and operation above normal conditions, increase
of capacity and hot work are not permitted.

| Operations vs. Operational Risk Factors | Normal Production | Operation Above Normal Conditions | Increase of Capacity | Loading/Unloading Truck | Loading/Unloading Railcar | Confined Space Entry | Hot Work | Working at Heights |
|---|---|---|---|---|---|---|---|---|
| Safety interlocks | RA | X | X | RA | RA | P | RA | RA |
| PSVs | RA | X | X | RA | RA | P | P | RA |
| Filter Pressure Drop Indication | RA | RA | RA | NA | NA | NA | NA | NA |
| Injection of Corrosion Inhibitor | RA | RA | RA | NA | NA | NA | NA | NA |
| Gas and Fire Detection System | RA | X | X | RA | RA | P | X | P |
| CFTV | P | RA | RA | RA | RA | P | P | P |

P - Permitted
RA - Perform Risk Analysis
X - Do not Proceed

Figure 5 - Example of SOOB Matrix
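
The Figure 5 matrix can be evaluated mechanically before an activity is authorised. The following Python code is an added example, not part of the original paper. Its function names, the reading of NA as "imposes no restriction", the mapping of P/RA/X to green/yellow/red, and the rule that the most restrictive entry decides when several SCE are impaired are assumptions.

```python
# Added example: Figure 5 SOOB matrix as data, evaluated for impaired SCEs.
ACTIVITIES = [
    "Normal Production", "Operation Above Normal Conditions",
    "Increase of Capacity", "Loading/Unloading Truck",
    "Loading/Unloading Railcar", "Confined Space Entry",
    "Hot Work", "Working at Heights",
]

# Rows transcribed from Figure 5; P, RA and X are defined in its legend.
SOOB_ROWS = {
    "Safety interlocks":                "RA X X RA RA P RA RA",
    "PSVs":                             "RA X X RA RA P P RA",
    "Filter Pressure Drop Indication":  "RA RA RA NA NA NA NA NA",
    "Injection of Corrosion Inhibitor": "RA RA RA NA NA NA NA NA",
    "Gas and Fire Detection System":    "RA X X RA RA P X P",
    "CFTV":                             "P RA RA RA RA P P P",
}
MATRIX = {s: dict(zip(ACTIVITIES, r.split())) for s, r in SOOB_ROWS.items()}

# Assumptions (not stated in the paper): NA imposes no restriction, and when
# several SCEs are impaired the most restrictive entry decides.
RANK = {"NA": 0, "P": 1, "RA": 2, "X": 3}
LIGHT = {"P": "green", "RA": "yellow", "X": "red"}


def evaluate(activity, impaired_sces):
    """Return (code, traffic light, SCEs that drive the code) for one activity."""
    if activity not in ACTIVITIES:
        raise KeyError(f"activity not covered by the SOOB: {activity}")
    codes = {}
    for sce in impaired_sces:
        if sce not in MATRIX:
            # Fail closed: a barrier the SOOB never analysed must not
            # silently default to "permitted".
            raise KeyError(f"SCE not covered by the SOOB: {sce}")
        codes[sce] = MATRIX[sce][activity]
    worst = max(codes.values(), key=RANK.__getitem__, default="P")
    if worst == "NA":
        worst = "P"
    drivers = sorted(s for s, c in codes.items() if c == worst and c != "P")
    return worst, LIGHT[worst], drivers


def permit_board(impaired_sces):
    """Code per activity for the current set of impaired SCEs."""
    return {a: evaluate(a, impaired_sces)[0] for a in ACTIVITIES}


if __name__ == "__main__":
    for act, code in permit_board(["PSVs", "CFTV"]).items():
        print(f"{code:>2}  {act}")
```

The list of driving SCE tells the operator which contingency plan (Step 4) has to be in force before a yellow activity continues.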


2.4 Step 4 - Definition of Contingency Plan

Step 4 of this methodology consists of the definition of a Contingency Plan for each SCE.
The immediate response actions that will normally be applied are:
- to stop or limit operations to within the limits of the remaining barriers; or
- to identify and assess any temporary substitute safety system barrier that may be
  implemented to support continued operation.
The company shall establish and document contingency procedures and a system of approval and
control of SCE to be used when those are under degraded conditions or out of operation.
The following items shall be considered:
- Implementation of equivalent alternative controls;
- Limitation and reduction of production;
- Isolation and stopping of equipment, systems, installations;
- Deadline for the temporary procedure to be allowed until corrective measures are taken.

A specific contingency plan is then developed for each SCE, using, for instance, the example
indicated in Figure 6.

| SCE | Permitted Activities | Activities with Restriction | Prohibited Activities |
|---|---|---|---|
| Gas Detection System | Confined Space Entry; Working at heights | Normal Production; Loading/Unloading | Hot work; Operation above normal conditions; Increase of capacity |

Activity
Permitted Activities: No limitation for the development or continuation of activity, even with loss of the SCE
Activities with Restriction: No limitation for the development or continuation of activity, even with loss of the SCE
Prohibited Activities: Not allowed to perform the activity and must be interrupted, even with

| Alternative Procedures for Activities with Restriction | Deadline | Responsible |
|---|---|---|
| Normal production to continue with one extra Operation Supervisor per shift, with focus on Control Room supervision | One month | Operation Manager |
| If SCE not returned to full operation after first deadline, reduce production and safe stop production | - | Operation Manager |
| Perform loading/unloading activities with one extra field operator | One month | Operation Manager |

SCE Responsible: Maintenance Manager

Figure 6 - Example of Contingency Plan for SCE

2.5 Step 5 - Definition of Maintenance and Inspection Prioritization

The final step for implementation of this methodology of Management of SCE is to incorporate
into maintenance and inspection routines and procedures a prioritization that considers the
findings of the analysis of the SCE. Some important points shall be considered:
- Guarantee that all SCE are classified as high priority for maintenance routines;
- Guarantee no delays in inspection routines for the elements associated with MAH and
  classified as SCE;
- Evaluate the need for spares for SCE, where applicable.

3. Conclusion

As initially indicated, this paper presents a 5-step methodology for the management of SCEs,
defined here as safety barriers that can avoid or mitigate Major Accident Hazards. The
objective of each step, as well as a practical approach and examples, are presented, adapting
methodologies in common use in the Offshore Industry to the Process Industries.

As an extension of this work, considering all aspects presented, some improvements can be
implemented. The inclusion of procedures as part of the analysis, after the identification of
the critical procedures, with a guarantee of correct training or certification of operators, is
one of these points. One additional relevant aspect is to incorporate a 6th step into the above
methodology of management of SCE, with the audit of the process of management of the critical
barriers.

Finally, it is important to note that this methodology was developed with the intention of
supporting companies in systematically managing Safety Critical Elements and complying with
relevant regulation and best practices.


4. References

[1] NORSOK S-001, Edition 4, February 2008, item 3.1.11. Norway. 2008.

[2] Health and Safety Executive, A guide to the Offshore Installations (Safety Case)
Regulations 2005, item 83. London. 3rd Edition. 2006.

[3] ISO 17776:2000, Petroleum and natural gas industries - Offshore production
installations - Guidelines on tools and techniques for hazard identification and risk
assessment, Table A.1. Geneva. 2006.

[4] IADC, HSE Case Guidelines for Mobile Offshore Drilling Units, Issue 3.2.1, 2009.
