Major Hazard Facilities

Major Accident Identification and Risk Assessment

Overview
This seminar has been developed in the context of the MHF regulations to provide:
An overview of MA identification and risk assessment The steps required for MA recording Examples of major accidents identified The steps required for a risk assessment Examples of risk assessment formats

Some Abbreviations and Terms

AFAP - As far as (reasonably) practicable BLEVE Boiling liquid expanding vapour explosion BPCS Basic process control system DG - Dangerous goods Employer - Employer who has management control of the facility Facility - any building or structure which is classified as an MHF under the regulations HAZID - Hazard identification HSR - Health and safety representative LOC - Loss of containment LOPA Layers of protection analysis MHF - Major hazard facility MA - Major accident SIS Safety instrumented system
3

Topics Covered In This Presentation

Regulations Definition - Major accident (MA) MA identification issues Approaches to MA identification MA recording Pitfalls

Topics Covered In This Presentation

Definition of a risk assessment Approaches Risk assessment Likelihood assessment Consequences Risk evaluation and assessment Summary Sources of additional information Review and revision

Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994

Hazard identification (R9.43) Risk assessment (R9.44) Risk control (i.e. control measures) (R9.45, S9A 210) Safety Management System (R9.46) Safety report (R9.47, S9A 212, 213) Emergency plan (R9.53) Consultation

Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994

Regulation 9.43 (Hazard identification) states: The employer must identify, in consultation with employees, contractors (as far as is practicable) and HSRs: a) All reasonably foreseeable hazards at the MHF that may cause a major accident; and b) The kinds of major accidents that may occur at the MHF, the likelihood of a major accident occurring and the likely consequences of a major accident.

Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994

Regulation 9.44 (Risk assessment) states: If a hazard or kind of major accident at the MHF is identified under regulation 9.43, the employer must ensure that any risks associated with the hazard or major accident are assessed, in consultation with employees, contractors (as far as is practicable) and HSRs. The employer must ensure that the risk assessment is reviewed: a) Within 5 years after the assessment is carried out, and afterwards at intervals of not more than 5 years; and b) Before a modification is made to the MHF that may significantly change a risk identified under regulation 9.43; and c) When developments in technical knowledge or the assessment of hazards and risks may affect the method at the MHF for assessing hazards and risks; and d) If a major accident occurs at the MHF.

Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994

Regulation 9.45 (Risk control) states: The employer must, in consultation with employees, contractors (as far as is practicable) and HSRs, ensure that any risk associated with a hazard at the MHF is: a) eliminated; or b) If it is not practicable to eliminate the risk reduced as far as practicable. The employer must: a) Implement measures at the MHF to minimise the likelihood of a major accident occurring; and b) Implement measures to limit the consequences of a major accident if it occurs; and c) Protect relevant persons, an at-risk community, and the built and natural environment surrounding the MHF, by establishing an emergency plan and procedures in accordance with regulation 9.53.

Definition
Major Accident
A major accident is defined in the Regulations as: A sudden occurrence at the facility causing serious danger or harm to:
A relevant person or An at-risk community or Property or The environment

whether the danger or harm occurs immediately or at a later time

10

MA Identification Issues
Unless ALL possible MAs are identified then causal and contributory hazards may be overlooked and risks will not be accurately assessed Likewise, controls cannot be identified and assessed Identification of MAs must assume control measures are absent/unavailable/not functional

That is: WHAT COULD HAPPEN IF CONTROL MEASURES WERE NOT APPLIED AND MAINTAINED ?

11

MA Identification Issues
MAs can be identified in three different areas
These are: Process MAs MAs arising from concurrent activities Non-process MAs

12

MA Identification Issues
Process MAs These are MAs caused by hazards which are associated with upsets in the process, or failure of equipment in the process, etc MAs arising from concurrent activities Typical concurrent operations which must be considered are:
Major shutdowns/start ups Other activity on site Activities adjacent to the facility

13

MA Identification Issues
Non-Process MAs
MAs created by non-process hazards that could cause release of Schedule 9 materials Non-process hazards may typically include the following: aircraft crashing; dropped objects; extreme environmental conditions (earthquake, cyclone, high winds, lightning); nonprocess fires (e.g. bush fire); vehicles and road transport; heat stress

14

MA Identification Issues
Collate appropriate
Facility information Incident data/histories

To ensure a thorough understanding of :

The nature of the facility Its environment Its materials Its processes

15

MA Identification Issues
Develop/select a structured method for determining what types of MA can occur:
Loss of containment Fire Explosion Release of stored energy Where they can occur Under what circumstances

Define and document any restrictions applied to the above

16

MA Identification Tools Usage

Examples of tools which might be used include:
Analysis of Schedule 9 materials and DG properties Use of HAZID techniques Review of existing hazard identification or risk assessment studies Analysis of incident history local, industry, company and applicable global experience

17

Approach to MA Identification
It may be efficient to treat similar equipment items handling the same Schedule 9 materials together - as often they have similar hazards and controls Further, to ensure correct mitigation analysis, the equipment grouped together should contain similar materials at similar process conditions, resulting in similar consequences on release

18

Approach to MA Identification

For consistency of analysis, all MAs should be defined in terms of an initial energy release event This can be characterised as a loss of control of the Schedule 9 material As an example, in the case of a hydrocarbon release from one vessel leading to a jet fire that subsequently causes a BLEVE in a second vessel, the MA should be defined in terms of the initial hydrocarbon release from the first vessel

19

Approach to MA Identification

Review HAZID studies to identify initiating events for each MA Review to ensure all hazards have been identified Special checklists should be developed to assist with this process Further hazards may be identified from: Discussions with appropriate subject experts Review of incident data Review of the records from a similar system

20

MA Recording
A structured approach is important It can then link equipment management strategies and systems Record the key outputs in a register

For each MA, the register should record the following information: Equipment that comprises the MA Group similar items into one MA Description Consequences

21

MA Recording

Consider all Schedule 9 materials - regardless of quantity Screen out incidents that do not pose a serious danger or harm to personnel, the community, the environment or property Screening should only be on the basis of consequence not likelihood
i.e. Events should not be screened out on the basis of likelihood or control measures being active Consequence modelling should be used as justification for screening decisions

External influences need to be considered, for example, potential for a power failure to cause a plant upset leading to an MA

22

Example MA Recording
The following are examples of MA recording details

MA Reference No. LPG-PU2300110 TKF-SA10

MA Description LOC - pumps LOC finished flammable product release from tank farm Ignition of material

Equipment Included LPG transfer pumps (P254/A) Flammable storage tanks A202, A205,A206, B21, C55 Extruders E21/E22/D54

A26

23

Major Hazard Facilities Risk Assessment

What is Risk?
Regulatory definition (per Part 20 of the Occupational Health and Safety (Safety Standards) Regulations 1994) : Risk means the probability and consequences of occurrence of injury or illness AS/NZS 4360 (Risk Management Standard) the chance of something happening that will have an impact on objectives Risk combines the consequence and the likelihood RISK = CONSEQUENCE x LIKELIHOOD

25

Hazard versus Risk

26

Risk Assessment Definition

Any analysis or investigation that contributes to understanding of any or all aspects of the risk of major accidents, including their:
Causes Likelihood Consequences Means of control Risk evaluation

27

The Risk Assessment Should

Ensure a comprehensive and detailed understanding of all aspects for all major accidents and their causes Be a component of the demonstration of adequacy required in the safety report - e.g. by evaluating the effects of a range of control measures and provide a basis for selection/rejection of measures

28

Approach
The MHF Regulations respond to this by requiring comprehensive and systematic identification and assessment of hazards
HAZID and Risk Assessment must have participation by employees, as they have important knowledge to contribute together with important learnings These employees MAY BE the HSRs, but DO NOT HAVE TO BE However, the HSRs should be consulted in selection of appropriate participants in the process

29

Approach
Types of Risk Assessment Hazard Identification Qualitative Assessment

Detailed Studies

Quantitative Risk Assessment

Likelihood Analysis Plant Condition Analysis

Asset Integrity Studies Consequence Analysis Human Factors Studies

Technology Studies

30

Causes
From the HAZID and MA evaluation process, pick an MA for evaluation From the hazard register, retrieve all the hazards that can lead to the MA being realised In a structured approach, list all of the controls currently in place to prevent each of the hazards that lead to the MA being realised Examine critically all of the controls currently in place designed to prevent the hazard being realised

31

Causes

As an example, from hazard register, MA - A26

Ignition of materials (MA - A26)

32

Causes
List all possible causes of the accident (identified during HAZID study)

Hazard Scenario 1

Hazard Scenario 2

Ignition of materials (MA - A26)

Hazard Scenario 3, etc

33

Causes
List all prevention controls for the accident (identified during HAZID study)
Hazard Scenario 1

Prevention control C1-1

Prevention control C1-2

Hazard Scenario 2

Prevention control C2-1

Ignition of materials (MA - A26)

Hazard Scenario 3, etc

Prevention control C3-1

34

Likelihood Assessment
Likelihood analysis can involve a range of approaches, depending on the organisations knowledge, data recording systems and culture This knowledge can range from:
In-house data - existing data recording systems and operational experience Reviewing external information from failure rate data sources

Both are valid, however, the use of in-house data can provide added value as it is reflective of the management approaches and systems in place

35

Likelihood Assessment
A Likelihood is an expression of the chance of something happening in the future - e.g. Catastrophic vessel failure, one chance in a million per year (1 x 10-6/year) Frequency is similar to likelihood, but refers to historical data on actual occurrences

36

Likelihood Assessment
Likelihood Analysis can use:
Historical
Site historical data Generic failure rate data

Assessment
Workshops (operators and maintenance personnel) Fault trees Event trees Assessment of human error

37

Likelihood Assessment Qualitative Approach

A qualitative approach can be used for assessment of likelihood This is based upon agreed scales for interpretation purposes and for ease of consistency
For example, reducing orders of magnitude of occurrence

It also avoids the sometimes more complicated issue of using frequency numbers, which can be difficult on occasions for people to interpret

38

Likelihood Assessment Qualitative Approach

Category A Likelihood Possibility of repeated events (once in 10 years) Possibility of isolated incidents (once in 100 years) Possibility of occurring sometimes (once in 1,000 years) Not likely to occur, (once in 10,000 years) Rare occurrence (once in 100,000 years)

D E

39

Likelihood Assessment Fault Trees

A fault tree is a graphical representation of the logical relationship between a particular system, accident or other undesired event, typically called the top event, and the primary cause events In a fault tree analysis the state of the system is to find and evaluate the mechanisms influencing a particular failure scenario

40

Likelihood Assessment Fault Trees

A fault tree is constructed by defining a top event and then defining the cause events and the logical relations between these cause events This is based on:
Equipment failure rates Design and operational error rates Human errors Analysis of design safety systems and their intended function

41

Likelihood Assessment Fault Trees Example

Process vessel over pressured
AND

Pressure rises

PSV does not relieve

OR

AND

Process pressure rises

Control fails high PSV too small

Fouling inlet or outlet

Set point too high

PSV stuck closed

42

Likelihood Assessment Generic Failure Rate Data

This information can be obtained from:
American Institute of Chemical Engineers Process Equipment Reliability Data Loss Prevention in the Process Industries E&P Forum UK Health and Safety Executive data and other published reports

(Refer to Sources of Additional Information slides for references)

43

Likelihood Assessment Human Error

Human error needs to be considered in any analysis of likelihood of failure scenarios The interaction between pending failure scenarios, actions to be taken by people and the success of those actions needs to be carefully evaluated in any safety assessment evaluation Some key issues of note include:
Identifying particular issue Procedures developed for handling the issue Complexity of thought processing information required

44

Likelihood Assessment Human Error

Type of Behaviour Extraordinary errors: of the type difficult to conceive how they could occur: stress free, powerful cues initiating for success. Error in regularly performed, commonplace, simple tasks with minimum stress (e.g. Selection of a key-operated switch rather than a non keyoperated switch). Error Probability 10-5 (1 in 100,000) 10-4 (1 in 10,000)

Errors of omission where dependence is placed on situation cues and memory. Complex, unfamiliar task with little feedback and some distractions (e.g. failure to return manually operated test valve to proper configuration after maintenance).
Highly complex task, considerable stress, little time to perform it e.g. during abnormal operating conditions, operator reaching for a switch to shut off an operating pump fails to realise from the indicator display that the switch is already in the desired state and merely changes the status of the switch.

10-2 (1 in 100)

10-1 (1 in 10)

45

Likelihood Assessment Event Trees

Used to determine the likelihood of potential consequences after the hazard has been realised It starts with a particular event and then defines the possible consequences which could occur Each branching point on the tree represents a controlling point, incorporating the likelihood of success or failure, leading to specific scenarios Such scenarios could be:
Fire Explosion Toxic gas cloud

Information can then used to estimate the frequency of the outcome for each scenario

46

Likelihood Assessment Event Trees

Event tree example LPG Pipeline Release

47

Consequences
Most scenarios will involve at least one of the following outcomes:
Loss of containment Reactive chemistry Injury/illness Facility reliability Community impacts Moving vehicle incidents Ineffective corrective action Failure to share learnings

48

Consequences

Consequence evaluation estimates the potential effects of hazard scenarios The consequences can be evaluated with specific consequence modelling approaches These approaches include:
-

Physical events modelling (explosion, fire, toxic gas consequence modelling programs) Occupied building impact assessment

49

Consequences - Qualitative Evaluation

A qualitative evaluation is based upon a descriptive representation of the likely outcome for each event This requires selecting a specific category rating system that is consistent with corporate culture

50

Consequences - Qualitative Descriptors Example

Consequence descriptors Health and Safety Values

Insignificant A near miss, first aid injury

Minor One or more lost time injuries No or low impact

Moderate One or more significant lost time injuries Medium impact Release within facility boundary Loss from $50,000 to $1M

Major One or more fatalities Medium impact outside the facility boundary Loss from $1M to $10M

Catastrophic Significant number of fatalities Major impact event

Environmental Values

No impact

Financial Loss Exposures

Loss below $5,000

Loss $5,000 to $50,000

Loss above $10M

51

Consequences Quantitative Evaluation

Consequence analysis estimates the potential effects of scenarios Tools include:

Potential consequences (event tree) Physical events modelling (explosion, fire and/or gas dispersion consequence modelling programs) Load resistance factor design (building design)

52

Consequences - Qualitative Evaluation Example

Example: Impact of Explosions

Explosion Overpressure (kPa)

7 (1 psi)

Effects
Results in damage to internal partitions and joinery but can be repaired. Reinforced structures distort, storage tanks fail. Wagons and plant items overturned, threshold of eardrum damage. Complete demolition of houses, threshold of lung damage.

21 (3 psi) 35 (5 psi) 70 (10 psi)

Note: Calculations can be undertaken to determine probability of serious injury and fatality

53

Consequences - Qualitative Evaluation Example

Example - Overpressure Contour - impact on facility buildings

Release scenario location

35 kPa 21 kPa 14 kPa 7 kPa

54

Risk Evaluation

Risk evaluation can be undertaken using qualitative and/or quantitative approaches Risk comprises two categories - frequency and consequence Qualitative methodologies that can be used are
Risk matrix Risk nomograms Layers of protection analysis Risk matrix

Semi quantitative techniques

-

Quantitative - quantitative techniques

55

Risk Assessment - What Type?

Simple, subjective, low resolution, high uncertainty, low cost

Qualitative Assessment

SemiQuantitative Assessment
Detailed, objective, high resolution, low uncertainty, increasing cost

Quantitative Assessment
56

Risk Assessment Issues For Consideration

Greater assessment detail provides more quantitative information and supports decision-making Strike a balance between increasing cost of assessment and reducing uncertainty in understanding Pick methods that reflect the nature of the risk, and the decision options

57

Risk Assessment Issues For Consideration

Stop once all decision options are differentiated and the required information compiled Significant differences of opinion regarding the nature of the risk or the control regime indicate that further assessment is needed

58

Risk Assessment - Qualitative

Qualitative risk assessment can be undertaken using the following
Risk nomogram Risk matrix

Both approaches are valid and the selection will depend upon the company and its culture

59

Risk Assessment - Risk Nomogram

A nomogram is a graphical device designed to allow approximate calculation Its accuracy is limited by the precision with which physical markings can be drawn, reproduced, viewed and aligned Nomograms are usually designed to perform a specific calculation, with tables of values effectively built into the construction of the scales

60

Risk Assessment - Risk Nomogram

LIKELIHOOD Might well be EXPOSURE Expected at Sometime Very Rare, Yearly or Less Quite Possible Could Happen Rare Few per year Unusual but Possible

POSSIBLE CONSEQUENCES Catastrophe Many Fatalities >$100M Damage Disaster Multiple Fatalities >$10M Damage Very Serious Fatality >$1M Damage

500 400 300 200

Very High Risk Consider Discontinuing Operation

100 80 60

High Risk Immediate Correction Required Substantial Risk Correction Required Risk must be Reduced SFARP

Unusual Once per Month

Most nomograms are used in situations where an approximate answer is appropriate and useful

Remotely Possible

Occasional Once per Week

Serious Serious Injury >$100k Damage

Important Disability >$10k Damage

40

Conceivable but Very Unlikely

TIE LINE

Frequent Daily

20 Noticeable Minor Injury / First Aid 10 >$1k Damage 0 Risk Acceptable if Reduced SFARP

Continuous Practically Impossible

61

Risk Assessment - Risk Nomogram

Advantages and Disadvantages
Accuracy is limited Designed to perform a specific calculation Cannot easily denote different hazards leading to an MA Typically not used by MHFs

62

Risk Assessment - Risk Matrix

Hazards can be allocated a qualitative risk ranking in terms of estimated likelihood and consequence and then displayed on a risk matrix Consequence information has already been discussed, hence, information from this part of the assessment can be used effectively in a risk matrix Risk matrices can be constructed in a number of formats, such as 5x5, 7x7, 4x5, etc Often facilities may have a risk matrix for other risk assessments (eg Task analysis, JSA)

63

Risk Assessment - Risk Matrix

Results can be easily presented
In tabular format for all MAs Within a risk matrix

Such processes can illustrate major risk contributors, aid the risk assessment and demonstration of adequacy Care needs to be taken to ensure categories are consistently used and there are no anomalies Australian/New Zealand Standard, AS4360, Risk Management 1999, provides additional information on risk matrices

64

Risk Assessment - Risk Matrix

Risk matrix example (AS4360)
Health and Safety Values Environmental Values Financial Loss Exposures
A Possibility of repeated events, (1 x 10-1 per year)

Consequences
Insignificant
1
A near miss, First Aid Injury (FAI) or one or more Medical Treatment Injuries (MTI)

Minor
2
One or more Lost Time Injuries (LTI)

Moderate
3
One or more significant Lost Time Injuries (LTI) Medium impact. Release within facility boundary Loss from $50,000 to $1,000,000

Major
4
One or more fatalities

Catastrophic
5
Significant number of fatalities

No impact

No or low impact Loss $5,000 to $50,000

Medium impact Major impact outside the facility event boundary Loss from $1,000,000 to $10,000,000 Loss of above $10,000,000

Loss below $5,000

Significant Risk Moderate Risk Low Risk Low Risk Low Risk

Significant Risk Significant Risk Moderate Risk Low Risk Low Risk

High Risk Significant Risk Significant Risk Moderate Risk Moderate Risk

High Risk High Risk High Risk Significant Risk Significant Risk

High Risk High Risk High Risk High Risk Significant Risk

Likelihood

B Possibility of isolated incidents, (1 x 10-2 per year) C Possibility of occurring sometimes, (1 x 10-3 per year) D Not likely to occur, (1 x 10-4 per year) E Rare occurrence, (1 x 10-5 per year)

65

Risk Assessment - Risk Matrix

Advantages
If used well, a risk matrix will:

Identify event outcomes that should be prioritised or grouped for further investigation Provides a good graphical portrayal of risks across a facility Help to identify areas for risk reduction Provide a quick and relatively inexpensive risk analysis Enable more detailed analysis to be focused on high risk areas (proportionate analysis)

66

Risk Assessment - Risk Matrix

Disadvantages
Scale is always a limitation regarding frequency reduction - it does not provide an accurate reduction ranking Cumulative issues and evaluations are difficult to show in a transparent manner There can be a strong tendency to try and provide a greater level of accuracy than what is capable

67

Risk Assessment - Semi-Quantitative Approach

One tool is a layer of protection analysis approach (LOPA) It is a simplified form of risk evaluation The primary purpose of LOPA is to determine if there are sufficient layers of protection against a hazard scenario It needs to focus on:
Causes of hazards occurring Controls needed to minimise the potential for hazards occurring If the hazards do occur, what mitigation is needed to minimise the consequences

68

Risk Assessment - Semi-Quantitative Approach (LOPA)

Diagrammatic Representation - LOPA Analysing the safety measures and controls that are between an uncontrolled release and the worst potential consequence

69

Risk Assessment - Semi-Quantitative Approach (LOPA)

The information for assessment can be presented as a bow-tie diagram Preventative Controls Mitigative Controls

Causes

M A

Hazards

Controls

Controls

Consequences

Outcomes

70

Risk Assessment - Semi-Quantitative Approach (LOPA)

Advantages and Disadvantages
Risk evaluation can be undertaken using a bow-tie approach A procedural format needs to be developed by the company to ensure consistency of use across all evaluations External review (to the safety report team) should be considered for consistency and feedback Correct personnel are needed to ensure the most applicable information is applied to the evaluation approach

71

Risk Assessment - Quantitative

Quantitative assessments can be undertaken for specific types of facilities This is a tool that requires expert knowledge on the technique and has the following aspects:
It is very detailed High focus on objective Detailed process evaluations Requires a high level of information input Provides a high output resolution Reduces uncertainty

Frequency component can be questionable as generic failure rate data is generally used Provides understanding on the high risk contributors from a facility being evaluated

72

Risk Assessment - Quantitative

Typical result output from such an assessment is individual risk contours
VRJ Risk Engineers Pty Ltd
R ac ec ou rs e

H os pi tal

Sch oo l

Sch oo l L igh t R ai l R es er ve Tow n C en te r R es id en tua l Spo rts C ompl ex

Example shown is for land use planning

10-5

106

107

10-6

Figure 13: Sample Risk Plot - VRJ QRA

Risks are in chances per million per year

73

Risk Assessment - Quantitative

Time consuming Expensive Expert knowledge is required Not suitable for every MHF site Process upsets (such as a runaway reaction) cannot be easily modelled as an initiating event using standard equipment part counts - incorporation of fault tree analysis required Use of generic failure rate data has limitations and does not take into consideration a specific companys equipment and management system strategies

74

Summary

A risk assessment provides an understanding of the major hazards and a basis for determining controls in place
Risk assessments can involve significant time and effort Operations personnel and managers could cause, contribute to, control or be impacted by MAs Hence they should be involved in the risk assessment HSRs may or may not take part, but must be consulted in relation to the process of HAZID & Risk Assessment They should also be involved in resolution of any issues that arise during the studies, including improvements to methods and processes

75

Review and Revision

Employer must review (and revise) Hazard Identifications, Risk Assessments and Control Measures to ensure risks remain reduced to AFAP:
At the direction of the Commission Prior to modification After a major accident When a control measure is found to be deficient At least every 5 years Upon licence renewal conditions

76

Sources of Additional Information

The following are a few sources of information covering risk assessment
Hazard and Operability Studies (HAZOP Studies), IEC 61882, Edition 1.0, 2001-05 Functional Safety Safety Instrumented Systems for the Process Industry Sector, IEC 61511, 2004-11 Fault Tree Analysis, IEC 61025, 1990-10 Hydrocarbon Leak and Ignition Data Base, E&P Forum, February 1992 N658 Guidelines for Process Equipment Reliability Data, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1989

77

Sources of Additional Information

Offshore Hydrocarbon Release Statistics, Offshore Technology Report OTO 97 950, UK Health and Safety Executive, December 1997 Loss Prevention in the Process Industries , Lees F. P., 2nd Edition, Butterworth Heinemann Layer of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 2001 Nomogram, Wikipedia, the free encyclopaedia

78

Questions?

79

Example LOPA Assessment Spreadsheet Format

Cause

Hazard

Independent Preventative Protection Layers

Mitigative Protection Layers Pressure safety valve opens on high pressure

Loss of cooling tower water to conden ser once every 10 years

Catastrophic rupture of distillation column with shrapnel, toxic release

Columns condenser, reboiler and piping maximum allowable working pressures are greater than maximum possible pressure from steam reboiler

Logic in BPCS trips steam flow valve and steam RCV on high pressure or high temperature . No credit since not independent of SIS.

High column pressure and temperature alarms can alert operator to shut off the steam to the reboiler (manual valve)

Logic in BPCS trips stream flow valve and steam RCV on high pressure or high temperatur e (dual sensors separate from DCS).

80

Example Example Bowtie Assessment System Format

MA-1

MA-2

81