Originally issued: May 6, 2024
Author
Shaun Williamson, P.L.(Eng.), CFSE, FS Eng (TÜV Rheinland)
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
PHA Complete? Why not Put A Bowtie On It!
Upon completing a thorough Process Hazard Assessment (PHA), the question arises: How can we gain the most value for the rich information detailed in our risk assessment and effectively communicate the risk to our organization? Enter the bowtie diagram, a powerful tool that transforms abstract hazards into tangible insights. By encapsulating potential threats, their causes, and preventive and mitigative measures in a single, elegant diagram, the bowtie empowers management to navigate risk landscapes with clarity and precision. Effective risk management entails more than just identifying risks; it's about painting a vivid picture of them, enabling informed decision-making and proactive risk management strategies. So, why settle for ambiguity when you can adorn your PHA with the clarity of a bowtie diagram?
Benefits of Bowtie Diagrams
Bowtie analysis can be conducted independently or following a PHA study, offering several key benefits:
Application in Risk Management
Bowtie diagrams are a highly effective means of visualizing risk, even for stakeholders with limited technical background. They support the identification and management of SCEs, crucial for preventing major accidents. Having this information readily available in an easily understandable format enhances informed decision-making in risk management strategies. The bowtie risk analysis approach excels in considering multiple initiators and potential outcomes in a single graphic, focusing not only on preventative, but also mitigative barriers or safeguards.
Application in Safety Critical Element Management
Once the bowtie diagram has been developed and represents the major barriers used to prevent or mitigate safety related hazards, these can be consolidated into a Safety Critical Element list. A smart bowtie will do more than just paint a pretty picture. It can be kept current to track the health of each barrier using different colours. For example, alarms used as barriers may not be considered effective until alarms have been rationalized, prioritized and an alarm management program is in place. Fire and gas detection may not be considered effective until detector and annunciator coverage has been verified. Other barriers may not be considered effective until open PHA recommendations affecting them are closed.
The bowtie can also be used to analyze the effects of unavailability of barrier(s) due to failure or maintenance. This risk analysis can support decision making for contingency planning and maintenance scheduling.
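A small barrier-health model, added here as an example and not part of the article, that encodes the effectiveness rules above (alarm rationalisation and alarm management, verified fire and gas coverage, open PHA recommendations) and the unavailability check for maintenance planning; the tank, barrier tags and sample data are constructed assumptions.

```python
"""Barrier-health tracking on a bowtie (added example, not from the article).
The hazard, barriers and rules below are a constructed sample encoding the
effectiveness conditions the text describes: alarm rationalisation plus an
alarm management programme, verified fire and gas coverage, and no open PHA
recommendations; out-of-service barriers model failure or maintenance."""
from dataclasses import dataclass, field

@dataclass
class Barrier:
    name: str
    kind: str                        # "alarm", "fg_detection", "sis", "psv", ...
    open_pha_recs: int = 0           # open PHA recommendations affecting it
    alarm_rationalised: bool = False
    alarm_mgmt_program: bool = False
    coverage_verified: bool = False

def barrier_colour(b, unavailable=frozenset()):
    """Traffic-light health: red if out of service (failure or maintenance),
    amber if an effectiveness condition is unmet, green if fully effective."""
    if b.name in unavailable:
        return "red"
    if b.open_pha_recs > 0:
        return "amber"
    if b.kind == "alarm" and not (b.alarm_rationalised and b.alarm_mgmt_program):
        return "amber"
    if b.kind == "fg_detection" and not b.coverage_verified:
        return "amber"
    return "green"

@dataclass
class Bowtie:
    top_event: str
    threats: dict = field(default_factory=dict)       # threat -> preventive barriers
    consequences: dict = field(default_factory=dict)  # consequence -> mitigative barriers

def effective_counts(bowtie, unavailable=frozenset()):
    """Number of green barriers on every threat and consequence line."""
    lines = {**bowtie.threats, **bowtie.consequences}
    return {line: sum(barrier_colour(b, unavailable) == "green" for b in bars)
            for line, bars in lines.items()}

def unprotected_lines(bowtie, unavailable=frozenset()):
    """Lines left with no effective barrier, e.g. while one is out for maintenance."""
    return sorted(l for l, n in effective_counts(bowtie, unavailable).items() if n == 0)

# Constructed sample: a flammable-liquid storage tank.
BOWTIE = Bowtie(
    "Loss of containment from tank T-100",
    threats={
        "Overfill on filling": [
            Barrier("LAH-100 high level alarm", "alarm", alarm_rationalised=True),
            Barrier("SIS high-high level trip", "sis"),
        ],
        "Overpressure from blocked outlet": [
            Barrier("PSV-100 relief valve", "psv", open_pha_recs=1),
        ],
    },
    consequences={
        "Pool fire": [
            Barrier("F&G detection", "fg_detection", coverage_verified=True),
            Barrier("Bund / secondary containment", "passive"),
        ],
    },
)
```

Calling `unprotected_lines(BOWTIE, {"SIS high-high level trip"})` shows which threat lines lose all effective protection while that trip is out for maintenance.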
Summary
In summary, incorporating a bowtie diagram after completing a PHA enhances risk visualization and supports effective risk management strategies. The clarity and simplicity of bowtie diagrams empower organizations to identify and manage safety critical elements, ensuring proactive risk mitigation. So, why settle for ambiguity? Go ahead and put a bowtie on your PHA for enhanced clarity and informed decision-making.
Originally issued: May 24, 2024
Authors
Richard Carter, P.Eng., F.S. Eng. (TÜV Rheinland)
Senior Functional Safety Engineer
Carsten Acker, P.L.(Eng.), F.S. Eng (TÜV Rheinland), CFSE, CSP
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
This article is part 1 of an 8-part series.
Process Hazards Analysis (PHA) studies, such as HAZOP, What-If or LOPA, are an essential part of an effective Process Safety Management system, but it is easy to end up with an inadequate analysis and a false sense of security. Identifying potentially hazardous events, and ensuring that there are adequate safeguards in place to prevent the unthinkable from happening, is a critical step in keeping people safe and preventing costly downtime and repairs. Unfortunately, however, these same safeguards contain traps that are easy to fall into in a PHA session, resulting in ineffective safeguards, lack of redundancy, and a much greater risk gap than intended. This can ultimately lead to catastrophic consequences.
This article series will discuss the characteristics and requirements of a safeguard in the context of PHA, and will address detailed considerations for the following common categories of safeguards that are relied upon in PHAs to keep people, the environment and equipment safe:
· Alarms and interlocks
· High-integrity interlocks (SIS and HIPPS)
· Pressure relief devices (PSVs, PVSVs, rupture discs)
· Operator rounds
· Fire and gas detection
· Occupancy factor modifiers (not considered a safeguard, but often utilized as such by PHA teams).
This series will provide practical guidelines for each of these types of safeguards, and for safeguards as a whole, that can be used for any process or system to improve the quality of a PHA to better identify the true risk of the system. This will assist in making improved risk decisions that can reduce economic impacts, prevent harm to environment, and save lives.
To ensure that the safeguards being relied upon in a PHA are effective and dependable, it is first important to discuss the required attributes of any safeguard. This article will discuss the requirements that every risk mitigation method must meet in order to be considered as a sufficiently reliable safeguard in a PHA.
The first distinction to draw is the difference between “safeguards” and “normal controls”. These are often conflated in a PHA, which can cause confusion and lead to a compromised safeguarding strategy.
Normal controls are those functions that are required to keep the system running in its normal operating state. These controls are usually making frequent adjustments to keep the process parameters within their intended operating limits. In many cases, they can be modified with little oversight, such as an operator changing the setpoint of a control loop or alarm. If one of these controls fails, it normally causes a process upset or puts the system in a potentially hazardous situation, such as a level control valve malfunctioning closed and causing high level in a vessel.
An example of a normal control is an electronically-controlled pressure control valve, or the accelerator and brake pedals of a car. Note that, as in the case of the car’s pedals, it is not necessary for the control to be operating at all times to count as a normal control. If it is used frequently and is required to keep the system operating within its intended operating limit, it is considered a normal control.
Safeguards, on the other hand, are not normally acting during normal operation. They are only required to act in the event that a process parameter is deviating outside of the intended operating limits. Because of this, the only times that a failure of a safeguard is identified is either during a proof test operation, or when the safeguard is required to act in a potentially unsafe situation.
An example of a safeguard is a pressure safety valve, or a car airbag. The pressure safety valve is held closed by a spring, and is intended to open if the pressure in the system is dangerously high, but the rest of the time there is no indication of whether the PSV will work as intended unless it is tested. A car airbag system is not intended to be in use except in the event of a collision, and in fact may cause a hazardous event if it activates during normal operation.
There are a number of factors which are not normally considered safeguards by themselves, but which support the normal controls and safeguard items. These factors may affect the likelihood of a cause or the reliability of a safeguard, but by themselves they do not take action to prevent hazardous situations from occurring. They are normally assumed to be in place when describing a failure and a consequence; however, any deficiency in these categories may adversely affect the likelihood of a hazardous event, or the efficacy of a safeguard, and therefore must be considered as part of the analysis of causes, consequences and safeguards.
Training and certification – a certain level of training, certification and competency must be assumed for every individual that interacts with the process during design, construction, operation and decommissioning.
Design to codes and standards – in most cases a baseline assumption can be made that the system is designed to applicable codes and standards. If any deficiencies or deviations are found, they must be addressed, but designing to codes and standards is not a safeguard by itself.
Operating and maintenance procedures – As part of the difference between normal controls and safeguards, normal operating and maintenance procedures are assumed to be followed, unless it is known otherwise. A robust program for ensuring that these procedures are followed as intended can adjust the likelihood of a scenario caused by human factors, but is not a safeguard.
Normal testing and inspection – Similar to operating and maintenance procedures, normal testing and inspection can influence the frequency or likelihood of scenario, or the reliability of a safeguard.
Preventive maintenance – these are activities required to keep the equipment functioning as it is intended, and therefore will affect the likelihood that such equipment malfunctions. This may affect the likelihood of a scenario or the reliability of a safeguard.
Signage – Signs are not considered safeguards, as they can easily be obscured, ignored, or misinterpreted. Furthermore, individuals will become familiar with signs they see often and will stop noticing them.
PPE (Personal Protective Equipment) – The baseline set of PPE to be worn for a task should be considered in the potential hazard to personnel in a hazardous event. However, as the last line of defense against harm to a person, PPE is not intended to be relied upon to prevent injury. Furthermore, it is rarely highly reliable; for example, hazardous materials can enter the eyes around the edges of safety glasses, and serious injuries and fatalities from fires have been inflicted on workers wearing fire-retardant clothing.
Emergency response – An emergency response plan (ERP) is required to be developed in most scenarios for safe operations, however as the last line of defense they are implemented once a significantly hazardous event is already underway and therefore it is not appropriate to consider it to be a safeguard. By the time an ERP is enacted, there is usually already significant damage or injury that has occurred, and the ERP is designed to limit the extent of this damage or injury and not prevent it outright.
Time – The duration of the window between the inciting incident and the hazardous consequence may provide an opportunity for an automatic or manual response, but it does not prevent the event by itself and is therefore not a safeguard.
In order to be relied upon, each safeguard must meet certain criteria that are intended to confirm that the safeguard will be available and effective when required to act. The following four criteria are commonly used:
· Independent of the cause and other safeguards.
· Specific to the hazardous scenario.
· Dependable to provide the risk reduction required and to take the system to a safe state.
· Auditable to verify that it is ready to act.
These categories are explored further below.
One of the most commonly overlooked requirements of a safeguard is that it is independent of whatever may cause the scenario in which the safeguard is required to act, and independent of other safeguards that are intended to protect against the same scenario. In other words, there must be no common-cause event that would result in the scenario occurring and also prevent the safeguard acting, and no common-cause failure that would prevent the safeguard in question from acting correctly and also prevent any other safeguards acting correctly if they are intended to prevent the same hazardous scenario occurring.
Independence between cause and safeguard
If the event that causes the demand on the safeguard also prevents the safeguard from acting correctly, the safeguard is not adequately independent and therefore cannot be relied upon. For example, if a control function and an automated shutdown both take their input from the same sensing element then a malfunction of the sensing element, or error in the signal from the element, may cause an incorrect control action and, at the same time, prevent the safeguard from acting.
There are many industry incident examples where insufficient independence of a safeguard has allowed a hazardous scenario to occur. As one example, the fatal liquid nitrogen release at the Foundation Food Group facility in Gainesville, GA was, in part, caused by insufficient independence between the control system measurement and the safeguard. In this incident, a liquid-nitrogen bath freezer had a level control system that measured the level in the bath with a bubbler tube instrument. The high nitrogen level automatic shutdown also took its input reading from this instrument. At some point, the tube became bent such that the end of the tube (normally immersed in the liquid) was protruding above the maximum liquid nitrogen level height in the bath. This resulted in the control system detecting no level in the bath, which caused an overflow into the surrounding room and ultimately resulted in six fatalities. The high level shutdown, which took its input from the same instrument, also did not activate because the instrument did not detect any level in the bath. The bent bubbler tube caused an incorrect control action and also prevented the safeguard from acting correctly.
Independence between safeguards
If there is a potential failure or event which could cause multiple safeguards to fail to act correctly for a scenario, only one of the safeguards can be considered to be adequately independent. For example, if there are two independent automated shutdown commands that are intended to prevent the same hazardous scenario, but they both take the same action such as closing the same emergency shutdown valve, there is likely to be insufficient independence because both actions rely on closing the same valve.[1] If the emergency shutdown valve fails to act as required, neither shutdown command will succeed. The same approach is used for alarms with human response; if a trained operator receives one alarm they may be able to adequately respond and prevent the hazardous scenario. If the same operator receives multiple alarms for the same event, however, they will not be able to respond to multiple alarms at the same time, and many alarms may even obscure the real process condition resulting in a higher likelihood of incorrect response from the operator.
A safeguard must be intended to prevent the hazardous scenario that is under review. This may seem obvious, however there are many cases where operators of a process must rely on indirect information to identify a potential hazardous scenario, or a safeguard is relied upon for a different reason than it was intended.
For example, in a distillation system the temperature and pressure of the process are closely interlinked, so if there is a known issue with measurement of one of these variables the operators may rely on the other and infer the value of the faulty measurement from it. There are potential scenarios, however, in which the process does not operate as expected and this approach is insufficient; therefore a high temperature action cannot be solely relied upon to identify a high pressure situation, and vice versa. When identifying safeguards in a PHA, it is important to ensure that safeguards are intended to identify and protect against the scenario in question.
The safeguard must be dependable to perform its action and take the system to a safe state. This includes consideration that the safeguard will indeed take the system to a safe state when it functions correctly, and that it is sufficiently reliable that it can be reasonably expected to perform correctly.
If the safeguard is later found to be less reliable or effective than it was previously expected to be, the relevant portion(s) of the PHA must be revalidated to ensure that adequate safeguarding is provided, given the reduced efficacy of the safeguard in question.
The Dependable criterion may be defeated in the event that either the safeguard will not take the system to a safe state, or the safeguard is not reliable enough for the demands of the scenario in question.
It is also important to consider whether the safeguard, performing its function as intended, will introduce any new hazards that would not otherwise be present. If a safeguard activating may cause another hazardous scenario, it is necessary to either ensure there is adequate protection against that scenario or, preferably, alter or replace the safeguard such that the system is taken to a safe state by the safeguard and no new hazards are created.
An example of a safeguard that introduces a new hazard is a pressure/vacuum relief valve (PVRV), also known as a pressure/vacuum safety valve, on an atmospheric-pressure storage tank that contains flammable gas. If the pressure in the tank falls below the ambient air pressure there is the potential for the tank to implode due to the vacuum created, and the PVRV prevents this vacuum by allowing atmospheric air to enter the tank. However, this causes a new hazard by introducing oxygen to a flammable hydrocarbon gas environment, with the resultant potential for fire or explosion in the system. This new hazard must also be controlled.
Finally, the potential for personnel working with the system to bypass or disable the safeguard must be considered. For example, an operator might disable an alarm because it activates often when not required to, creating an unnecessary distraction. While this may be a good decision for safe operation of the facility, it means that the alarm cannot be considered a dependable safeguard in a PHA. Where a safeguard is considered necessary to control the risk, controls must be put in place to prevent it being bypassed or disabled, but care must also be taken to avoid introducing alarms and shutdowns that create nuisance interruptions for operators.
In qualitative assessments such as Hazard and Operability (HAZOP) studies, it is generally considered that a minimum threshold of dependability of 90% must be reached in order to consider the safeguard dependable. This means that the safeguard will take the system to a safe state at least nine out of ten times that it is required to act.
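A small model, added here as an example and not part of the article, that applies the independence rules discussed above (a safeguard sharing its sensor with the cause, as in the bubbler tube incident; two shutdowns sharing one ESD valve) together with the 90% dependability threshold to a constructed set of safeguards; the component tags, PFD values and initiating event frequency are assumptions.

```python
"""Independence and dependability checks for PHA safeguards (added example,
not from the article). Component names, PFD values and the initiating event
frequency are constructed for illustration; the only figure taken from the
text is the 90% dependability threshold."""
import math
from dataclasses import dataclass

DEPENDABILITY_THRESHOLD = 0.90     # must succeed on at least 9 of 10 demands

@dataclass(frozen=True)
class Safeguard:
    name: str
    pfd: float                     # probability of failure on demand
    elements: frozenset            # components it depends on to act

def is_dependable(pfd):
    """Dependable when the safeguard works on >= 90% of demands (PFD <= 0.1)."""
    return (1.0 - pfd) >= DEPENDABILITY_THRESHOLD

def credited_safeguards(cause_elements, safeguards):
    """Apply the article's rules to decide which safeguards earn credit.

    - Sharing an element with the cause: no credit (the bent bubbler tube both
      created the demand and blinded the high level shutdown).
    - Sharing an element with an already credited safeguard (two trips closing
      one ESD valve): no credit; the assumption here is to keep the lowest PFD.
    - Below the 90% dependability threshold: no credit.
    """
    credited, used = [], set(cause_elements)
    for sg in sorted(safeguards, key=lambda s: s.pfd):
        if is_dependable(sg.pfd) and not (sg.elements & used):
            credited.append(sg)
            used |= sg.elements
    return credited

def mitigated_frequency(initiating_frequency, safeguards):
    """LOPA-style mitigated frequency: initiating frequency x product of PFDs."""
    return initiating_frequency * math.prod(s.pfd for s in safeguards)

def two_trips_one_valve(pfd_valve, pfd_trip_a, pfd_trip_b):
    """Compare the real PFD of two trips sharing one valve with the product a
    PHA team would assume if it credited them as two independent layers."""
    def series(*pfds):               # elements that must all work
        return 1.0 - math.prod(1.0 - p for p in pfds)
    # both fail if the valve fails, or the valve works and both trips fail
    actual = pfd_valve + (1.0 - pfd_valve) * pfd_trip_a * pfd_trip_b
    naive = series(pfd_valve, pfd_trip_a) * series(pfd_valve, pfd_trip_b)
    return actual, naive

# Constructed sample: the level control sensor fails, creating the demand.
CAUSE_ELEMENTS = {"LT-101 bubbler"}
IEF = 0.1                                      # demands per year
SAFEGUARDS = [
    Safeguard("High level trip on LT-101", 0.05,
              frozenset({"LT-101 bubbler", "SIS logic A", "XV-101"})),
    Safeguard("High level trip on LSH-102", 0.05,
              frozenset({"LSH-102 switch", "SIS logic A", "XV-101"})),
    Safeguard("High level trip on LT-105 (separate logic)", 0.05,
              frozenset({"LT-105", "SIS logic B", "XV-101"})),
    Safeguard("Operator response to LAH-104", 0.3,
              frozenset({"LAH-104", "operator"})),
]
```

Crediting all four layers would give a mitigated frequency of `IEF * 0.05 * 0.05 * 0.05 * 0.3`; applying the rules leaves a single creditable trip, and `two_trips_one_valve` shows why the shared valve makes the naive product optimistic.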
All equipment and processes, including administrative processes, degrade over time and require maintenance and investment to maintain adequate reliability and functionality. A key part of this maintenance is auditing the safeguard to verify that, if it is required to act, it will perform its function effectively and with adequate reliability. This may include proof testing, calibration, verification, periodic replacement, and other checks or activities to provide assurance that the safeguard’s reliability and function are maintained to an adequate level. The auditing process proves that the other safeguard criteria are being maintained. This process must be documented and verified to ensure it is meeting the requirements of the process in question.
Center for Chemical Process Safety. Layer of Protection Analysis: Simplified Process Risk Assessment. American Institute of Chemical Engineers, 2001.
Center for Chemical Process Safety. Guidelines for Initiating Events and Independent Protection Layers in Layers of Protection Analysis. John Wiley & Sons, 2015.
US Chemical Safety and Hazard Investigation Board. Fatal Liquid Nitrogen Release at Foundation Food Group: Investigation Report. https://www.csb.gov/file.aspx?DocumentId=6268. December 2023. Accessed December 2023.
International Electrotechnical Commission. IEC 61511-1 Functional Safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and application programming requirements. Edition 2.1, August 2017.
[1] There are some cases where an analysis of the reliability of each component of a safeguard, and the overall reliability of the safeguard, is warranted to identify requirements for adequate independence to reach the desired risk reduction. However, for many processes it is sufficient for the operating company to set standard minimum requirements for independence of safeguards instead of analyzing each on a case-by-case basis.
Watchmen Instrumented Safety Experts (WISE) is a Functional Safety Engineering company with specialized expertise in preventative and mitigative instrumented safety. Our expertise includes HAZOP Facilitation, LOPA Facilitation, SIL / SIS Calculations and Consulting, Alarm Management, Fire and Gas Systems Engineering. Consult one of our experts for your instrumented safety projects today.
Copyright © 2018 Watchmen Instrumented Safety Experts - All Rights Reserved.