improve your ‘operational discipline’ before embarking · pdf filefunctional...

Functional Safety – “the need to get it right” Perth, 31 July 2013

Improve your ‘Operational Discipline’ before embarking on SIS journey

Raj Sreenevasan

Principal Instrument Engineer, Proteus EPCM Engineers

Reflection on Process safety at your work place

• What is the difference between Personal safety (OHS) and Process safety?

• Are you aware of API 754 / API 755 standards?

• Do you regularly discuss / analyze significant process safety accidents at your work place?

• Are there any specific web sites you monitor on a regular basis to learn about new significant process safety incident (e.g., CSB, HSE, EPSC)?

• List some leading process safety indicators monitored at your site

• What process hazard identification techniques do you use?

• Have you considered alternative techniques because current techniques fail to uncover hazards during start-up or shut-down phases?

• How well do you incorporate lessons learned in process hazard identification studies?

Reflection on Process safety at your work place

• Describe the process safety culture at your work place.

• Have you participated in incident / accident investigations?

• Have you heard about Trevor Kletz / James Reason?

• How about Andrew Hopkins?

DIFFERENCES BETWEEN OHS & PROCESS SAFETY

Occupational Health & Safety Process Safety

• Workplace rules

• Worker training

• Supervision

• Individual behaviors

• Safety equipment

• Focus on individual well being

Collective commitment

Addresses events over which the individual worker has little or no control

Focus on systems

Behavioral safety

Broader impact – events that could affect groups or workers or general public

Process safety is a blend of engineering and management skills focused on preventing catastrophic accidents, particularly explosions, fires, and toxic releases associated with the use of

chemicals and petroleum products (Centre for Chemical Process Safety – 2012).

Based on Baker Panel report (after Texas City explosion in 2005), CCPS and API have developed a common set of industry leading and lagging metrics:

• Tier 1 process safety incidents [Loss of primary containment (LOPC)] of greater consequence

• Tier 2 process safety events, LOPC incidents that either restrict work or require medical treatment

• Near Miss or minor LOPC events (challenges to safety systems)

• Unsafe behaviors or operating discipline and management system performance indicators

Tier 1 and 2 events are publicly reported nationwide ‘lagging metrics’ (as they are reported after the incidents have occurred).

‘Near Miss’ or challenges to safety system is a company defined ‘lagging metric’ performance indicator.

Unsafe behaviors are company defined ‘leading metric’ performance indicator.

LAGGING METRICS

• Tier 1 LOPC events of greater consequence

• Tier2 LOPC events of lesser consequence

• Rate adjusted metrics

• Industry ‘Process Safety’ metrics

NEAR MISS or CHALLENGES TO SAFETY SYSTEM

• Opening of a rupture disc, pressure relief valve when a pre-determined trigger point is

reached

• Failure to open of a rupture disc, pressure relief valve when a pre-determined trigger point is reached

• The number of times a mechanical shutdown system is called upon to function by a valid signal, whether or not the actual device responds

• Near misses involving primary containment inspection or testing outside acceptable limits

• Near misses involving process deviation or excursions

• Near misses associated with management system failures / issues – discovery of failed safety system upon testing, defeated safety system, errors of omission / commission, unexpected or unplanned equipment condition, physical damage to containment envelope, etc.

• Activation of a safety instrumented system when ‘out of acceptable range’ process variable is detected

• Any time a safety instrumented system fails to operate as designed when a demand is placed on the system

LEADING METRICS

• Mechanical integrity

• Process hazards evaluation completion

• Action items follow-up

• Management of Change [MOC] process

• Operating procedures current and accurate

• Safety Culture

• ‘Process Safety’ training and competency

• Work permit compliance

• Operating and maintenance procedures

• Safety critical equipment inspection

• Safety critical equipment deficiency management

• Completion of ‘emergency response’ drills

• Fatigue risk management

Response to ‘Major Accidents’ It is quite natural for governments around the world to further strengthen / beef-up regulations following a major accident. However unlike Australia, most other western nations have embarked on a parallel path of educating the industry for example commissioning research reports, or establishing new organizations.

Rest of the World

• Seveso, Italy, 1976 – Seveso directive

• Union Carbide, Bhopal, 1984 – Centre for Chemical Process Safety

• Piper Alpha, North Sea, 1988 – HSE UK

• Phillips 66, Texas, 1989 – Mary O’Connor Process Safety Center

• Chemical Safety Board, USA – 1998

• Baker Panel report, 2007 – European Process Safety Centre

Australia

Moura mine explosion, 1994 – QLD Mines Safety Act

Gretley mine disaster, 1996 – NSW Mines Safety Act

Longford explosion, 1998 – Victorian MHF legislation

Common factors in “MAJOR” accidents

Prof Nancy G Leveson has stated that major accidents share the following common factors:

• Flaws in the safety culture (organization / whole industry)

• Lack of real commitment to safety by leaders

• Non-existent or not followed management of change procedures

• Inadequate hazard analysis and design for safety

• Flawed communications and reporting systems

• Inadequate learning from prior events

• Confusion between occupational and system safety

• Belief that process accidents are low probability (reporting accidents as low probability, high consequence events – unique to process industries chemical, petro-chemical, oil & gas), while major accidents may be low frequency, they are not necessarily low probability

Could these disasters been avoided by implementing ‘SIL’ systems?

• BP Texas City Refinery explosion – 2005

• Buncefield Explosion and fire – 2005

• Formosa Plastics Fire – 2005

• Varanus Island explosion – 2008

• IOL Jaipur Terminal fire – 2009

• Dupont Flammable Vapor explosion – 2010

• Pike River Coal Mine disaster – 2010

• Macondo Well blowout – 2010

• Kooragang Island Chromium VI leak – 2011

• Chevron Richmond Refinery fire – 2012

• West Fertilizer Fire and explosion – 2013

• Freeport Grasberg Mine disaster - 2013

BP Texas City Refinery explosion – 2005

• BP has not provided effective process safety leadership and has not adequately established process safety as a core across all of its five US refineries

• BP has emphasized personal safety and has achieved significant improvement in personal safety performance. However BP did not emphasize process safety

• Inadequate process safety understanding created a false sense of confidence that BP was properly addressing process safety risks

• BP did not effectively incorporate process safety into corporate decision making

• BP has not implemented an effective process safety audit system for its US refineries

• Most fatalities and serious injuries occurred in or around trailers that were susceptible to blast damage and were within 150 feet of blowdown drum and vent stack

Buncefield Explosion and fire – 2005

• Possible. Root cause was the failure of both automatic tank gauge [ATG] and the independent high level switch [IHLS] leading to a loss of ‘primary containment’

• There were also failures of ‘secondary, and ‘tertiary’ containments

• Redundant ‘Emergency Stop’ button provided on the operator screen. However the capability of this E-stop to close all tank side valves was never tested

• No clear understanding of major accident risks and the safety critical equipment and systems designed to control them

• Time and resources required for process safety were not made available

• There was no effective auditing system in place which test the quality of existing management systems

• There was no board level involvement with process safety initiatives

• Lacking competence to ensure that major hazard risks are being properly managed

Formosa Plastics fire – 2005

• Root cause – A trailer towed by a fork lift snagged and knocked out a small drain valve out of a strainer. Escaping propylene rapidly vaporized, forming a large vapor cloud, which ignited and caused an explosion

• Control room operator began shutting down the unit (pump). However the field operator was unable to shutoff the manual isolation valves (design defect in not installing remotely operated valves)

• Design defect in not adequately protecting the drain valves (installation of safety bollards to protect equipment and piping from vehicle impacts)

• Non-availability of flame resistant clothing for emergency responders

• Inadequate fire proofing of structural steel supports (design defect)

• The design engineer was required to revise their petrochemical process plant design procedures to ensure that they address the use of current safety standards for new designs and earlier designs reused for new facilities

Varanus Island Explosion – 2008

• There was lack of robust corrosion data, and corrosion prevention systems were not addressed by Apache

• High pressure export sales gas pipeline (critically weakened by external corrosion) ruptured and exploded

• Almost immediately an adjacent inflow gas pipeline (< 30 cm away) ruptured

• Intense jet fires caused further four (4) pipelines to rupture

• Explosion was due to Apache’s (operator) technical and operational failings

• Australian offshore industry has a good safety reputation. However in recent years key safety indicators have worsened and not all operators have a mature safety culture in place

• Mish-mash of regulatory regimes and poor relationships among regulators (both state and federal)

IOL Jaipur Terminal fire – 2009

• Formation of vapour cloud through a leak in ‘Hammer blind valve’ • The operator lining up the transfer pipeline, and shift officer were

incapacitated by the motor spirit fumes and had to be removed from site

• 2nd operator who rushed to assist the 1st operator succumbed to the fumes and could not be rescued

• Absence of remotely operated valves to prevent ‘loss of primary containment’

• Absence of site specific written procedures • Shortcomings in design and engineering specifications • Inadequate mitigation measures • Safety was not considered a priority for management • Loss of both ‘primary’ and ‘secondary, containment was never

considered to be a credible event and hence not recorded in HAZID register

Dupont Flammable Vapor explosion – 2010

• Dupont PHA made the incorrect assumption that vinyl flouride [VF] in the Tedlar process could not reach flammable levels in the slurry tanks

• Tank 1 not properly isolated from Tanks 2 & 3, before hot work permit for Tank 1 was issued

• Hot work permit procedure did not require testing the atmosphere inside Tank 1 for flammable gases

• Individuals who signed off the hot work permit were not knowledgeable in the operations and hazards associated with the Tedlar process

• Repair work created multiple ignition sources

Pike River Coal disaster – 2010

• This was a process safety accident caused by an unintended escape of methane gas followed by an explosion in the mine. It occurred during a drive to achieve coal production in a mine with leadership, operational systems and cultural problems

• Inadequate oversight of the mine by a health and safety regulator lacking in focus, resources and inspection capacity

• Failure to learn – New Zealand’s HSE record is inferior to other comparable nations

• A high ratio of inexperienced to experienced miners and the presence of overseas miners not used to New Zealand’s mining conditions

• Worker’s practice of bypassing safety devices on mining machinery, so work could continue regardless of the presence of methane gas

• Placing main ventilation fan underground in a gassy coal mine – A world’s first and worst form of design defect

• Inability to learn from Queensland and NSW coal mine accidents – Failure to adopt the Trigger Action Response Plans [TARPs]

• No electrical safety assessment was carried out – A number of VSDs placed underground were failing regularly

Macondo Well blowout – 2010

• Failure of ‘defence-in-depth’ mechanism [James Reason’s Swiss cheese accident model]. Defence in depth strategy works when the layers are ‘truly independent’ from each other

• If the defence layers become interdependent, then domino effect comes into play – once one barrier falls, then the other barriers will collapse

• Cement job was emphatically declared as “a success”, with the assumption that the subsequent well integrity test will pick up any problems, and the blowout protector [BOP] will operate as a last line of defence

• Cement evaluation tool was not used because the cement job was believed to have been successful

• Well integrity test was undermined by the announcement that the well job had been successful

• Flow monitoring of the well was effectively stopped during the last few hours because of the declaration that the cement job was successful and the well had passed the integrity test

• The BOP failed because it was designed on the assumption that someone would be monitoring the well vigilantly

Note: CSB is yet to release its investigation report on the Macondo accident. The source for the above observations is Andrew Hopkins book titled “Disastrous Decisions”.

Kooragang Island Chromium VI leak – 2011

• Modification of heat recovery coil in 2011 facilitated the condensate formation

• Amount of condensate produced overwhelmed the drainage arrangements • Vent stack SP8 was not designed to cope with the levels of condensate

produced during the start-up (design defect) • Increase in condensation was anticipated, but was not quantified and hence

effective safeguards were not implemented (design error) • Operating procedures were not prescriptive enough in defining key criteria

to be met at particular stages of the start-up (deficient operating procedures)

• Modifications to the plant appear to have been assessed as a collection of small projects rather than as part of the holistic review of the plant (management was not aware of the safety risks)

• Orica failed to anticipate that there was potential for communities outside the plant to be affected by prevailing winds and an emission that was nearly 60 m high

• There was an unacceptable delay in Orica’s reporting of the incident to the Office of Environment and Heritage

Chevron Richmond Refinery fire – 2012

• An operator noticed a leak from the side cut piping. Instead of shutting down the crude unit, Chevron tried to locate the source of the leak while the unit was still operating (production took precedence over process safety)

• Catastrophic pipe rupture led to the formation of a large vapour cloud explosion

• Large plume of unknown and unquantified particulates escaped, affecting ~ 15,000 people

• Level 3 community warning alert issued for the Contra Costa county

• Subsequent metallurgical testing confirmed sulphidation corrosion as the root cause of pipe rupture

• Several Chevron refineries had incidents from sulphidation corrosion since 1988 i.e., Chevron was aware of the problem for well over 25 years

West Fertilizer Fire and explosion – 2013

• Explosion at West Fertilizers resulted from an intense fire in a wooden warehouse containing ~ 60 tons of ammonium nitrate stored in wooden bins

• Building lacked sprinkler systems or other systems to automatically detect or suppress fires

• Fertilizer industry personnel have reported that wooden bins are still the norm for distributing AN fertilizer across the US

• Ammonium nitrate is not one of the listed chemicals that triggers OSHA PSM coverage. The PSM standard also contains an exemption for retail facilities such as West Fertilizers

• Similarly ammonium nitrate is not one of the listed chemicals that triggers EPA’s RMP coverage

• West Fertilizer was RMP covered due to its stored anhydrous ammonia. However the company’s offsite consequence analysis considered only the possibility of an ammonia leak, not an ammonium nitrate explosion

• While US standards for ammonium nitrate has remained static, other countries have adopted more rigorous standards covering both the storage and siting of ammonium nitrate facilities

• UK’s HSE guidance requires “ammonium nitrate be normally stored in single storey, dedicated, well ventilated buildings that are constructed from materials that will not burn such as concrete, bricks or steel

Freeport Grasberg Mine disaster – 2013

• Training facility located in an unused mine tunnel

• Tunnel collapsed trapping 39 people attending a training course

• 11 people were rescued, but the remaining 28 people died

• Production at Grasberg has been suspended pending investigations and clearance from local authorities

• Daily impact of suspension is ~ 3 million pounds of copper and 3000 ounces of gold production

• Freeport has declared a ‘Force Majeure’ on all of its contracts

‘DESIGN’ as a contributor to chemical process accidents

Humans are prone to make errors due to many reasons – misunderstanding, poor communication, miss-thought, in-a-hurry, lack-of-knowledge, lack-of-checking etc. ‘Designer makes error because they usually have a limited time to check their work’ – Trevor Kletz

Not all design errors are safety related. Hence, for accident analysis purpose, JR Taylor (1975) states that “a design error is deemed to have occurred, if either the design or operating procedures are changed after an incident has occurred”.

Design errors relating to operator-technical interface has been found to be the contributor for ~23% of chemical process accidents. There are strictly no faults from a technical point of view, but still the design has led to an accident by causing confusing, misleading or illogical information being presented to the operator.

Source: Design as a contributor to chemical process accidents1

THE CLASSIFICATION OF DESIGN ERROR

Design Error Description

Process condition Inappropriate process condition selection due to lack of knowledge or inadequate analysis

Reactivity / Incompatibility

Lack of analysis at normal and abnormal process conditions

Unsuitable equipment

Selection that creates operational problems or increases the risk of accidents

MOC Wrong specification

Sizing Inappropriate sizing (oversize or undersize) that affect their function and reliability during normal and abnormal process conditions




Protection Inadequate design for safety due to lack of analysis and availability of limited process information

Layout Errors on plant layout, physical arrangement, positioning, equipment accessibility, visual obstacles, operator-technical interface, colour coding

Automation /Instrumentation

Inadequate automation / instrumentation, especially during abnormal process conditions for proactive process deviation / hazard detection, response and mitigation




Utility set-up Wrong utility selection and its realization especially related to maximum heating / cooling capacity, incompatible heat transfer medium

Operating Manual Wrong work procedures that jeopardize the safe operation of process equipment (wrong sequence of work, not clear direction / instruction, wrong tool)

Fabrication / Construction / Installation

Design oriented problems – welding defect, thermal expansion, stress, mis-match of process equipment with their connectivity


DISTRIBUTION OF DESIGN ERRORS

7

10

15

29

39

40

60

72

82

83

89

0 20 40 60 80 100

Operating Manual

Sizing

Automation…

Fab / Const. / Installation

Unsuitable Equipment

Utility set-up

Construction Material

Protection

Process Condition

Reactivity / Incompatibility

Layout

No of design errors

No of design errors


DISTRIBUTION OF DESIGN ERRORS / PROCESS EQUIPMENT

0 20 40 60 80 100

Layout

Reactivity/incompatibility

Process condition

Protection

Material of construction

Utility set-up

Unsuitable equipment

Fabrication/construction/in…

Automation/Instrumentation

Sizing

Operating manual

Piping system

Reactor

Process vessel

Storage tank

Separation eqpt

Heat transfer eqpt


DuPont Process Safety Management Model

Operational Discipline and Flawless Execution

Operational Discipline [OD] is defined as ‘a mindset and commitment to strict adherence to standards, processes and rules that govern operations in groups or individuals’. DuPont goes further and defines OD as ‘the deeply rooted dedication and commitment by every member of an organization to carry out each task the right way every time’.

Formality is defined as ‘that strict adherence to established rules and procedures’, i.e., it is the actionable part of the actionable part of the OD mindset. Thus OD is commitment while formality is rigidity. Together OD and formality determine how individuals and teams act, communicate, resolve issues, perform maintenance and foster ownership.

Flawless Execution methodology (Plan-Brief-Execute-Debrief cycle) drives the OD necessary to close execution gaps and prevent errors and crises. Debriefing events, to garner lessons learned for the next planning cycle, results in continuous safety and performance improvement.

Flawless Execution - contd..

Plan

Brief

Execute

Debrief

Flawless Execution - contd..

Formalized communication can significantly enhance and improve safety, execution and productivity. Some companies prefer to formalize their processes by writing the standards and then distribute them throughout the company, while other companies prefer to initially train their front-line supervisors on the formalized standards and have the front-line supervisors transfer this knowledge throughout the organization (both in theory and practice).

An important pillar of operational discipline and formality is the fostering of individual and organizational ownership. Encouraging ownership comes down to answering two simple questions – ‘What is OUR standard’? and ‘How do WE ensure it is being met’?

Typical Process Variable

ESD threshold

HiHi threshold

High threshold

Low threshold

LoLo threshold

ESD threshold

Au

tom

atic

B

PC

S o

per

atio

n

Man

ual

Le

vel 1

Man

ual

Le

vel 2

Au

to E

SD

Man

ual

ESD

Escalation of undesirable events

A well designed and maintained basic process control system [BPCS] would control the process variable to remain in the green zone (normal operational limits). BPCS should also be able to return the process from short term excursion into the yellow zone.

Sustained excursion into the Yellow zone will require manual intervention {Level 1} from the operator (this may be something simple as adjusting another process variable).

Any incursion into the Orange zone (either short or sustained) will require manual intervention {Level 2} from the operator (e.g., auto mode for the loop being reverted to manual mode).

An incursion into the Red zone will trigger an automatic ESD response (possibly after a small time delay). If the incursion into the Red zone is prolonged, it is possible to intervene and manually activate ESD control (immediate shutdown).

All manual interventions (Level 1 & 2) and automatic ESD response which return the process to its normal operating zone (Green zone) are process near-miss events. Near-misses are high probability, low consequence events. History has shown us that accidents are preceded by several near-misses.

Escalation of undesirable events contd..

Most operating plants record the alarm events in either distributed control system (DCS) or emergency shutdown (ESD) databases. Engineers and managers have been aware of rich information related to near-misses held in the databases. However, despite advances in alarm management over the years, existing alarm data analysis methods have not utilised the risk information contained in these recorded alarm databases. Under the new API 754 standard, these near-misses are required to be treated as leading indicators for process safety in the plant.

In recent years, researchers have been developing key performance indicators associated with potential trips and accidents, leading indicators (events or trends indicating the times these trips / accidents are likely to occur) and the probabilities of failures. These are often referred to as dynamic risk analyses (DRA).

NOTE: Dynamic risk assessment using alarm data is in its infancy. DRA based on alarm data complements quantitative risk analysis (QRA) and hence will help improve process safety management at operating plants.

NUGGETS TO TAKE BACK TO YOUR WORKPLACE

• Instill a learning culture in your organization

• Before commencing a SIL project take a very close look at the ‘operational discipline’ followed at your plant or site

• Do not embark on a SIL journey so as to get a warm, fuzzy feeling or to satisfy the regulator

• KISS principle – Keep it simple stupid (less SIF’s in your facility, the more safe it is)

THANK YOU FOR YOUR ATTENTION

References Reprinted from Journal of Loss Prevention in the Process Industries, Vol. 25 / Edition 4, Kamarizan Kidam, Design as a contributor to chemical process accidents, Pages 655-666, Copyright (2012), with permission from Elsevier1

http://www.sciencedirect.com/science/journal/xxxxx

Operational Discipline – Does your organization do the job right every time? Brian D Rains, AIChE 7th Global Congress on Process Safety, 2011

Reducing Accidents in the Oil & Gas Industry, Professor Nancy Leveson’s Testimony on Deepwater Horizon Accident to US Congress

Process Safety Performance Indicators in Chemical Industry – What Makes It a Success Story and What Did We Learn So Far? Thomas Klein, Chemical Engineering Transactions, Vol. 31 2013

Improve process safety with near-miss analysis, Ulku G Otkem, Chemical Engineering Progress May 2013

Guidance on developing ‘Safety Performance Indicators’ for Industry, OECD 2nd Edition 2008



improve your ‘operational discipline’ before embarking · pdf filefunctional...

Documents