Project
NAME:
LOPA_Continuing_Example_Method1.sbmx
DESCRIPTION
This project implements the continuing example described in Appendix 1 of the CCPS book Layer of Protection Analysis - Simplified Process Risk Assessment, AIChE, 2001, ISBN 0-8169-0811-7.
The consequence assessment method is "Method 1", "Category Approach without Direct Reference to Human Harm", as described in section 3.3 and Table 3.1.
For the decision model, a risk matrix is derived from Table 8.1. That table shows four risk areas ("colors"); here the areas "Action at next opportunity (notify corporate management)" and "Immediate action (notify corporate management)" are combined into a single "red" area.
Links to the respective LOPA sheets are included in the descriptions of the consequences (click on a consequence, expand Description, and click the hyperlink).
The project is based on the template "Standard Template_EN_colored barrier types.sbmt"
Consequence
NAME:
Uncontrolled Hexane release
Expected Frequency of Occurrence per Year:
1E-5
DESCRIPTION
Initial Event
NAME:
Loop failure of BPCS LIC
Expected Frequency of Occurrence per Year:
0.1
DESCRIPTION
Intermediate Event
NAME:
Hexane surge tank overflow
Expected Frequency of Occurrence per Year:
0.001
DESCRIPTION
Consequence
NAME:
Spill contained by dike
Expected Frequency of Occurrence per Year:
0.00099
DESCRIPTION
Consequence
NAME:
Uncontrolled Release of Hexane/Overfilling
Expected Frequency of Occurrence per Year:
1E-5
DESCRIPTION
Consequence
NAME:
Hexane Tank Overflow - contained by dike
Expected Frequency of Occurrence per Year:
0.00099
DESCRIPTION
Intermediate Event
NAME:
Storage Tank Overflow
Expected Frequency of Occurrence per Year:
0.001
Intermediate Event
NAME:
Tank Filling Continues
Expected Frequency of Occurrence per Year:
0.1
DESCRIPTION
Initial Event
NAME:
Unloading of truck while storage tank not empty
Expected Frequency of Occurrence per Year:
1
DESCRIPTION
Barrier Diagram
NAME:
Hexane Surge Tank Overflow
DESCRIPTION
Continuing Example 1a and 1b Hexane Surge Tank Overflow
Risk Matrix Categorization (Method 1/Chapter 3 and 8)
Barrier
NAME:
Safety Instrumented Function
Probability of Failure on Demand (PFD): 0.01
DESCRIPTION
BARRIER TYPE:
8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS)
BARRIER TYPE DESCRIPTION
Barrier
NAME:
Dike
Probability of Failure on Demand (PFD): 0.01
DESCRIPTION
BARRIER TYPE:
2 PERMANENT PASSIVE BARRIER
BARRIER TYPE DESCRIPTION
Barrier Diagram
NAME:
Hexane Storage Tank Overflow
DESCRIPTION
Continuing Example 2a and 2b Hexane Storage Tank Overflow
Risk matrix method with categories (Method 1 of Chapter 3 and 8)
Notes: Safeguards (non-IPL):
The BPCS level control and alarm is not credited as an IPL because it is part of the BPCS, and the BPCS is already credited in the IPL "Level check" (level indicator read by the operator). Crediting it again would count the same system twice.
Barrier
NAME:
Dike
Probability of Failure on Demand (PFD): 0.01
BARRIER TYPE:
2 PERMANENT PASSIVE BARRIER
BARRIER TYPE DESCRIPTION
Barrier
NAME:
SIF overfilling protection
Probability of Failure on Demand (PFD): 0.01
DESCRIPTION
BARRIER TYPE:
8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS)
BARRIER TYPE DESCRIPTION
Barrier
NAME:
Level check
Probability of Failure on Demand (PFD): 0.1
DESCRIPTION
BARRIER TYPE:
6 PREVENTIVE PROCEDURAL ACTION
BARRIER TYPE DESCRIPTION
Barrier Diagram | Consequence | Prob./Expected Freq. | (Unit) | Severity |
---|---|---|---|---|
Hexane Surge Tank Overflow | Uncontrolled Hexane release | 1E-5 | Expected Frequency of Occurrence per Year | Category 4 |
Hexane Surge Tank Overflow | Spill contained by dike | 0.00099 | Expected Frequency of Occurrence per Year | Consequences of No Interest |
Hexane Storage Tank Overflow | Hexane Tank Overflow - contained by dike | 0.00099 | Expected Frequency of Occurrence per Year | Consequences of No Interest |
Hexane Storage Tank Overflow | Uncontrolled Release of Hexane/Overfilling | 1E-5 | Expected Frequency of Occurrence per Year | Category 4 |
Barrier Diagram | Critical Event | Prob./Expected Freq. | (Unit) |
---|---|---|---|
Band | Expected Frequency of Occurrence per Year | Consequences of No Interest | Category 1 | Category 2 | Category 3 | Category 4 | Category 5 |
---|---|---|---|---|---|---|---|
-1 | More likely than: 0.1 | | | | | | |
-2 | Less likely than: 0.1 | | | | | | |
-3 | Less likely than: 0.01 | | | | | | |
-4 | Less likely than: 0.001 | Spill contained by dike; Hexane Tank Overflow - contained by dike | | | | | |
-5 | Less likely than: 0.0001 | | | | | Uncontrolled Hexane release; Uncontrolled Release of Hexane/Overfilling | |
-6 | Less likely than: 1E-5 | | | | | | |
-7 | Less likely than: 1E-6 | | | | | | |
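The frequencies in the tables above follow from one multiplication chain per barrier diagram: the initiating-event frequency times the PFD of each credited preventive IPL gives the overflow frequency, and the dike then splits that demand into a contained branch (1 - PFD) and an uncontrolled branch (PFD). The Python below is an added worked example written for this page, not code from the .sbmx project or from the CCPS book. Its numbers are the page's own (initiating-event frequencies, IPL PFDs, the matrix bands, and the Category 4 criteria "action required if > 1E-3, tolerable if < 1E-5"); the `system` labels used for the independence check and the label given to results lying on or between the two stated criteria are assumptions made here. It also encodes the page's note that a BPCS alarm cannot be credited next to an operator level check that already relies on BPCS indication.

```python
"""LOPA frequency propagation and risk-matrix placement for the two hexane
overflow scenarios on this page (added worked example; not part of the .sbmx
project or the CCPS text). The "system" labels and the label for results that
fall between the two stated criteria are assumptions."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float      # probability of failure on demand
    system: str     # assumed: plant system the IPL depends on (e.g. "BPCS")


@dataclass(frozen=True)
class Scenario:
    name: str
    initiating_event: str
    ie_system: str          # assumed: system whose failure is the initiating event
    ie_frequency: float     # events per year
    ipls: tuple             # preventive IPLs first, final mitigating IPL (dike) last


def check_independence(s: Scenario) -> None:
    """Reject an IPL set that credits one system twice, or credits the system
    whose failure is the initiating event (mirrors the page's BPCS note)."""
    seen = {s.ie_system: s.initiating_event}
    for ipl in s.ipls:
        if ipl.system in seen:
            raise ValueError(f"{ipl.name!r} is not independent: system "
                             f"{ipl.system!r} already credited by {seen[ipl.system]!r}")
        seen[ipl.system] = ipl.name


def propagate(s: Scenario):
    """Return (contained, uncontrolled) outcome frequencies per year.
    Every preventive IPL must fail for the demand to reach the final layer,
    which then splits it into a contained and an uncontrolled branch."""
    check_independence(s)
    f = s.ie_frequency
    for ipl in s.ipls[:-1]:
        f *= ipl.pfd
    final = s.ipls[-1]
    return f * (1.0 - final.pfd), f * final.pfd


def matrix_band(freq: float) -> int:
    """Row of the page's risk matrix: -1 is 'more likely than 0.1', -n (n >= 2)
    is 'less likely than 10**(1-n)', so 0.00099 -> -4 and 1E-5 -> -5."""
    # round before floor so an exact power of ten is not pushed a row down
    return max(-7, min(-1, math.floor(round(math.log10(freq), 9))))


# Category 4 risk tolerance criteria as stated on the page (Method 1)
ACTION_REQUIRED_ABOVE = 1e-3
TOLERABLE_BELOW = 1e-5


def decision(freq: float) -> str:
    """Apply the two Category 4 criteria literally; a result on or between
    the thresholds (1E-5 itself, as on this page) is flagged for review."""
    if freq > ACTION_REQUIRED_ABOVE and not math.isclose(freq, ACTION_REQUIRED_ABOVE):
        return "action required"
    if freq < TOLERABLE_BELOW and not math.isclose(freq, TOLERABLE_BELOW):
        return "tolerable"
    return "between criteria (review)"   # assumed label


SURGE_TANK = Scenario(
    name="Hexane Surge Tank Overflow",
    initiating_event="Loop failure of BPCS LIC", ie_system="BPCS", ie_frequency=0.1,
    ipls=(IPL("Safety Instrumented Function", 0.01, "SIS"), IPL("Dike", 0.01, "dike")))

STORAGE_TANK = Scenario(
    name="Hexane Storage Tank Overflow",
    initiating_event="Unloading of truck while storage tank not empty",
    ie_system="inventory control", ie_frequency=1.0,
    ipls=(IPL("Level check", 0.1, "BPCS"),          # operator reads BPCS level indicator
          IPL("SIF overfilling protection", 0.01, "SIS"),
          IPL("Dike", 0.01, "dike")))


def summarize(s: Scenario) -> dict:
    contained, uncontrolled = propagate(s)
    return {"contained": (contained, matrix_band(contained)),
            "uncontrolled": (uncontrolled, matrix_band(uncontrolled), decision(uncontrolled))}


if __name__ == "__main__":
    for sc in (SURGE_TANK, STORAGE_TANK):
        print(sc.name, summarize(sc))
```

Both diagrams give 0.00099/yr contained (row -4) and 1E-5/yr uncontrolled (row -5), matching the tables. Note that 1E-5 sits exactly on the page's tolerability threshold, so a literal reading of "tolerable if < 1E-5" does not yet declare it tolerable; whichever way the site's decision model resolves that boundary, it should be recorded explicitly rather than left to rounding.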
Barrier | Barrier Diagram | Generic Barrier | Barrier Type | PFD | Description | 1st ARAMIS Item, Manpower Planning and Availability | 2nd ARAMIS Item, Competence and Suitability | 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 4th ARAMIS Item, Communication and Coordination | 5th ARAMIS Item, Procedures, rules, and goals | 6th ARAMIS Item, Hard/software purchase, build, interface, install | 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 0th ARAMIS Item, Safety Culture | A Risk analysis and selection of safety barriers | B Learning and management of change | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | ||||||
Safety Instrumented Function | Hexane Surge Tank Overflow | 8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS) | 0.01 | Safety Instrumented Function (to be added) "Add SIF with PFD of 1E-2" | 0.43 | 1 | 0.17 | 1 | 0.1 | 1 | 0.05 | 1 | |||||||||||||
Dike | Hexane Surge Tank Overflow | 2 PERMANENT PASSIVE BARRIER | 0.01 | Dike (existing) (PFD from Table 6.3) Dike to be maintained as an Independent Protection Layer (IPL) | 0.43 | 1 | 0.17 | 1 | 0.05 | 1 | 0.1 | 1 | |||||||||||||
Dike | Hexane Storage Tank Overflow | 2 PERMANENT PASSIVE BARRIER | 0.01 | 0.43 | 1 | 0.17 | 1 | 0.05 | 1 | 0.1 | 1 | ||||||||||||||
SIF overfilling protection | Hexane Storage Tank Overflow | 8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS) | 0.01 | SIF (to be added) with PFD of 1 x 10^-2 | 0.43 | 1 | 0.17 | 1 | 0.1 | 1 | 0.05 | 1 | |||||||||||||
Level check | Hexane Storage Tank Overflow | 6 PREVENTIVE PROCEDURAL ACTION | 0.1 | Operator checks level before unloading. Existing safeguard; PFD from Table 6.5. Note: human action at PFD 0.1, since the BPCS level indication is part of this IPL ("Human response to BPCS indication or alarm with 40 minutes response time") | 0.29 | 1 | 0.36 | 1 | 0.2 | 1 | 0.25 | 1 | 0.18 | 1 | 0.08 | 0.75 | 0.1 | 1 | 0.05 | 1 |
Generic Barrier | Barrier Type | PFD | Description | 1st ARAMIS Item, Manpower Planning and Availability | 2nd ARAMIS Item, Competence and Suitability | 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 4th ARAMIS Item, Communication and Coordination | 5th ARAMIS Item, Procedures, rules, and goals | 6th ARAMIS Item, Hard/software purchase, build, interface, install | 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 0th ARAMIS Item, Safety Culture | A Risk analysis and selection of safety barriers | B Learning and management of change | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating |
Barrier Type | Description | 1st ARAMIS Item, Manpower Planning and Availability | 2nd ARAMIS Item, Competence and Suitability | 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 4th ARAMIS Item, Communication and Coordination | 5th ARAMIS Item, Procedures, rules, and goals | 6th ARAMIS Item, Hard/software purchase, build, interface, install | 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 0th ARAMIS Item, Safety Culture | A Risk analysis and selection of safety barriers | B Learning and management of change | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | ||
1 EXCESSIVELY CONSERVATIVE DESIGN AND MECHANICAL REDUNDANCY | DETECTION: Not relevant DIAGNOSE: Not relevant ACTION: Hardware: Resilience and redundancy withstanding physical forces DESCRIPTION "Excessively conservative" means that the relevant characteristics of equipment (e.g. wall thickness) are at least a factor of two more than what would be required using state-of-the-art or traditional standards for that process. Redundancy means that under normal conditions forces are transmitted through multiple independent paths and each path has the capacity to perform the desired function alone. Evaluation of redundancy must consider whether the redundant systems can be affected simultaneously by an accident or deviation (independence). Redundancy that requires an active switch to another system must be treated as an intervention (not permanent). EXAMPLES Over-dimensioned wall thickness, fitted with double steering cables or rods, fitted with double electrical connections. FAILURE MECHANISMS Material failure or installation errors, in particular following maintenance; slow degradation; process conditions that nevertheless exceed the material strength, in particular following changes in process conditions; simultaneous (common cause) failure of redundant systems. | 0.43 | 1 | 0.17 | 1 | 0.1 | 1 | 0.05 | 1 | ||||||||||||
2 PERMANENT PASSIVE BARRIER | DETECTION: Not relevant DIAGNOSE: Not relevant ACTION: Hardware: Strength or capacity to handle the deviation or threat. DESCRIPTION Passive Barriers are elements in a system that are constantly present (i.e. they do not need to be activated), and that are installed with the only reason to avoid or limit hazardous situations (i.e. the installation can in principle operate without those barriers). EXAMPLES: Tank bunds, dyke, fire protection, drainage sump, fence, lightning conductors, collision barrier, edge protection, hardware protection against body parts entering hazard zones. FAILURE MECHANISMS: Lacking strength or capacity, construction error, slow degradation, human error causing flaws (e.g. open rain-water drains in tank bunds), removed (e.g. protection) or not installed or not re-installed after maintenance. | 0.43 | 1 | 0.17 | 1 | 0.05 | 1 | 0.1 | 1 | ||||||||||||
3 PERMANENT BARRIER: ENERGIZED | DETECTION: Not relevant DIAGNOSE: Not relevant ACTION: Hardware: Capacity to perform the barrier function DESCRIPTION These barriers are constantly present, but need an energy source to work. If activation is required upon certain conditions, consider classification as temporary barrier. EXAMPLES Ventilation, active corrosion prevention, circulation of material, continuous inerting of systems, pilot flames, continuous addition of inhibitors. FAILURE MECHANISMS Not turned on/not activated, lacking capacity, lacking energy supply or material (gas) supply. | 0.13 | 1 | 0.43 | 1 | 0.17 | 1 | 0.05 | 1 | 0.1 | 1 | ||||||||||
4 TEMPORARY BARRIER (PASSIVE OR ENERGIZED) | DETECTION: The effect does not depend on the detection of a deviation, but the barrier needs to be present or working. DIAGNOSE: Not relevant ACTION: Hardware: Strength or capacity to handle the deviation or threat. DESCRIPTION Barriers temporarily put in place or temporarily used, depending on a temporary situation (such as maintenance or repair work) or within specific time spans or locations. Installation and use depend to a high degree on routines, procedures and rules. EXAMPLES Barriers around repair work, blind flanges over open pipes, spades in pipes, inhibitors in substances, personal protective equipment (PPE: e.g. hard hats, safety goggles, safety clothing, safety gloves), clothes and shoes to avoid static electricity, earthing of tanks during (un)loading. FAILURE MECHANISMS Not put in place, not donned (PPE), not appropriate for the hazard (chemicals, heat, pressure), wrongly mounted. | 0.29 | 1 | 0.18 | 1 | 0.13 | 1 | 0.09 | 1 | 0.22 | 1 | 0.08 | 1 | 0.04 | 0.75 | 0.03 | 1 | 0.03 | 1 | |
5 RESPECT SAFETY ZONES AND WARNINGS | DETECTION: Detection relates to warnings and signs, not to detection of deviations (a passive barrier as regards deviations). DIAGNOSE: Not relevant ACTION: Behaviour: To respect markings and warning signs: refrain from entering danger zones and refrain from manipulating marked parts of installations. DESCRIPTION Symbols, markings and warning signs (passive, i.e. not alarms) request that certain behaviour be performed or avoided. In general this implies refraining from certain actions (not touching, not operating, not entering, not smoking). Respecting danger zones prevents people from getting hurt when deviations occur (mitigating barrier); awareness of valves closing off dangerous substances may prevent erroneous operation. Note that the barrier consists of the behaviour itself, not the signalling. (Marking components such as valves in order to support correct operation is part of a management obligation to provide a sufficiently good human-machine interface and workplace, and should NOT be considered a safety barrier.) EXAMPLES Not entering danger zones (e.g. at cranes or robot stations, open containers, rotating machinery), refraining from operating valves, avoiding contact with hot parts, respecting smoking prohibitions, obeying speed limits. FAILURE MECHANISMS Not respecting signs and markings, lacking signs, unclear signs, and conflicts with work tasks. | 0.1 | 1 | 0.09 | 1 | 0.5 | 0 | 0.5 | 0 | 0.08 | 0.75 | 0.1 | 1 | 0.05 | 1 | ||||||
6 PREVENTIVE PROCEDURAL ACTION | DETECTION: Detection concerns attention to situations where the preventive action is required according to procedure; the deviation or threat itself is not detected. DIAGNOSE: Not relevant ACTION: Behaviour or hardware: To follow rules and procedures which apply to the situation at hand, or (activate) automated sequencing through steps in a process. DESCRIPTION The activity is performed as part of a procedure for some operation or step in a process in order to prevent dangerous situations, even when the dangerous situation is not necessarily present. There may be overlap with "Temporary barrier" (e.g. making a ground connection and leaving it in place during the (un)loading), but this barrier focuses on actions performed prior to the hazardous activity, i.e. detached in time. EXAMPLES Venting of closed spaces before entering, venting/emptying hoses before detachment, earthing tankers before (un)loading to prevent static electricity, inerting vessels or reactors before taking them into use. FAILURE MECHANISMS Not executing the action, incomplete or faulty execution. | 0.29 | 1 | 0.36 | 1 | 0.2 | 1 | 0.25 | 1 | 0.18 | 1 | 0.08 | 0.75 | 0.1 | 1 | 0.05 | 1 | ||||
7 HARDWARE INTERVENTION | DETECTION: Hardware DIAGNOSE: Hardware ACTION: Hardware DESCRIPTION Barriers that by means of direct mechanical-physical principles both detect the deviation and perform the necessary action. EXAMPLES Pressure relief valves, bursting disks, sprinkler heads, explosion relief hatches FAILURE MECHANISMS Insufficient capacity (too small, too slow), wrong set point, blocked (including piping towards the barrier), stuck. | 0.43 | 1 | 0.17 | 1 | 0.1 | 1 | 0.05 | 1 | ||||||||||||
8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS) | DETECTION: Hardware DIAGNOSE: Hardware/software ACTION: Hardware DESCRIPTION Automated intervention by a system of electrical/electronic/programmable electronic (E/E/PE) components that, on the basis of input from sensors, determines what intervention needs to be made and activates actuators (such as powered valves) to perform it. For an automated system to be considered an independent safety barrier (independent protection layer), the components that make up the automated system should not be part of the basic process control system (BPCS). EXAMPLES Emergency shutdown system (ESD), emergency blowdown system. FAILURE MECHANISMS Component failure, software failure, design failure, common cause failure. | 0.43 | 1 | 0.17 | 1 | 0.1 | 1 | 0.05 | 1 | ||||||||||||
9 HUMAN INTERVENTION FOLLOWING ALARM | DETECTION: Hardware/software DIAGNOSE: Behaviour according to clear procedures ("Skill & Rule based") ACTION: Behaviour according to clear procedures ("Skill & Rule based") (may include activation of powered components) DESCRIPTION Actions of operators in response to clear instrument signals or alarms. There are clear instructions describing the actions required in response to each of the alarms. The sensors, transmitters and actuators are part of the barrier system. For the alarm system to be considered an independent safety barrier (independent protection layer), the components that make up the alarm system should not be part of the basic process control system (BPCS). EXAMPLES Manual shutdown or adjustment, evacuation, calling the fire brigade on alarm, closing/opening the (correct) valve. FAILURE MECHANISMS Failure of sensors, transmitters or software, flaws in instructions, wrong intervention, operator not present. | 0.58 | 1 | 0.36 | 1 | 0.2 | 1 | 0.09 | 1 | 0.22 | 1 | 0.08 | 1 | 0.08 | 0.75 | 0.05 | 1 | 0.1 | 1 | ||
10 SITUATIONAL HUMAN INTERVENTION (PROCEDURAL) | DETECTION: Human observation and interpretation DIAGNOSE: Behaviour according to clear procedures ("Skill & Rule based") ACTION: Behaviour according to clear procedures ("Skill & Rule based") DESCRIPTION The hazardous situation is detected by human observation of (a combination of) factors in accordance with clear rules and procedures. There are no clear alarms; the hazardous situation must be derived from a combination of inputs. Instrument failure can be considered either part of the initiating deviation (a dangerous failure, in the sense that a deviation does not show up) or part of the barrier failure. Actions can be similar to "Human Intervention Following Alarm", but detection is by observing normal indicators (including measurement displays) BEFORE alarms (if any) are raised. This barrier also includes actions of supervisors supervising other operators' tasks. EXAMPLES Adjusting hardware set-points, aborting operations developing outside the safe area, starting alternative (back-up) capacity, redirecting flows (e.g. dump), warning others to act or evacuate, disconnecting tanks, hoses or pipes, avoiding escalation by protecting equipment with foam or fire-fighting water. FAILURE MECHANISMS Failure of instruments or software, flaws in instructions, lack of attention, wrong intervention. | 0.29 | 1 | 0.36 | 1 | 0.2 | 1 | 0.25 | 1 | 0.09 | 1 | 0.15 | 0.75 | 0.1 | 1 | 0.05 | 1 | ||||
11 KNOWLEDGE-BASED HUMAN INTERVENTION (AD HOC) | DETECTION: Human observation and interpretation. DIAGNOSE: Behaviour on the basis of knowledge and reasoning ("Knowledge based") ACTION: Behaviour DESCRIPTION Intervention that requires a continuous knowledge-based assessment of the situation (e.g. during a rescue operation) and/or requires detailed analysis in cases where no procedures or rules apply. This barrier type is provided for sake of completeness. Apart from use as a mitigating barrier (emergency response) at the far right-hand side of the diagram or bow-tie, prevention of foreseeable events should be dealt with by procedures, i.e. “Rule and Skill-based” barriers. EXAMPLES Fire-fighting, emergency response, to (re)gain control over a complex system (such as a nuclear reactor) and take it to a safe condition. FAILURE MECHANISMS Wrong assessment, inadequate intervention, intervention too late, too early. | 0.87 | 1 | 1 | 1 | 0.17 | 1 | 0.83 | 1 | 0.09 | 1 | 0.13 | 0.75 | 0.01 | 1 | 0.05 | 1 |
Barrier Element | PFD | Description | 1st ARAMIS Item, Manpower Planning and Availability | 2nd ARAMIS Item, Competence and Suitability | 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 4th ARAMIS Item, Communication and Coordination | 5th ARAMIS Item, Procedures, rules, and goals | 6th ARAMIS Item, Hard/software purchase, build, interface, install | 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 0th ARAMIS Item, Safety Culture | A Risk analysis and selection of safety barriers | B Learning and management of change | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating |
Gate | Barrier Diagram | Gate Type | Description |
---|---|---|---|
Condition | Condition Type | Freq. or Prob. | Unit | Description | Severity |
---|---|---|---|---|---|
Uncontrolled Hexane release | Consequence | 1E-5 | Expected Frequency of Occurrence per Year | Release of hexane (1 000 - 10 000 lb) outside the dike due to tank overflow and failure of the dike. Severity Category 4 (Method 1, Table 3.1). Risk Tolerance Criteria (Category or Frequency): Action Required if frequency > 1E-3; Tolerable if frequency < 1E-5 | Category 4 |
Loop failure of BPCS LIC | Initial Event | 0.1 | Expected Frequency of Occurrence per Year | Loop failure of BPCS LIC PFD from Table 5.1 | |
Hexane surge tank overflow | Intermediate Event | 0.001 | Expected Frequency of Occurrence per Year | Hexane surge tank overflow | |
Spill contained by dike | Consequence | 0.00099 | Expected Frequency of Occurrence per Year | Tank overflow and spill of hexane into the dike. In Method 1 a spill into the tank dike, with little potential for ignition and resulting damage or lost production, is not a consequence of interest. Risk Tolerance Criteria (Method 1): Action required: N/A; Tolerable: N/A | Consequences of No Interest |
Uncontrolled Release of Hexane/Overfilling | Consequence | 1E-5 | Expected Frequency of Occurrence per Year | Release of Hexane (1 000 - 10 000 lbs) outside the dike due to tank overflow and failure of dike | Category 4 |
Hexane Tank Overflow - contained by dike | Consequence | 0.00099 | Expected Frequency of Occurrence per Year | Tank overflow and spill of hexane into dike. In this method a spill into the tank dike, with little potential for ignition and resulting damage or lost production, is not a consequence of interest. | Consequences of No Interest |
Storage Tank Overflow | Intermediate Event | 0.001 | Expected Frequency of Occurrence per Year | ||
Tank Filling Continues | Intermediate Event | 0.1 | Expected Frequency of Occurrence per Year | Tank filling operation continues while there is insufficient space in the storage tank | |
Unloading of truck while storage tank not empty | Initial Event | 1 | Expected Frequency of Occurrence per Year | Arrival of a tank truck with insufficient room in the (storage) tank due to failure of the inventory control system. Frequency based upon plant data | |
Measure | Description | Applies to: Barriers | Applies to: Initial Conditions | Management Issue |
---|---|---|---|---|
Management Issue | Performance | Description |
---|---|---|
1st ARAMIS Item, Manpower Planning and Availability | 1 | Manpower Planning covers allocating the necessary time (or numbers) of competent people to the tasks that have to be carried out, at the moment (or within the time frame) when they should be carried out. It also covers the process of planning and allocation of tasks over time, including coverage for: holidays, sick leave, peak loads, ensuring breaks and rest pauses, and limiting overtime and fatigue. Personnel Availability ensures that personnel are available for all relevant tasks in relation to the functioning and management of barriers (operations, maintenance, emergency), including: operating personnel, maintenance personnel, inspection & testing incl. general plant walk-rounds, supervision, and back-up & emergency crews. |
2nd ARAMIS Item, Competence and Suitability | 1 | Competence covers the knowledge, skills, and abilities of first-line and/or back-up personnel for the safe execution of safety-critical tasks related to barrier functioning or management. Competence covers the cognitive aspects of behaviour, which can be learned through training, experience and practice. They include: Job content/safety, e.g.: Plant & process knowledge: - Operating procedures, critical tasks, action alternatives, skills - Boundary of safety operations - Hazards, safety consequences of actions, safety priorities - Safety responsibility/task boundaries Inspection & testing procedures: - Fault diagnosis & response - Emergency procedures - Maintenance diagnosis - Safe isolation and recommissioning - Equipment dismantling, repair, testing & reassembly Other skills: - Communications - Team work - Supervision/management - Issuing instructions Suitability covers physical attributes that are usually more permanent characteristics of an individual, though some can be modified or compensated for over the longer term. They include: Size, strength, dexterity, Physical condition, health, Visual acuity, colour blindness, and Hearing. |
3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 1 | Commitment and conflict resolution are concerned with: - Information, training and discussion on what is important and has priority - Rapid confrontation and correction of deviations from the desired working method, state or condition - High (publicity) profile and reward for achievements on safety - Appraisal schemes with explicit attention to safety performance - Recurrent active attention to safety in meetings, discussions and actions - Procedure violations - Keeping to the prescribed operating envelope - Safety and production/time pressures e.g. production pressures reducing scheduled maintenance/inspection, operations which come under time pressure for implementation, reluctance to declare emergencies or shutdown plant because of loss of production - Safety critical maintenance priority over production - Balancing production targets, resource availability/costs and inspection and maintenance requirements via e.g. time schedules and budget setting - Safety budget (increased/decreased) |
4th ARAMIS Item, Communication and Coordination | 1 | The communication and coordination concerns itself with: - Communication channels (phone, radio, minutes, reports, etc.) - Coordination methods (e.g. meetings, supervision) - Communication between: Different persons engaged on one task as team or working in sequence, and Shifts at changeover - Communication about: Work content Barrier/plant status Job instructions Priorities Who does what, where and when Need for action or (back-up) personnel and equipment - Communication systems for sharing operation/maintenance hazard concerns and experience |
5th ARAMIS Item, Procedures, rules, and goals | 1 | The procedures, rules and goals delivery system is occupied with identifying tasks that need (detailed) written rules and procedures, and subsequently providing and promulgating these. This system also delivers output goals for tasks that do not need a detailed procedure. Procedures and rules are specific performance criteria, which specify in detail, usually in written form, a formalised 'normative' behaviour or method for carrying out an activity (checklist, task list, action steps, plan, instruction manual, fault-finding heuristic, form to be completed, etc.). Output goals are performance measures for an activity, which specify what the result of the activity should be, but not how the results should be achieved. They are objectives, goals or outputs. The procedures, rules and goals delivery system concerns itself with: Coverage (i.e. all safety situations), Accuracy, Readability/usability, Size/complexity/overload or rule sets, Clarity/ambiguity, Up-to-date, Indicating priorities. |
6th ARAMIS Item, Hard/software purchase, build, interface, install | 1 | Management of barrier (and spares) purchase, construction, installation and adjustment deals with the management process for ensuring that the hardware/ software barriers and barrier elements in agreement with specifications are acquired, either by purchase from outside, or by construction on site, are put in place and adjusted and that the spare parts or replacements purchased and stored for the maintenance phase of their life cycle are the correct ones and are in good condition when used. The process should pay explicit attention to the human factors aspects of the interface between barrier elements and their users in the case of mixed barriers. |
7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 1 | Management of inspection, maintenance and replacement deals with the management processes for ensuring that the specified hardware/software barriers and barrier elements are kept in an effective state. It covers all hardware and software which has a function within any barrier designed to fulfill a safety function in the plant. It forms the part of the life cycle of these barrier elements from the point where they have been installed and adjusted and are ready for use. It covers all the activities which monitor the working of the barriers, detect the (chance of) deviation from the designed working and identify the need for work to be done to restore the functioning or replace the barrier (elements) with new ones. This process also manages small modifications which are carried out at the same time as, and under the same management as the maintenance activities. Where the modifications are of a more major type, which are (or should be) dealt with by a change management process, these are covered by the protocol on learning and change. |
0th ARAMIS Item, Safety Culture | 0.75 | Safety culture can be assessed by questionnaire surveys of the personnel. Safety culture addresses the following issues: Learning and willingness to report: the employees' willingness / reluctance to report accidents and incidents, their perception of feedback from reporting and dissemination of lessons learned. Safety prioritisation, rules and compliance covering use of and familiarity with rules and instructions; the prioritisation of safety versus productivity and ease of work; the extent to which and the circumstances under which safety procedures may be violated Leadership involvement and commitment concerns both the avowed involvement and commitment of management and supervisors and team leaders as well as employee perception of their commitment and involvement Risk and human performance limitation perception concerns management and employee awareness of hazards, risks and human error potentials (fatigue, automation etc.) relevant to their work. Felt responsibility concerns the employee's perception of who is responsible for safety at work including felt ownership of responsibility Trust and fairness involves management's trust in employees and, crucially, employees' trust in top management and their immediate leaders and employee perception of fairness in the workplace Work team atmosphere and support comprises employees' perception of teamwork and the 'spirit' in their respective teams; the extent to which the team gives its members support and help; and the extent to which respondents are willing to speak up and warn each other of dangers. Motivation, influence and involvement comprises (i) work as meaningful; (ii) own influence on work planning and execution; (iii) motivation and involvement; and (iv) feeling informed and finding work predictable |
A Risk analysis and selection of safety barriers | 1 | This issue covers the process of risk assessment and selection of the barriers. Definitions and coverage: Barrier functions and elements - The process emphasises that barrier functions should first be defined (prevent, protect, mitigate), followed by a choice between all possible principles and forms of barrier which could fulfil that function. Most barrier forms chosen will be combinations of hardware and software elements with behavioural elements. Some barriers may be pure hardware, either passive, in which case it requires no activation after its installation (temporarily or permanently), or with active elements, which require adjustment and activation. A number of barriers may be purely dependent on behaviour, such as evacuation, or skilled dismantling of equipment. The elements out of which the complete barriers are constructed must consist (except in the case of passive barriers) of elements which perform the functions of detection or diagnosis of the need to respond, activation of the barrier and its response. Either hardware or behaviour elements can fulfil each of the functions and these can be combined in many different ways. The company must make its choices out of these combinations. Coverage - The process should cover all accident scenarios which the company wishes to control, or wishes to demonstrate to regulators that it has controlled. The steps follow the normal processes of risk assessment, but emphasise more clearly the selection and specification of barriers to control the hazards. They also emphasise that barrier selection should take account of the whole life cycle of the barrier and its elements in deciding what is likely to be the most effective choice to make. |
B Learning and management of change | 1 | This issue deals with the management processes designed to achieve continuous improvement and adaptation of barrier performance to current best practice and to the current state of the risks in the organisation. Definitions and coverage: Learning - Learning is defined as the collection of information about the performance of a barrier (element) or of a management process relating to barrier performance, the analysis of the performance data, its comparison with desired performance and/or good practice, the drawing of conclusions about the improvements and changes required to bring about better performance, and the implementation of those changes throughout the organisation. Learning should be triggered both by deviations from expected or desired performance within the organisation and by comparisons with good practice outside it. Change management - Change management is designed to ensure that any changes to the technical, human or organisational aspects of the design, layout, functioning, control or management of the organisation are reflected in changes to the barriers provided to control risk and/or changes to the appropriate part of the life cycle or management processes which ensure the functioning of the barriers. This requires that the organisation specify and identify what will be considered ‘significant changes’ requiring assessment. Incident, accident and failure - Incident: any deviation from expected or desired operation or performance which, if uncorrected, would lead to damage, injury or other undesired outcome, and which is defined as relevant to be recorded for the purposes of learning. Accident: any deviation from expected or desired operation or performance which leads to actual damage, injury or other undesired outcome. Failure: any deviation of a barrier (element) or of a management process relevant to barrier performance which results in a partial or complete loss of function of that barrier (element) or management process. Coverage - The learning and change control system covers the performance of all barriers and their elements, whether they are achieved by hardware, software or behaviour. |
Diagram Name | Number of: Barriers | Number of: Gates | Number of: Event Tree Branches | Description |
---|---|---|---|---|
Hexane Surge Tank Overflow | 2 | 0 | 0 | Continuing Example 1a and 1b Hexane Surge Tank Overflow. Risk Matrix Categorization (Method 1/Chapter 3 and 8). |
Hexane Storage Tank Overflow | 3 | 0 | 0 | Continuing Example 2a and 2b Hexane Storage Tank Overflow. Risk matrix method with categories (Method 1 of Chapter 3 and 8). Notes: Safeguards (non-IPL): BPCS level control and alarm is not an IPL because it is part of the BPCS system already credited in the IPL (Level Check: Level Indicator read by operator). |
Event Tree Branch Name | Diagram Name | Number of: Event Tree Branches | Event Tree Branches & Probability | Description |
---|---|---|---|---|