SafetyBarrier Viewer: LOPA_Continuing_Example_Method3.sbmx

[Diagram image: Hexane Surge Tank Overflow]

[Diagram image: Hexane Storage Tank Overflow]

[Diagram image: Combined Fatality Risk of Scenarios]

[Diagram image: Combined Fire Risk of Scenarios]

Project

NAME: LOPA_Continuing_Example_Method3.sbmx
DESCRIPTION
This project implements the continuing example as described in Appendix 1 of the CCPS book: Layer of Protection Analysis - Simplified Process Risk Assessment, AIChE, 2001, ISBN 0-8169-0811-7
The consequence assessment method is "Method 3", "Qualitative Estimates with Human Harm with Adjustments for Postrelease Probabilities" as described in section 3.3 and Table 3.2, with the endpoint impact on humans.
Table 3.2 is the basis for the risk matrix, together with the information from the LOPA tables (Appendix A, Tables A5 to A8) on the acceptance criterion for "Fatal Injury" (1E-5 per year). Lower frequencies are colored yellow, and frequencies two decades below the criterion green (broadly acceptable). For the lesser consequence classes, acceptance criteria a factor 10 more frequent have been assumed.
Links to the respective LOPA sheets are included in the descriptions of the consequences in the first two diagrams (click on the consequence, expand Description, and click the hyperlink).
Note that the individual scenarios fulfill the acceptance criterion, but the combinations do not, neither for fatal injury risk nor for serious fire. This is a drawback of the use of risk matrices on single scenarios and of aggregating the risk results; see: N.J. Duijm, Recommendations on the use and design of risk matrices, Safety Science 76 (2015) 21–31.
The project is based on the template "Standard Template_EN_colored barrier types.sbmt"


Intermediate Event

NAME: Uncontrolled Hexane release
Expected Frequency of Occurrence per Year: 1E-5
DESCRIPTION

Initial Event

NAME: Loop failure of BPCS LIC
Expected Frequency of Occurrence per Year: 0.1
DESCRIPTION

Intermediate Event

NAME: Hexane surge tank overflow
Expected Frequency of Occurrence per Year: 0.001
DESCRIPTION

Intermediate Event

NAME: Spill contained by dike
Expected Frequency of Occurrence per Year: 0.00099
DESCRIPTION

Intermediate Event

NAME: Uncontrolled Release of Hexane/Overfilling
Expected Frequency of Occurrence per Year: 1E-5
DESCRIPTION

Intermediate Event

NAME: Hexane Tank Overflow - contained by dike
Expected Frequency of Occurrence per Year: 0.00099
DESCRIPTION

Intermediate Event

NAME: Storage Tank Overflow
Expected Frequency of Occurrence per Year: 0.001

Intermediate Event

NAME: Tank Filling Continues
Expected Frequency of Occurrence per Year: 0.1
DESCRIPTION

Initial Event

NAME: Unloading of truck while storage tank not empty
Expected Frequency of Occurrence per Year: 1
DESCRIPTION

Intermediate Event

NAME: Fire (Unbounded)
Expected Frequency of Occurrence per Year: 1E-5
DESCRIPTION

Intermediate Event

NAME: Fire (Contained)
Expected Frequency of Occurrence per Year: 9.9E-5
DESCRIPTION

Intermediate Event

NAME: Personnel Exposed
Expected Frequency of Occurrence per Year: 1.49E-5

Consequence

NAME: Fatal Injury/Loop Failure
Expected Frequency of Occurrence per Year: 7.45E-6
DESCRIPTION

Intermediate Event

NAME: Fire (Contained)/Overfilling
Expected Frequency of Occurrence per Year: 9.9E-5
DESCRIPTION

Intermediate Event

NAME: Fire (Unbounded)/Overfilling
Expected Frequency of Occurrence per Year: 1E-5
DESCRIPTION

Intermediate Event

NAME: Personnel Exposed/Overfilling
Expected Frequency of Occurrence per Year: 1.49E-5

Consequence

NAME: Fatal Injury/Overfilling
Expected Frequency of Occurrence per Year: 7.45E-6
DESCRIPTION

Consequence

NAME: Fatal Injury
Expected Frequency of Occurrence per Year: 1.49E-5
DESCRIPTION

Consequence

NAME: Serious Fire
Expected Frequency of Occurrence per Year: 0.000218
DESCRIPTION

Barrier Diagram

NAME: Hexane Surge Tank Overflow
DESCRIPTION
Continuing Example 1a and 1b Hexane Surge Tank Overflow
The consequence assessment method is "Method 3", "Qualitative Estimates with Human Harm with Adjustments for Postrelease Probabilities" as described in section 3.3
Note that the expected frequency of "Spill contained by dike", and thus also of the following events, deviates from the assessment in Appendix A, Table A6. Table A6 applies 0.001 by ignoring the possibility that the dike fails, which leads to the alternative (lower) branch in the diagram: the sum of the frequencies via the upper and lower branch is the expected frequency of "Hexane surge tank overflow".

Barrier

NAME: Safety Instrumented Function
Probability of Failure on Demand (PFD): 0.01
DESCRIPTION

BARRIER TYPE: 8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS)
BARRIER TYPE DESCRIPTION

Barrier

NAME: Dike
Probability of Failure on Demand (PFD): 0.01
DESCRIPTION

BARRIER TYPE: 2 PERMANENT PASSIVE BARRIER
BARRIER TYPE DESCRIPTION

Event Tree Branch

NAME: Ignition (Contained spill)
DESCRIPTION

Event Tree Branch

NAME: Ignition (Uncontrolled spill)
DESCRIPTION

Event Tree Branch

NAME: Personnel Exposed (Contained Fire)
DESCRIPTION

Event Tree Branch

NAME: Personnel Exposed (Uncontrolled Fire)
DESCRIPTION

Event Tree Branch

NAME: Fatal Injury
DESCRIPTION

Barrier Diagram

NAME: Hexane Storage Tank Overflow
DESCRIPTION
Continuing Example 2a and 2b Hexane Storage Tank Overflow
The consequence assessment method is "Method 3", "Qualitative Estimates with Human Harm with Adjustments for Postrelease Probabilities" as described in section 3.3
Note that the expected frequency of "Hexane Tank Overflow - contained by dike", and thus also of the following events, deviates from the assessment in Appendix A, Table A8. Table A8 applies 0.001 by ignoring the possibility that the dike fails, which leads to the alternative (lower) branch in the diagram: the sum of the frequencies via the upper and lower branch is the expected frequency of "Storage Tank Overflow".

Notes: Safeguards (non-IPL):
BPCS level control and alarm is not an IPL because it is part of the BPCS system already credited in the IPL "Level check" (level indicator read by operator).

Barrier

NAME: Dike
Probability of Failure on Demand (PFD): 0.01

BARRIER TYPE: 2 PERMANENT PASSIVE BARRIER
BARRIER TYPE DESCRIPTION

Barrier

NAME: SIF overfilling protection
Probability of Failure on Demand (PFD): 0.01
DESCRIPTION

BARRIER TYPE: 8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS)
BARRIER TYPE DESCRIPTION

Barrier

NAME: Level check
Probability of Failure on Demand (PFD): 0.1
DESCRIPTION

BARRIER TYPE: 6 PREVENTIVE PROCEDURAL ACTION
BARRIER TYPE DESCRIPTION

Event Tree Branch

NAME: Personnel Exposed (Uncontrolled Fire)
DESCRIPTION

Event Tree Branch

NAME: Ignition (Uncontrolled spill)
DESCRIPTION

Event Tree Branch

NAME: Fatal Injury
DESCRIPTION

Event Tree Branch

NAME: Personnel Exposed (Contained Fire)
DESCRIPTION

Event Tree Branch

NAME: Ignition (Contained spill)
DESCRIPTION

Barrier Diagram

NAME: Combined Fatality Risk of Scenarios
DESCRIPTION
The outputs of different scenarios can be combined.
In this project the total risk has been summed over the scenarios explicitly.
Both included scenarios have "Fatal Injury" as the consequence of interest, viz. "Fatal Injury/Loop Failure" and "Fatal Injury/Overfilling".
These outcomes are combined in this diagram.
Alternatively, the same condition "Fatal Injury" (without distinguishing the scenarios) could have been used in both scenarios. The quantitative assessment would then still be correct for all scenarios leading to "Fatal Injury", but the result could not be explained from a single scenario.
Hence the separate, explicit method in this project.

OR Gate

NAME: RiskCombination

Barrier Diagram

NAME: Combined Fire Risk of Scenarios
DESCRIPTION
The outputs of different scenarios can be combined.
In this project the total risk has been summed over the scenarios explicitly.
Both included scenarios have "Fire" as the consequence of interest (modelled in this project as an Intermediate Event).
These events are combined in this diagram.
Alternatively, the same conditions "Fire (uncontrolled)" and "Fire (contained)" (without distinguishing the scenarios) could have been used in both scenarios, provided the treatment of exposure and fatality is the same (as it is in this case). The quantitative assessment would then still be correct for all scenarios leading to "Fire", but the result could not be explained from a single scenario.
Hence the separate, explicit method in this project.
In order to create this diagram, the combination has to be done during development of the diagrams, while the "Fire" events are still the consequences (rightmost events) of their diagram: only then are the events accessible to gates in other diagrams, see the help file topic "links to conditions".
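The frequency propagation through the IPLs and event trees of the two barrier diagrams, the OR-gate summation described here, and the single-scenario versus combined check from the project description, worked through in Python as an added example (not code from the SafetyBarrier Manager project). Initiating frequencies, PFDs and acceptance criteria are the page's; the event-tree branch probabilities for ignition, exposure and fatality are not stated on the page and are assumed values chosen so the propagated frequencies reproduce the ones the page reports.

```python
"""LOPA frequency propagation and OR-gate aggregation for the two hexane
overflow scenarios on this page. Added example, not code from the
SafetyBarrier Manager project. Page values: initiating frequencies, IPL PFDs,
the dike split and the acceptance criteria. ASSUMED values: the event-tree
branch probabilities in BRANCH (the page does not state them; they are chosen
so the propagated frequencies match the frequencies the page reports)."""
from dataclasses import dataclass
from math import floor, log10

# Acceptance criteria from the project description: Fatal Injury 1E-5 per
# year, and a factor 10 more frequent for the lesser consequence class.
CRITERIA = {
    "Very High Consequences (Fatality/Permanent Disability)": 1e-5,
    "High Consequences (Major Injury)": 1e-4,
}

# ASSUMED event-tree branch probabilities (not on the page; see docstring).
BRANCH = {
    "ignition_contained": 0.1,     # Ignition (Contained spill)
    "ignition_uncontrolled": 1.0,  # Ignition (Uncontrolled spill)
    "exposed_contained": 0.1,      # Personnel Exposed (Contained Fire)
    "exposed_uncontrolled": 0.5,   # Personnel Exposed (Uncontrolled Fire)
    "fatal": 0.5,                  # Fatal Injury
}


@dataclass
class Scenario:
    name: str
    initiating_freq: float  # expected frequency of the initiating event, per year
    ipl_pfds: list          # PFDs of the preventive IPLs; all must fail for overflow
    dike_pfd: float         # PFD of the dike; its failure is the upper branch

    def propagate(self) -> dict:
        """Carry the initiating frequency through the IPLs and the event tree."""
        overflow = self.initiating_freq
        for pfd in self.ipl_pfds:
            overflow *= pfd  # a demand passes an IPL only when that IPL fails
        uncontrolled = overflow * self.dike_pfd       # dike fails
        contained = overflow * (1.0 - self.dike_pfd)  # dike holds (lower branch)
        fire_contained = contained * BRANCH["ignition_contained"]
        fire_unbounded = uncontrolled * BRANCH["ignition_uncontrolled"]
        exposed = (fire_contained * BRANCH["exposed_contained"]
                   + fire_unbounded * BRANCH["exposed_uncontrolled"])
        return {"overflow": overflow, "uncontrolled": uncontrolled,
                "contained": contained, "fire_contained": fire_contained,
                "fire_unbounded": fire_unbounded, "exposed": exposed,
                "fatal": exposed * BRANCH["fatal"]}


# The page's two scenarios, with initiating frequencies and IPL PFDs as given.
SURGE_TANK = Scenario("Hexane Surge Tank Overflow", 0.1, [0.01], 0.01)
STORAGE_TANK = Scenario("Hexane Storage Tank Overflow", 1.0, [0.1, 0.01], 0.01)


def or_gate(*freqs: float) -> float:
    """Combine outcomes the way the page's OR gates do: by summing frequencies."""
    return sum(freqs)


def matrix_row(freq: float) -> int:
    """Decade row of the page's risk matrix; row -5 holds 1E-5 <= f < 1E-4."""
    return floor(log10(freq))


def tolerability(freq: float, criterion: float) -> str:
    """Colour rule from the project description: at or above the criterion is
    not tolerable (red), below it tolerable (yellow), two decades below the
    criterion broadly acceptable (green)."""
    if freq >= criterion:
        return "not tolerable"
    if freq >= criterion / 100.0:
        return "tolerable"
    return "broadly acceptable"


def assess(scenarios=(SURGE_TANK, STORAGE_TANK)) -> dict:
    """Rate each scenario on its own, then the OR-gate combinations, against
    the same single-scenario criteria the page applies."""
    fatal_crit = CRITERIA["Very High Consequences (Fatality/Permanent Disability)"]
    fire_crit = CRITERIA["High Consequences (Major Injury)"]
    report, fatal_freqs, fire_freqs = {}, [], []
    for s in scenarios:
        r = s.propagate()
        report[s.name] = {
            "fatal": r["fatal"],
            "fatal_rating": tolerability(r["fatal"], fatal_crit),
            "fire_contained_rating": tolerability(r["fire_contained"], fire_crit),
            "fire_unbounded_rating": tolerability(r["fire_unbounded"], fire_crit),
        }
        fatal_freqs.append(r["fatal"])
        fire_freqs += [r["fire_contained"], r["fire_unbounded"]]
    for name, freqs, crit in (("Fatal Injury", fatal_freqs, fatal_crit),
                              ("Serious Fire", fire_freqs, fire_crit)):
        f = or_gate(*freqs)
        report[name] = {"freq": f, "row": matrix_row(f),
                        "rating": tolerability(f, crit)}
    return report
```

Each scenario on its own rates "tolerable" while both OR-gate combinations rate "not tolerable", which is the aggregation effect the project description points out.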

OR Gate

NAME: CombinedFireRisk

Consequences

Barrier Diagram | Consequence | Prob./Expected Freq. | Unit | Severity
Hexane Surge Tank Overflow | Fatal Injury/Loop Failure | 7.45E-6 | Expected Frequency of Occurrence per Year | Very High Consequences (Fatality/Permanent Disability)
Hexane Storage Tank Overflow | Fatal Injury/Overfilling | 7.45E-6 | Expected Frequency of Occurrence per Year | Very High Consequences (Fatality/Permanent Disability)
Combined Fatality Risk of Scenarios | Fatal Injury | 1.49E-5 | Expected Frequency of Occurrence per Year | Very High Consequences (Fatality/Permanent Disability)
Combined Fire Risk of Scenarios | Serious Fire | 0.000218 | Expected Frequency of Occurrence per Year | High Consequences (Major Injury)

Critical Events

Barrier Diagram | Critical Event | Prob./Expected Freq. | Unit
(no entries)

Risk Matrix

Decade | Expected Frequency of Occurrence per Year | Low Consequences (No LTI) | Medium Consequences (Single Minor Injury) | High Consequences (Major Injury) | Very High Consequences (Fatality/Permanent Disability)
-1 | More likely than: 0.1 | | | |
-2 | Less likely than: 0.1 | | | |
-3 | Less likely than: 0.01 | | | |
-4 | Less likely than: 0.001 | | | Serious Fire |
-5 | Less likely than: 0.0001 | | | | Fatal Injury
-6 | Less likely than: 1E-5 | | | | Fatal Injury/Loop Failure; Fatal Injury/Overfilling
-7 | Less likely than: 1E-6 | | | |

Barriers

Columns of the exported barrier table: Barrier, Barrier Diagram, Generic Barrier, Barrier Type, PFD, Description, and for each of the ten management items (1st ARAMIS Item, Manpower Planning and Availability; 2nd ARAMIS Item, Competence and Suitability; 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution; 4th ARAMIS Item, Communication and Coordination; 5th ARAMIS Item, Procedures, rules, and goals; 6th ARAMIS Item, Hard/software purchase, build, interface, install; 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement; 0th ARAMIS Item, Safety Culture; A Risk analysis and selection of safety barriers; B Learning and management of change) a Weight and a Rating. The Weight/Rating pairs are given below as exported, in that item order, with cells left blank where an item does not apply.

Barrier: Safety Instrumented Function
Barrier Diagram: Hexane Surge Tank Overflow
BARRIER TYPE: 8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS)
Probability of Failure on Demand (PFD): 0.01
DESCRIPTION
Safety Instrumented Function (to be added): "Add SIF with PFD of 1E-2"
ARAMIS WEIGHT/RATING PAIRS
                    0.43 1 0.17 1     0.1 1 0.05 1

Barrier: Dike
Barrier Diagram: Hexane Surge Tank Overflow
BARRIER TYPE: 2 PERMANENT PASSIVE BARRIER
Probability of Failure on Demand (PFD): 0.01
DESCRIPTION
Dike (existing) (PFD from Table 6.3). Dike to be maintained as an Independent Protection Layer (IPL).
ARAMIS WEIGHT/RATING PAIRS
                    0.43 1 0.17 1     0.05 1 0.1 1

Barrier: Dike
Barrier Diagram: Hexane Storage Tank Overflow
BARRIER TYPE: 2 PERMANENT PASSIVE BARRIER
Probability of Failure on Demand (PFD): 0.01
ARAMIS WEIGHT/RATING PAIRS
                    0.43 1 0.17 1     0.05 1 0.1 1

Barrier: SIF overfilling protection
Barrier Diagram: Hexane Storage Tank Overflow
BARRIER TYPE: 8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS)
Probability of Failure on Demand (PFD): 0.01
DESCRIPTION
SIF (to be added) with PFD of 1 x 10^-2
ARAMIS WEIGHT/RATING PAIRS
                    0.43 1 0.17 1     0.1 1 0.05 1

Barrier: Level check
Barrier Diagram: Hexane Storage Tank Overflow
BARRIER TYPE: 6 PREVENTIVE PROCEDURAL ACTION
Probability of Failure on Demand (PFD): 0.1
DESCRIPTION
Operator checks level before unloading. Existing safeguard; PFD from Table 6.5. Note: human action at PFD 0.1 since the BPCS level indication is part of this IPL ("Human response to BPCS indication or alarm with 40 minutes response time").
ARAMIS WEIGHT/RATING PAIRS
0.29 1 0.36 1 0.2 1 0.25 1 0.18 1         0.08 0.75 0.1 1 0.05 1

Generic Barriers

Generic Barrier | Barrier Type | PFD | Description | Weight and Rating for each ARAMIS item (1st to 7th, 0th, A, B)
(no entries)

Barrier Types

Each barrier type lists its detection, diagnosis and action elements, a description, examples and failure mechanisms, followed by the Weight/Rating pairs as exported, in the order 1st ARAMIS Item, Manpower Planning and Availability; 2nd ARAMIS Item, Competence and Suitability; 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution; 4th ARAMIS Item, Communication and Coordination; 5th ARAMIS Item, Procedures, rules, and goals; 6th ARAMIS Item, Hard/software purchase, build, interface, install; 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement; 0th ARAMIS Item, Safety Culture; A Risk analysis and selection of safety barriers; B Learning and management of change, with cells left blank where an item does not apply.

BARRIER TYPE: 1 EXCESSIVELY CONSERVATIVE DESIGN AND MECHANICAL REDUNDANCY
DETECTION: Not relevant
DIAGNOSE: Not relevant
ACTION: Hardware: Resilience and redundancy withstanding physical forces
DESCRIPTION
"Excessively conservative" means that the relevant characteristics of equipment (e.g. wall thickness) are at least a factor two more than what would be required using state-of-the-art or traditional standards used for that process. Redundancy means that under normal conditions forces are transmitted through multiple independent paths and each path has the capacity to perform the desired function alone. Evaluation of redundancy must consider whether the redundant systems can be affected simultaneously by an accident or deviation (independence). Redundancy that requires an active shift to another system must be perceived as an intervention (not permanent).
EXAMPLES
Over-dimensioned wall thickness, fitted with double steering cables or rods, fitted with double electrical connections.
FAILURE MECHANISMS
Material failure or installation errors, in particular following maintenance; slow degradation; process conditions that nevertheless exceed the material strength, in particular following changes in process conditions; simultaneous (common cause) failure of redundant systems.
ARAMIS WEIGHT/RATING PAIRS
                    0.43 1 0.17 1     0.1 1 0.05 1

BARRIER TYPE: 2 PERMANENT PASSIVE BARRIER
DETECTION: Not relevant
DIAGNOSE: Not relevant
ACTION: Hardware: Strength or capacity to handle the deviation or threat.
DESCRIPTION
Passive barriers are elements in a system that are constantly present (i.e. they do not need to be activated), and that are installed with the only reason to avoid or limit hazardous situations (i.e. the installation can in principle operate without those barriers).
EXAMPLES
Tank bunds, dyke, fire protection, drainage sump, fence, lightning conductors, collision barrier, edge protection, hardware protection against body parts entering hazard zones.
FAILURE MECHANISMS
Lacking strength or capacity, construction error, slow degradation, human error causing flaws (e.g. open rain-water drains in tank bunds), removed (e.g. protection) or not installed or not re-installed after maintenance.
ARAMIS WEIGHT/RATING PAIRS
                    0.43 1 0.17 1     0.05 1 0.1 1

BARRIER TYPE: 3 PERMANENT BARRIER: ENERGIZED
DETECTION: Not relevant
DIAGNOSE: Not relevant
ACTION: Hardware: Capacity to perform the barrier function
DESCRIPTION
These barriers are constantly present, but need an energy source to work. If activation is required upon certain conditions, consider classification as a temporary barrier.
EXAMPLES
Ventilation, active corrosion prevention, circulation of material, continuous inerting of systems, pilot flames, continuous addition of inhibitors.
FAILURE MECHANISMS
Not turned on/not activated, lacking capacity, lacking energy supply or material (gas) supply.
ARAMIS WEIGHT/RATING PAIRS
            0.13 1 0.43 1 0.17 1         0.05 1 0.1 1

BARRIER TYPE: 4 TEMPORARY BARRIER (PASSIVE OR ENERGIZED)
DETECTION: The effect does not depend on the detection of a deviation, but the barrier needs to be present or working.
DIAGNOSE: Not relevant
ACTION: Hardware: Strength or capacity to handle the deviation or threat.
DESCRIPTION
Barriers temporarily put in place or temporarily used, depending on a temporary situation (such as maintenance or repair works) or within specific time spans or locations. Installation and use depend to a high degree on routines, procedures and rules.
EXAMPLES
Barriers around repair work, blind flanges over open pipes, spades in pipes, inhibitors in substances, personal protection equipment (PPE: e.g. hard hats, safety goggles, safety clothing, safety gloves), clothes and shoes to avoid static electricity, earthing of tanks during (un)loading.
FAILURE MECHANISMS
Not put in place, not donned (PPE), not appropriate for the hazard (chemicals, heat, pressure), wrongly mounted.
ARAMIS WEIGHT/RATING PAIRS
0.29 1 0.18 1     0.13 1 0.09 1 0.22 1 0.08 1 0.04 0.75 0.03 1 0.03 1

BARRIER TYPE: 5 RESPECT SAFETY ZONES AND WARNINGS
DETECTION: Detection relates to warnings and signs, not to detection of deviations (passive barrier as regards deviations).
DIAGNOSE: Not relevant
ACTION: Behaviour: To respect markings and warning signs: refrain from entering danger zones and refrain from manipulating marked parts of installations.
DESCRIPTION
Symbols, markings and warning signs (passive, i.e. not alarms) request to perform or refrain from certain behaviour. This in general implies refraining from certain actions (not touching, not operating, not entering, not smoking). Respecting danger zones prevents people from getting hurt when deviations occur (mitigating barrier); awareness of valves closing off dangerous substances may prevent erroneous operation. Note that the barrier consists of the behaviour itself, not the signalling. (Note that marking components such as valves in order to support correct operation is part of a management obligation to provide a sufficiently good human-machine interface and work place, and should NOT be considered a safety barrier.)
EXAMPLES
Not entering danger zones (e.g. at cranes or robot stations, open containers, rotating machinery), refraining from operating valves, avoiding contact with hot parts, respecting smoking prohibitions, obeying speed limits.
FAILURE MECHANISMS
Not respecting signs and markings, lacking signs, unclear signs, and conflicts with work tasks.
ARAMIS WEIGHT/RATING PAIRS
        0.1 1     0.09 1 0.5 0 0.5 0 0.08 0.75 0.1 1 0.05 1

BARRIER TYPE: 6 PREVENTIVE PROCEDURAL ACTION
DETECTION: Detection concerns attention to situations where the preventive action is required according to procedure; the deviation or threat itself is not detected.
DIAGNOSE: Not relevant
ACTION: Behaviour or hardware: To follow rules and procedures which apply to the situation at hand, or (to activate) automated sequencing through steps in a process.
DESCRIPTION
The activity is performed as part of a procedure for some operation or step in a process in order to prevent dangerous situations, even when the dangerous situation is not necessarily present. There may be overlap with "Temporary barrier" (e.g. making a ground connection and leaving it in place during the (un)loading), but this barrier focuses on actions performed prior to the hazardous activity, i.e. detached in time.
EXAMPLES
Venting of closed spaces before entering, venting/emptying hoses before detachment, earthing tankers before (un)loading to prevent static electricity, inerting vessels or reactors before taking them into use.
FAILURE MECHANISMS
Not executing the action, incomplete or faulty execution.
ARAMIS WEIGHT/RATING PAIRS
0.29 1 0.36 1 0.2 1 0.25 1 0.18 1         0.08 0.75 0.1 1 0.05 1

BARRIER TYPE: 7 HARDWARE INTERVENTION
DETECTION: Hardware
DIAGNOSE: Hardware
ACTION: Hardware
DESCRIPTION
Barriers that by means of direct mechanical-physical principles both detect the deviation and perform the necessary action.
EXAMPLES
Pressure relief valves, bursting disks, sprinkler heads, explosion relief hatches.
FAILURE MECHANISMS
Insufficient capacity (too small, too slow), wrong set point, blocked (including piping towards the barrier), stuck.
ARAMIS WEIGHT/RATING PAIRS
                    0.43 1 0.17 1     0.1 1 0.05 1

BARRIER TYPE: 8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS)
DETECTION: Hardware
DIAGNOSE: Hardware/software
ACTION: Hardware
DESCRIPTION
Automated intervention by a system of electrical/electronic/programmable electronic (E/E/PE) components that, on the basis of input from sensors, is able to determine what intervention needs to be made, and activates actuators (like powered valves) to perform this intervention. In order for an automated system to be considered an independent safety barrier (independent protection layer), the components that make up the automated system should not be part of the basic process control system (BPCS).
EXAMPLES
Emergency shutdown system (ESD), emergency blowdown system.
FAILURE MECHANISMS
Component failure, software failure, design failure, common cause failure.
ARAMIS WEIGHT/RATING PAIRS
                    0.43 1 0.17 1     0.1 1 0.05 1

BARRIER TYPE: 9 HUMAN INTERVENTION FOLLOWING ALARM
DETECTION: Hardware/software
DIAGNOSE: Behaviour according to clear procedures ("Skill & Rule based")
ACTION: Behaviour according to clear procedures ("Skill & Rule based") (may include activation of powered components)
DESCRIPTION
Actions of operators in response to clear instrument signals or alarms. There will be clear instructions describing the actions that are required in response to each of the alarms. The sensors, transmitters and actuators are part of the barrier system. In order for the alarm system to be considered an independent safety barrier (independent protection layer), the components that make up the alarm system should not be part of the basic process control system (BPCS).
EXAMPLES
Manual shutdown or adjustment, evacuation, calling the fire brigade on alarm, closing/opening the (correct) valve.
FAILURE MECHANISMS
Failure of sensors, transmitters or software, flaws in instructions, wrong intervention, operator not present.
ARAMIS WEIGHT/RATING PAIRS
0.58 1 0.36 1 0.2 1     0.09 1 0.22 1 0.08 1 0.08 0.75 0.05 1 0.1 1

BARRIER TYPE: 10 SITUATIONAL HUMAN INTERVENTION (PROCEDURAL)
DETECTION: Human observation and interpretation
DIAGNOSE: Behaviour according to clear procedures ("Skill & Rule based")
ACTION: Behaviour according to clear procedures ("Skill & Rule based")
DESCRIPTION
The hazardous situation is detected by human observation of (a combination of) factors in accordance with clear rules and procedures. There are no clear alarms; the hazardous situation needs to be derived from a combination of inputs. Instrument failure can be considered either part of the initiating deviation (a dangerous failure in the sense that a deviation does not show up) or part of the barrier failure. Actions can be similar to "Human Intervention Following Alarm", but the detection is by observing normal indicators (including measurement displays) BEFORE alarms (if any) are raised. This barrier also includes actions of supervisors supervising other operators' tasks.
EXAMPLES
To adjust hardware set-points, abort operations developing outside the safe area, start alternative (back-up) capacity, redirect flows (e.g. dump), warn others for action or evacuation, disconnect tanks, hoses or pipes, avoid escalation by protecting equipment with foam or fire-fighting water.
FAILURE MECHANISMS
Failure of instruments or software, flaws in instruction, lack of attention, wrong intervention.
ARAMIS WEIGHT/RATING PAIRS
0.29 1 0.36 1 0.2 1 0.25 1 0.09 1         0.15 0.75 0.1 1 0.05 1

BARRIER TYPE: 11 KNOWLEDGE-BASED HUMAN INTERVENTION (AD HOC)
DETECTION: Human observation and interpretation.
DIAGNOSE: Behaviour on the basis of knowledge and reasoning ("Knowledge based")
ACTION: Behaviour
DESCRIPTION
Intervention that requires a continuous knowledge-based assessment of the situation (e.g. during a rescue operation) and/or requires detailed analysis in cases where no procedures or rules apply. This barrier type is provided for the sake of completeness. Apart from its use as a mitigating barrier (emergency response) at the far right-hand side of the diagram or bow-tie, prevention of foreseeable events should be dealt with by procedures, i.e. "Rule and Skill-based" barriers.
EXAMPLES
Fire-fighting, emergency response, to (re)gain control over a complex system (such as a nuclear reactor) and take it to a safe condition.
FAILURE MECHANISMS
Wrong assessment, inadequate intervention, intervention too late or too early.
ARAMIS WEIGHT/RATING PAIRS
0.87 1 1 1 0.17 1 0.83 1 0.09 1         0.13 0.75 0.01 1 0.05 1

Common Elements

Barrier Element | PFD | Description | Weight and Rating for each ARAMIS item (1st to 7th, 0th, A, B)
(no entries)

Gates

Gate | Barrier Diagram | Gate Type | Description
RiskCombination | Combined Fatality Risk of Scenarios | OR Gate |
CombinedFireRisk | Combined Fire Risk of Scenarios | OR Gate |

Conditions

Condition | Condition Type | Freq. or Prob. | Unit | Description | Severity
Uncontrolled Hexane release | Intermediate Event | 1E-5 | Expected Frequency of Occurrence per Year | Release of hexane (1 000 - 10 000 lb) outside the dike due to tank overflow and failure of dike. Severity Category 4 (Method 1, Table 3.1). Risk Tolerance Criteria (Category or Frequency): action required if frequency > 1E-3; tolerable if frequency < 1E-5 | Category 4
Loop failure of BPCS LIC | Initial Event | 0.1 | Expected Frequency of Occurrence per Year | Loop failure of BPCS LIC; PFD from Table 5.1 |
Hexane surge tank overflow | Intermediate Event | 0.001 | Expected Frequency of Occurrence per Year | Hexane surge tank overflow |
Spill contained by dike | Intermediate Event | 0.00099 | Expected Frequency of Occurrence per Year | Tank overflow and spill of hexane into dike. In Method 1 a spill into the tank dike, with little potential for ignition and resulting damage or lost production, is not a consequence of interest. Risk Tolerance Criteria (Method 1): action required: N/A; tolerable: N/A | Consequences of No Interest
Uncontrolled Release of Hexane/Overfilling | Intermediate Event | 1E-5 | Expected Frequency of Occurrence per Year | Release of hexane (1 000 - 10 000 lbs) outside the dike due to tank overflow and failure of dike | Category 4
Hexane Tank Overflow - contained by dike | Intermediate Event | 0.00099 | Expected Frequency of Occurrence per Year | Tank overflow and spill of hexane into dike. In this method a spill into the tank dike, with little potential for ignition and resulting damage or lost production, is not a consequence of interest. | Consequences of No Interest
Storage Tank Overflow | Intermediate Event | 0.001 | Expected Frequency of Occurrence per Year | |
Tank Filling Continues | Intermediate Event | 0.1 | Expected Frequency of Occurrence per Year | Tank filling operation continues while there is not sufficient space in the storage tank |
Unloading of truck while storage tank not empty | Initial Event | 1 | Expected Frequency of Occurrence per Year | Arrival of tank truck with insufficient room in the (storage) tank due to failure of the inventory control system. Frequency based upon plant data |
Fire (Unbounded) | Intermediate Event | 1E-5 | Expected Frequency of Occurrence per Year | Fire in uncontrolled pool. Maximum Tolerable Risk of Serious Fire: 1E-4/year; this criterion applies to single scenarios |
Fire (Contained) | Intermediate Event | 9.9E-5 | Expected Frequency of Occurrence per Year | Fire bounded by the hexane pool in the dike. Maximum Tolerable Risk of Serious Fire: 1E-4/year; this criterion applies to single scenarios |
Personnel Exposed | Intermediate Event | 1.49E-5 | Expected Frequency of Occurrence per Year | |
Fatal Injury/Loop Failure | Link between 2 diagrams | 7.45E-6 | Expected Frequency of Occurrence per Year | Maximum Tolerable Risk of a Fatal Injury: 1E-5/year; applies to a single scenario | Very High Consequences (Fatality/Permanent Disability)
Fire (Contained)/Overfilling | Intermediate Event | 9.9E-5 | Expected Frequency of Occurrence per Year | Fire bounded by the hexane pool in the dike. Maximum Tolerable Risk of Serious Fire: 1E-4/year; this criterion applies to single scenarios |
Fire (Unbounded)/Overfilling | Intermediate Event | 1E-5 | Expected Frequency of Occurrence per Year | Fire in uncontrolled pool. Maximum Tolerable Risk of Serious Fire: 1E-4/year; this criterion applies to single scenarios |
Personnel Exposed/Overfilling | Intermediate Event | 1.49E-5 | Expected Frequency of Occurrence per Year | |
Fatal Injury/Overfilling | Link between 2 diagrams | 7.45E-6 | Expected Frequency of Occurrence per Year | Maximum Tolerable Risk of a Fatal Injury: 1E-5/year; applies to a single scenario | Very High Consequences (Fatality/Permanent Disability)
Fatal Injury | Consequence | 1.49E-5 | Expected Frequency of Occurrence per Year | Combined assessment of the expected frequency of Fatal Injury for both (all) identified accident scenarios. Maximum Tolerable Risk of a Fatal Injury: 1E-5/year, which applies to a single scenario; no information on how to apply the tolerable risk to the combined risk | Very High Consequences (Fatality/Permanent Disability)
Serious Fire | Consequence | 0.000218 | Expected Frequency of Occurrence per Year | Maximum Tolerable Risk of Serious Fire: 1E-4/year; this criterion applies to single scenarios; no information on how to apply it to the total risk | High Consequences (Major Injury)

Measures

Measure | Description | Applies to: Barriers | Applies to: Initial Conditions | Management Issue

Management Issues

Management Issue | Performance | Description
1st ARAMIS Item, Manpower Planning and Availability | 1 | Manpower Planning covers allocating the necessary time (or numbers) of competent people to the tasks that have to be carried out, at the moment (or within the time frame) when they should be carried out. It also covers the process of planning and allocation of tasks over time, including coverage for: holidays, sick leave, peak loads, ensuring breaks and rest pauses, and limiting overtime and fatigue. Personnel Availability ensures that personnel is available for all relevant tasks in relation to the functioning and management of barriers (operations, maintenance, emergency), including: operating personnel, maintenance personnel, inspection & testing incl. general plant walk-rounds, supervision, and back-up & emergency crews.
2nd ARAMIS Item, Competence and Suitability | 1 | Competence covers the knowledge, skills, and abilities of first-line and/or back-up personnel for the safe execution of safety-critical tasks related to barrier functioning or management. Competence covers the cognitive aspects of behaviour, which can be learned through training, experience and practice. They include:
Job content/safety, e.g. plant & process knowledge:
- Operating procedures, critical tasks, action alternatives, skills
- Boundary of safety operations
- Hazards, safety consequences of actions, safety priorities
- Safety responsibility/task boundaries
Inspection & testing procedures:
- Fault diagnosis & response
- Emergency procedures
- Maintenance diagnosis
- Safe isolation and recommissioning
- Equipment dismantling, repair, testing & reassembly
Other skills:
- Communications
- Team work
- Supervision/management
- Issuing instructions
Suitability covers physical attributes that are usually more permanent characteristics of an individual, though some can be modified or compensated for over the longer term. They include: size, strength, dexterity; physical condition, health; visual acuity, colour blindness; and hearing.
3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 1 | Commitment and conflict resolution are concerned with:
- Information, training and discussion on what is important and has priority
- Rapid confrontation and correction of deviations from the desired working method, state or condition
- High (publicity) profile and reward for achievements on safety
- Appraisal schemes with explicit attention to safety performance
- Recurrent active attention to safety in meetings, discussions and actions
- Procedure violations
- Keeping to the prescribed operating envelope
- Safety and production/time pressures, e.g. production pressures reducing scheduled maintenance/inspection, operations which come under time pressure for implementation, reluctance to declare emergencies or shut down plant because of loss of production
- Safety-critical maintenance priority over production
- Balancing production targets, resource availability/costs and inspection and maintenance requirements via e.g. time schedules and budget setting
- Safety budget (increased/decreased)
4th ARAMIS Item, Communication and Coordination | 1 | Communication and coordination concerns itself with:
- Communication channels (phone, radio, minutes, reports, etc.)
- Coordination methods (e.g. meetings, supervision)
- Communication between: different persons engaged on one task as a team or working in sequence, and shifts at changeover
- Communication about: work content, barrier/plant status, job instructions, priorities, who does what, where and when, need for action or (back-up) personnel and equipment
- Communication systems for sharing operation/maintenance hazard concerns and experience
5th ARAMIS Item, Procedures, rules, and goals | 1 | The procedures, rules and goals delivery system is occupied with identifying tasks that need (detailed) written rules and procedures, and subsequently providing and promulgating these. This system also delivers output goals for tasks that do not need a detailed procedure. Procedures and rules are specific performance criteria, which specify in detail, usually in written form, a formalised 'normative' behaviour or method for carrying out an activity (checklist, task list, action steps, plan, instruction manual, fault-finding heuristic, form to be completed, etc.). Output goals are performance measures for an activity, which specify what the result of the activity should be, but not how the results should be achieved. They are objectives, goals or outputs. The procedures, rules and goals delivery system concerns itself with: coverage (i.e. all safety situations), accuracy, readability/usability, size/complexity/overload of rule sets, clarity/ambiguity, being up to date, and indicating priorities.
6th ARAMIS Item, Hard/software purchase, build, interface, install | 1 | Management of barrier (and spares) purchase, construction, installation and adjustment deals with the management process for ensuring that hardware/software barriers and barrier elements in agreement with specifications are acquired, either by purchase from outside or by construction on site, are put in place and adjusted, and that the spare parts or replacements purchased and stored for the maintenance phase of their life cycle are the correct ones and are in good condition when used. The process should pay explicit attention to the human factors aspects of the interface between barrier elements and their users in the case of mixed barriers.
7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 1 | Management of inspection, maintenance and replacement deals with the management processes for ensuring that the specified hardware/software barriers and barrier elements are kept in an effective state. It covers all hardware and software which has a function within any barrier designed to fulfil a safety function in the plant. It forms the part of the life cycle of these barrier elements from the point where they have been installed and adjusted and are ready for use. It covers all the activities which monitor the working of the barriers, detect the (chance of) deviation from the designed working and identify the need for work to be done to restore the functioning or replace the barrier (elements) with new ones. This process also manages small modifications which are carried out at the same time as, and under the same management as, the maintenance activities. Where the modifications are of a more major type, which are (or should be) dealt with by a change management process, these are covered by the protocol on learning and change.
0th ARAMIS Item, Safety Culture | 0.75 | Safety culture can be assessed by questionnaire surveys of the personnel. Safety culture addresses the following issues:
Learning and willingness to report: the employees' willingness/reluctance to report accidents and incidents, their perception of feedback from reporting and dissemination of lessons learned.
Safety prioritisation, rules and compliance: use of and familiarity with rules and instructions; the prioritisation of safety versus productivity and ease of work; the extent to which and the circumstances under which safety procedures may be violated.
Leadership involvement and commitment: both the avowed involvement and commitment of management, supervisors and team leaders, and employee perception of their commitment and involvement.
Risk and human performance limitation perception: management and employee awareness of hazards, risks and human error potentials (fatigue, automation etc.) relevant to their work.
Felt responsibility: the employee's perception of who is responsible for safety at work, including felt ownership of responsibility.
Trust and fairness: management's trust in employees and, crucially, employees' trust in top management and their immediate leaders, and employee perception of fairness in the workplace.
Work team atmosphere and support: employees' perception of teamwork and the 'spirit' in their respective teams; the extent to which the team gives its members support and help; and the extent to which respondents are willing to speak up and warn each other of dangers.
Motivation, influence and involvement: (i) work as meaningful; (ii) own influence on work planning and execution; (iii) motivation and involvement; and (iv) feeling informed and finding work predictable.
A Risk analysis and selection of safety barriers | 1 | This issue covers the process of risk assessment and selection of the barriers. Definitions and coverage: Barrier functions and elements: the process emphasises that barrier functions should first be defined (prevent, protect, mitigate), followed by a choice between all possible principles and forms of barrier which could fulfil that function. Most barrier forms chosen will be combinations of hardware and software elements with behavioural elements. Some barriers may be pure hardware, either passive, in which case the barrier requires no activation after its installation (temporary or permanent), or with active elements, which require adjustment and activation. A number of barriers may be purely dependent on behaviour, such as evacuation, or skilled dismantling of equipment. The elements out of which the complete barriers are constructed must consist (except in the case of passive barriers) of elements which perform the functions of detection or diagnosis of the need to respond, activation of the barrier, and its response. Either hardware or behaviour elements can fulfil each of the functions, and these can be combined in many different ways. The company must make its choices out of these combinations. Coverage: the process should cover all accident scenarios which the company wishes to control, or wishes to demonstrate to regulators that it has controlled. The steps follow the normal processes of risk assessment, but emphasise more clearly the selection and specification of barriers to control the hazards. They also emphasise that barrier selection should take account of the whole life cycle of the barrier and its elements in deciding what is likely to be the most effective choice to make.
B Learning and management of change | 1 | This issue deals with the management processes designed to achieve continuous improvement and adaptation of barrier performance to the current best practice and to the current state of the risks in the organisation. Definitions and coverage: Learning: learning is defined as the collection of information about the performance of a barrier (element) or management process relating to barrier performance, the analysis of the performance data, its comparison with desired performance and/or good practice, the drawing of conclusions about improvements and changes which are required to bring about better performance, and the implementation throughout the organisation of the changes. Learning should be triggered both by deviations from expected or desired performance within the organisation and by comparisons with good practice outside it. Change management: change management is designed to ensure that any changes to the technical, human or organisational aspects of the design, layout, functioning, control or management of the organisation are reflected in changes to the barriers provided to control risk and/or changes to the appropriate part of the life cycle or management processes which ensure the functioning of the barriers. This requires that the organisation specify and identify what will be considered to be 'significant changes' requiring assessment. Incident, accident and failure: Incident: any deviation from expected or desired operation or performance which, if uncorrected, would lead to damage, injury or other undesired outcome, and which is defined as relevant to be recorded for the purposes of learning. Accident: any deviation from expected or desired operation or performance which leads to actual damage, injury or other undesired outcome. Failure: any deviation of a barrier (element) or management process relevant to barrier performance which results in a partial or complete loss of function of that barrier (element) or management process. Coverage: the learning and change control system covers the performance of all barriers and their elements, whether they are achieved by hardware, software or behaviour.

Barrier Diagrams

Diagram Name | Number of Barriers | Number of Gates | Number of Event Tree Branches | Description
Hexane Surge Tank Overflow | 2 | 0 | 5 | Continuing Example 1a and 1b, Hexane Surge Tank Overflow. The consequence assessment method is "Method 3", "Qualitative Estimates with Human Harm with Adjustments for Postrelease Probabilities", as described in section 3.3. Note that the expected frequency of "Spill contained by dike", and thus also of the following events, deviates from the assessment in Appendix A, Table A6. Table A6 applies 0.001 by ignoring the possibility that the dike fails, which leads to the alternative (lower) branch in the diagram: the sum of the frequencies via the upper and lower branch is the expected frequency of "Hexane surge tank overflow".
Hexane Storage Tank Overflow | 3 | 0 | 5 | Continuing Example 2a and 2b, Hexane Storage Tank Overflow. The consequence assessment method is "Method 3", "Qualitative Estimates with Human Harm with Adjustments for Postrelease Probabilities", as described in section 3.3. Note that the expected frequency of "Hexane Tank Overflow - contained by dike", and thus also of the following events, deviates from the assessment in Appendix A, Table A8. Table A8 applies 0.001 by ignoring the possibility that the dike fails, which leads to the alternative (lower) branch in the diagram: the sum of the frequencies via the upper and lower branch is the expected frequency of "Storage Tank Overflow". Notes: Safeguards (non-IPL): BPCS level control and alarm is not an IPL because it is part of the BPCS system already credited in the IPL. Level Check: Level Indicator read by operator.
Combined Fatality Risk of Scenarios | 0 | 1 | 0 | The output of different scenarios can be combined. In this project the total risk has been summed over scenarios explicitly. Both included scenarios have "Fatal Injury" as the Consequence of interest, viz. "Fatal Injury/Loop Failure" and "Fatal Injury/Overfilling"; these outcomes are combined in this diagram. Alternatively, the same condition "Fatal Injury" (without distinguishing the scenarios) could have been used in both scenarios. The quantitative assessment would then be correctly assessed for all scenarios leading to "Fatal Injury", but the result could not be traced back to the single scenario. Hence the separate, explicit method in this project.
Combined Fire Risk of Scenarios | 0 | 1 | 0 | The output of different scenarios can be combined. In this project the total risk has been summed over scenarios explicitly. Both included scenarios have "Fire" as the Consequence of interest (in this project as an Intermediate Event); these events are combined in this diagram. Alternatively, the same conditions "Fire (uncontrolled)" and "Fire (contained)" (without distinguishing the scenarios) could have been used in both scenarios if the treatment of the exposure and fatality is the same (as in this case). The quantitative assessment would then be correctly assessed for all scenarios leading to "Fire", but the result could not be traced back to the single scenario. Hence the separate, explicit method in this project. In order to create this diagram, the combination has to be done during development of the diagrams, when the "Fire" events are the consequences (right-most events) in the diagram; only then are the events accessible for gates in other diagrams, see the help file topic "links to conditions".

Event Tree Branches

Event Tree Branch Name | Diagram Name | Number of Event Tree Branches | Event Tree Branches & Probability | Description
Ignition (Contained spill) | Hexane Surge Tank Overflow | 1 | 1 : 0.1 | Conditional Modifier: probability of ignition of spill contained by the dike, modelled as a Conditional Probability, i.e. an "event tree branch" with one output
Ignition (Uncontrolled spill) | Hexane Surge Tank Overflow | 1 | 1 : 1 | Conditional Modifier: probability of ignition of spill not contained by dike (uncontrolled spill), modelled as a Conditional Probability, i.e. an "event tree branch" with one output
Personnel Exposed (Contained Fire) | Hexane Surge Tank Overflow | 1 | 1 : 0.1 | Conditional Modifier: probability of personnel in affected area for fire contained by dike, modelled as a Conditional Probability, i.e. an "event tree branch" with one output
Personnel Exposed (Uncontrolled Fire) | Hexane Surge Tank Overflow | 1 | 1 : 0.5 | Conditional Modifier: probability of personnel in affected area for fire not contained by dike (uncontrolled fire), modelled as a Conditional Probability, i.e. an "event tree branch" with one output
Fatal Injury | Hexane Surge Tank Overflow | 1 | 1 : 0.5 | Conditional Modifier: probability of fatal injury of personnel in affected area, modelled as a Conditional Probability, i.e. an "event tree branch" with one output
Personnel Exposed (Uncontrolled Fire) | Hexane Storage Tank Overflow | 1 | 1 : 0.5 | Conditional Modifier: probability of personnel in affected area for fire not contained by dike (uncontrolled fire), modelled as a Conditional Probability, i.e. an "event tree branch" with one output
Ignition (Uncontrolled spill) | Hexane Storage Tank Overflow | 1 | 1 : 1 | Conditional Modifier: probability of ignition of spill not contained by dike (uncontrolled spill), modelled as a Conditional Probability, i.e. an "event tree branch" with one output
Fatal Injury | Hexane Storage Tank Overflow | 1 | 1 : 0.5 | Conditional Modifier: probability of fatal injury of personnel in affected area, modelled as a Conditional Probability, i.e. an "event tree branch" with one output
Personnel Exposed (Contained Fire) | Hexane Storage Tank Overflow | 1 | 1 : 0.1 | Conditional Modifier: probability of personnel in affected area for fire contained by dike, modelled as a Conditional Probability, i.e. an "event tree branch" with one output
Ignition (Contained spill) | Hexane Storage Tank Overflow | 1 | 1 : 0.1 | Conditional Modifier: probability of ignition of spill contained by the dike, modelled as a Conditional Probability, i.e. an "event tree branch" with one output