Prevention and Mitigation Layers for Hazardous Events: plants and processes in their environmental context, process control, alarm, emergency shutdown, physical protection and release devices, physical protections and containment systems, separator-type operation, physical protections Fire & Gas systems, internal emergency evacuation plan, external emergency evacuation plan.
The best and most redundant safety layers can be defeated by poor or conflicting management practices. If all prevention layers were fully effective (strong and solid), a failure could not spread from one layer to the next.
In reality these layers are not strong and solid but more like Swiss cheese. The holes are caused by flaws in management, design specifications, engineering, operations, procedures, improperly performed maintenance and other errors. Not only are there holes in each layer, but the holes are constantly moving, growing and shrinking, appearing and disappearing. If these holes line up, a failure can propagate through all the layers and cause a hazardous event.
If the holes were absent, the SIL levels (PFDavg values) of the layers could simply be multiplied, so that three SIL 1 layers could lead to SIL 3. Because of the imperfections described above this is only theory. Raising the level of the individual layers (to SIL 2 and SIL 3), however, makes an overall SIL 3 much more likely to be achieved.
As already seen, risk is a function of the probability (or frequency) of a hazardous event and of its severity (or consequence). In an industrial plant the various layers are planned to reduce one or the other: prevention layers reduce the probability of the hazardous event, while mitigation layers reduce the damaging consequences of a hazardous event that has already occurred.
An industrial plant usually has four prevention layers and four mitigation layers.
In this chapter ten layers are specified (5 for prevention + 5 for mitigation); the finer split serves only a better comprehension and identification of the functions of the different layers.
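As an added illustration (not from the original chapter), the following Python computes the combined PFDavg of stacked layers, the SIL band it falls in and the LOPA-style mitigated event frequency; it also shows the Note 2 case where a critical alarm shares the DCS instrumentation and therefore cannot be credited as an independent layer. The SIL bands are the IEC 61508 low-demand ones; the layer PFDavg values, the grouping rule and the initiating-event frequency are constructed assumptions.

```python
"""Stacking protection layers: product of PFDavg, SIL band, mitigated frequency.

Added example, not the chapter's own calculation. SIL bands follow the
IEC 61508 low-demand table; layer values and the initiating frequency are
constructed. Layers that share hardware or the same operator (the critical
alarm generated by DCS instrumentation) are not independent, so they are
grouped and only the best layer of each group is credited.
"""
from dataclasses import dataclass
from math import prod

# IEC 61508 low-demand bands: SIL -> (lower bound inclusive, upper bound exclusive)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_from_pfd(pfd: float) -> int:
    """Return the SIL band a PFDavg falls into; 0 if worse than SIL 1."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float    # average probability of failure on demand
    group: str    # layers sharing a group share a common failure point (assumed rule)


def credited_pfd(layers) -> float:
    """Multiply the PFDavg of the layers, crediting one layer per independence group.

    Members of a group fail together (shared sensors, shared operator), so the
    group counts as a single layer with the best PFD among its members.
    """
    best = {}
    for layer in layers:
        if layer.group not in best or layer.pfd < best[layer.group].pfd:
            best[layer.group] = layer
    return prod(layer.pfd for layer in best.values())


def mitigated_frequency(initiating_per_year: float, layers) -> float:
    """LOPA-style mitigated event frequency: f_initiating x product of credited PFDs."""
    return initiating_per_year * credited_pfd(layers)


# Constructed scenario: three SIL 1 layers, each with PFDavg 0.05, fully independent
THREE_SIL1 = [
    Layer("process control (DCS)", 0.05, "dcs"),
    Layer("critical alarm, separate instrumentation", 0.05, "alarm"),
    Layer("ESD (SIS)", 0.05, "sis"),
]
# Same PFDs, but the critical alarm comes from DCS instrumentation -> shares group "dcs"
ALARM_IN_DCS = [
    Layer("process control (DCS)", 0.05, "dcs"),
    Layer("critical alarm on DCS", 0.05, "dcs"),
    Layer("ESD (SIS)", 0.05, "sis"),
]

if __name__ == "__main__":
    for label, layers in (("independent", THREE_SIL1), ("alarm inside DCS", ALARM_IN_DCS)):
        pfd = credited_pfd(layers)
        print(f"{label}: combined PFDavg={pfd:.2e} -> SIL {sil_from_pfd(pfd)}, "
              f"mitigated frequency={mitigated_frequency(0.1, layers):.2e}/yr")
```

With independent layers the product 0.05 x 0.05 x 0.05 lands in the SIL 3 band; once the alarm is folded into the DCS group only two layers are credited and the result drops to SIL 2.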
1. Plants and Processes in Their Environmental Context
The main requirement of an industrial process is to be safe, not forgetting the rule that “what is not there cannot be damaged”: the process should be made as simple as possible. Safe processes and systems may be more expensive, but they offer greater advantages to the final user throughout the life of the plant.
Risk reduction may also bring simplification and therefore a reduction of costs. For example, the problem of children remaining trapped and suffocating while playing in refrigerators led the industry to adopt magnetic latches, which are simpler, less expensive and much safer.
Layer 1 takes into consideration all processes, plants and activities which may generate hazardous situations. Together they represent the environmental context to which each safety matter refers.
The matters taken into evaluation are:
- Area’s classification.
- Stocking plants.
- Production plants.
- Storage plants.
- Hot fluid plants.
- Cold fluid plants.
- Electric plants.
- Auxiliary fluid plants.
- Organizational structure of the layer.
2. Process Control
The process control system is the second safety layer. It controls the plant to optimize fuel usage, production quality and so on, and attempts to keep all process variables (pressure, temperature, range, level, flow) within safe limits. For this reason this layer can be considered a safety prevention layer; however, a failure in the control system may also initiate a hazardous event.
Automation does not eliminate the need for human intervention.
Experience has demonstrated that operators may suffer lowered alertness and vigilance and come to over-rely on automated systems. Long periods of passive monitoring can leave operators unprepared to act in an emergency. One way to solve this problem is to involve operators in safety analysis and design decisions up front. Involve operators more, not less.
A good knowledge of processes and plant structures at the various levels is important in order to organize satisfactory process control, which means:
- Management level: Management decisions, and organization of the information.
- Productive level: Operative decisions and elaborated information.
- Field level: Elaborated commands and direct information.
- Plant level: Direct controls and direct information.
- Instrumentation management.
- Operability analysis.
- Wired systems management.
- Computerized systems management.
- Alarms management.
- Diagnostic management.
- Surveillance management.
- Organizational structure of the layer.
3. Alarm system
Monitoring and alarm systems should:
- Detect problems as soon as possible, at a low enough level to ensure that corrective actions can be taken before hazardous conditions are reached.
- Be independent from the control devices they are monitoring, which means they should not fail even if the system they are monitoring fails.
- Add as little complexity as possible.
- Be easy to maintain, check and calibrate.
Two weaknesses remain:
- Operators may not believe that rare events alarmed by the system are real or genuine.
- Operators may take wrong decisions, or fail to act, because they are overloaded with multiple alarms.
An alarm system that provides a lot of information may “confuse” the operators instead of helping them. A recent investigation has shown that during emergencies people are about the worst thing to rely on, no matter how well trained they may be.
Note 1:
Some people might consider the operating and maintenance procedures of a plant as an independent protection layer. This is a rather controversial subject. For example, an inspection to detect corrosion and degradation of a vessel may help prevent accidents.
Procedures which limit the operability of a certain unit below the safety limits, or preventive maintenance actions, may help reduce accidents. However, all procedures may be violated (intentionally or not), especially under pressure to reduce costs or the number of personnel involved. If procedures are to be counted as protection “layers”, they must be documented, people must be trained to follow them, and their use must be regularly audited so that operators do not forget them.
Note 2:
Some plant engineers include critical alarms in the control system (layer 2), such as those that warn of a possible system shutdown by the SIS if proper corrective actions are not taken. Normally, if the safety alarms are supervised by specific control operators and are generated by instrumentation independent from the process control system, it is right to consider critical alarms as a separate layer (layer 3). If instead a competent technician is not available (which often happens for economic reasons) or the instrumentation is not separated, layer 3 should be included in layer 2. In this case, however, operator negligence must be considered a common factor in the failure analysis.
Note 3:
Many safety specialists consider layer 3 together with layer 4. For this reason the considerations made on layer 4 can be applied to layer 3.
4. Emergency Shutdown system
If the control system (DCS) and the operators fail to act, the automatic shutdown system (ESD) takes action. These systems are always completely separated, with their own sensors, logic systems and final elements. Safety systems are designed to:
- Allow the process to move forward in a safe way when specified conditions require so;
- Automatically take the process to a safe state if specified conditions are violated;
- Take action to mitigate the consequences of an industrial hazard.
It is important to distinguish between a safety instrumented function (SIF) and a safety instrumented system (SIS). A SIF is a single safety function (for example a high or low pressure trip), while a SIS may include hundreds of SIFs. Many SIFs include only one sensor (or transmitter) and one final element (valve).
Layer 4 considers all instrumentation controls and safety instrumented systems. It is structured for the instrumented protection of safety conditions. However, the main concern for a safety system should not be only how the system operates, but rather how it fails. This is the underlying reason why dormant safety systems (ESD, F&G) differ from active control systems (DCS) and why SISs have unique design considerations.
Emergency Shut Down includes:
- Safety instrumentation ESD
- Safety analysis ESD
- Wired safety systems ESD
- Computerized safety systems ESD
- Safety interlock management ESD
- Diagnostic management ESD
- Safety surveillance ESD
- Organizational structure of layer
5. Physical protection and release devices
Release valves and rupture discs are one means of physical protection that can be used to prevent, for example, an overpressure condition. While this may prevent a vessel from exploding due to high pressure, the release of dangerous substances into the atmosphere may result in a secondary hazardous event (such as the release of toxic material) or in a violation of environmental protection laws.
Layer 5 considers all the passive physical protections such as release valves and includes:
- Containment devices.
- Discharge devices.
- Conveyances.
- Organizational structure of the layer.
HAZOP studies cover all the evaluative activities that, through a systematic analytical approach carried out by a team of experts, lead to a quantitative determination of the potential risk level for each specific portion of the process (node). They should take into account:
- Evaluation of the risk level.
- Evaluation of the plant’s structures.
- Evaluation of the control instrumentation.
- Evaluation of the safety instrumentation.
- Evaluation of the physical protections.
- Evaluation of the prevention levels.
- HAZOP organization structure.
6. Physical protections, containment systems
Mitigation layers are implemented to reduce the severity or consequences of a hazardous event once it has already occurred. They may contain, disperse or neutralize the release of a dangerous substance. This layer considers all passive containment physical protections. It is designed to perform the first important mitigation actions for a dangerous event arising from specific out-of-control plant situations. Any deficiency in this layer may let the consequences of the hazard propagate inside the production site.
For example, fuel tank dikes can be placed to contain a possible outflow of material. However, holding process fluid within dikes may introduce secondary hazards, so it will be necessary to activate the F&G (Fire & Gas) system.
Nuclear reactors are usually set in a proper containment structure (at Chernobyl such a structure was not available). The control room of a plant which produces TNT is usually surrounded by a reinforced concrete wall 7 meters thick, with a roof made of light material that can “fly away” without harm to persons in case of an explosion.
An explosion-proof enclosure (e.g. NEMA 7 type) allows a safe explosion inside its structure but does not allow propagation outside.
7. Separator Type Operation
Scrubbers are designed to neutralize the release of dangerous substances; flare towers are designed to burn off excess dangerous gas. Note that in Bhopal these two devices were present but not functioning, because of the maintenance phase the plant was in at the time. Moreover, they were not dimensioned to handle a release of such quantity. In other analyses, the seventh layer is included in the sixth one.
8. Physical Protections Fire & Gas Systems
F&G systems are neutralizing systems composed of sensors, a logic solver and final elements, designed to detect any combustible gas, toxic gas or fire and:
- Alarm the condition.
- Take the process to a safe state.
- Take actions to mitigate the consequences of a hazardous event.
Sometimes the F&G system is part of the ESD system. The main difference between the two is that ESD systems operate normally energized and de-energize to trip (take action), while F&G systems operate the opposite way: they are normally de-energized and energize to trip. The reason is rather simple: ESD systems are designed to bring the plant to a safe state, which usually means stopping production.
Nuisance trips (shutting the plant down when nothing is actually wrong) are economically expensive, due to lost production downtime, but are generally not catastrophic.
F&G systems are designed to protect equipment and people. Spurious operation of these systems can damage equipment and possibly result in casualties. The risk to people caused by a nuisance alarm, for example the release of Halon or CO2 into a control room during normal operation, is not tolerated: this is why the system is normally de-energized. Indeed, the solenoid valves of an F&G system are driven (powered) directly by the safety PLC and, if required, the intrinsically safe isolated barriers between the PLC and the solenoid are loop powered. For this reason the barrier remains unpowered for most of its life.
Because of this, the input line diagnostic circuit of the barrier cannot constantly monitor the continuity of the lines. To solve this delicate situation for F&G applications, GM International has developed a special solenoid driver circuit with a continuously active diagnostic circuit, while the safety function is driven by the safety PLC only (loop powered). In this way the mandatory feature of zero nuisance trips is achieved together with continuous monitoring of the input lines. To obtain a good SIL level for the safety function of these barriers it is necessary to use a 1oo2 architecture, because for normally de-energized (ND) circuits the PFDavg of 1oo1 architectures is usually too high (see Chapter 5).
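As an added example (neither the chapter's own calculation nor GM International's), the following Python compares the PFDavg of a 1oo1 and a 1oo2 final-element loop using the simplified IEC 61508-6 low-demand equations, with only dangerous undetected failures considered and repair time neglected; the failure rate, proof-test interval, common-cause factor and target are constructed values.

```python
"""PFDavg of 1oo1 versus 1oo2 for a loop whose failures go undetected.

Added example. Simplified IEC 61508-6 low-demand equations, dangerous
detected failures and repair time neglected (constructed assumptions):
    1oo1: PFDavg = lambda_DU * T_I / 2
    1oo2: PFDavg = ((1 - beta) * lambda_DU * T_I)^2 / 3 + beta * lambda_DU * T_I / 2
lambda_DU: dangerous undetected failure rate per hour (for a normally
de-energized loop without line diagnostics, line faults stay undetected
until the proof test, which is why this term dominates);
T_I: proof-test interval in hours; beta: common-cause fraction.
"""


def pfd_1oo1(lambda_du: float, t_i_hours: float) -> float:
    """Single channel: PFDavg grows linearly with the proof-test interval."""
    return lambda_du * t_i_hours / 2


def pfd_1oo2(lambda_du: float, t_i_hours: float, beta: float) -> float:
    """Two channels, either can trip: independent term plus common-cause term."""
    independent = (1 - beta) * lambda_du * t_i_hours
    return independent * independent / 3 + beta * lambda_du * t_i_hours / 2


def risk_reduction_factor(pfd: float) -> float:
    return 1.0 / pfd


def meets_target(pfd: float, target_pfd: float = 1e-3) -> bool:
    """True if PFDavg is below the target (1e-3 is the SIL 3 upper bound)."""
    return pfd < target_pfd


def required_architecture(lambda_du: float, t_i_hours: float, beta: float,
                          target_pfd: float = 1e-3) -> str:
    """Pick the simplest architecture that meets the target, or report neither."""
    if meets_target(pfd_1oo1(lambda_du, t_i_hours), target_pfd):
        return "1oo1"
    if meets_target(pfd_1oo2(lambda_du, t_i_hours, beta), target_pfd):
        return "1oo2"
    return "neither"


LAMBDA_DU = 1e-6   # constructed: dangerous undetected failures per hour
T_I = 8760.0       # constructed: yearly proof test
BETA = 0.1         # constructed: 10 % common-cause fraction

if __name__ == "__main__":
    for name, pfd in (("1oo1", pfd_1oo1(LAMBDA_DU, T_I)),
                      ("1oo2", pfd_1oo2(LAMBDA_DU, T_I, BETA))):
        print(f"{name}: PFDavg={pfd:.2e}  RRF={risk_reduction_factor(pfd):.0f}  "
              f"SIL 3 target met: {meets_target(pfd)}")
    print("required:", required_architecture(LAMBDA_DU, T_I, BETA))
```

With these values the single channel sits at about 4.4e-3 (SIL 2 band) while the 1oo2 loop reaches about 4.6e-4, and the common-cause term is what keeps the redundant loop from doing much better.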
The analysis of this layer includes:
- Containment structures
- F&G safety instrumentations
- Analysis for the safety containments
- Wired F&G safety systems
- Computerized F&G safety systems
- F&G operating time management
- F&G diagnostic management
- F&G safety surveillance
- Organization structure of the layer.
Some plant safety engineers consider layers 6, 7 and 8 as one unique containment layer, because they state that all containment devices must be handled and managed with the same criteria and procedures.
9. Internal Emergency Evacuation Plan
Although evacuation plans are not a physical system (apart from sirens) but a set of procedures, they can be treated as a real layer: failures in the procedures may indeed put overall safety at risk. Evacuation alarms are usually announced by the sound of a siren, and proper means of transport are made available for the safety of the personnel. In Bhopal the siren had the undesired effect of attracting people from outside the plant, raising the number of casualties and injuries.
The analysis of this layer includes:
- Internal scenarios analysis
- Internal emergency plan
- Internal intervention equipment
- Internal organizational structure
10. External Emergency Evacuation Plan
This is a very delicate issue. It may happen that plant management deliberately hides the possible hazard to people and the environment from the authorities and the citizens living around the facilities. The external community must instead be informed about any possible hazard, and an emergency plan must be carefully prepared.
This layer considers the sequential actions to be taken in an emergency that may involve the surroundings of the plant. It is an organized community structure of authorized bodies that intervenes with coordinated actions to mitigate the dangerous effects for the residential community and for the environment.
It is obvious that inadequate responses, or inefficient intervention, may lead to severe consequences like those that occurred in Bhopal. Evacuation procedures should consider:
- Evaluation of external community impact
- Mapping of the area exposed to the risk
- Evaluation of intervention levels
- Organizational structure of the plan
- Analysis of the external scenarios
- External emergency plan
- External intervention department
- External organizational structure