Prevention Mitigation Layers for Hazardous Events

Prevention and Mitigation Layers for Hazardous Events are Plants and processes in their environmental context, Process Control, Alarm, Emergency Shutd

The best and most redundant safety layers can be defeated by poor or conflicting management practices. If all prevention layers are effective (i.e. strong and solid), failures cannot spread from one to another.

Prevention and Mitigation Layers for Hazardous Events - Virda
In reality, these layers are not strong and solid, but more like Swiss cheese. The holes are caused by flaws in management, design specifications, engineering, operations, procedures, improperly performed maintenance, and other errors. Not only are there holes in each layer, but these holes are constantly moving, increasing and decreasing, as well as appearing and disappearing. It is clear that if these “holes” line up, a failure can propagate through all layers and cause a hazardous event.

Supposing these holes are not present, the SIL levels (PFDavg) of each layer can be multiplied. This means that three SIL 1 layers could lead to SIL 3. Unfortunately this is just theory, because of the imperfections mentioned above. However, raising the level of the three layers (to SIL 2 and SIL 3) makes achieving a SIL 3 overall level much more probable.
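The multiplication argument above, worked through as an added example (not code from the original page). The PFDavg bands are the IEC 61508 low-demand bands; the `beta` common-cause fraction is an assumed beta-factor approximation of the “holes lining up”, and all PFDavg and frequency values are constructed for illustration.

```python
from math import prod

# IEC 61508 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd: float) -> int:
    """Return the SIL band a PFDavg falls in; 0 if worse than SIL 1, capped at SIL 4."""
    if pfd < 1e-5:
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def combined_pfd(pfds, beta: float = 0.0) -> float:
    """PFDavg of several protection layers in series.

    beta = 0 is the ideal case of the text: independent layers, so the
    PFDavg values simply multiply.  beta > 0 is an assumed beta-factor
    approximation of the 'holes lining up': a fraction beta of the demands
    hits a shared weakness that only the best single layer survives.
    """
    pfds = list(pfds)
    independent = prod(pfds)
    return (1.0 - beta) * independent + beta * min(pfds)


def mitigated_frequency(initiating_per_year: float, pfds, beta: float = 0.0) -> float:
    """LOPA-style mitigated event frequency: initiating frequency x layer PFDavg."""
    return initiating_per_year * combined_pfd(pfds, beta)


if __name__ == "__main__":
    # Constructed values: three SIL 1 layers (PFDavg 0.05 each) in front of an
    # initiating event assumed to occur 0.1 times per year.
    sil1_layers = [0.05, 0.05, 0.05]
    ideal = combined_pfd(sil1_layers)
    print(f"independent layers:       PFDavg={ideal:.2e} -> SIL {sil_from_pfd(ideal)}")
    leaky = combined_pfd(sil1_layers, beta=0.1)
    print(f"10% common cause:         PFDavg={leaky:.2e} -> SIL {sil_from_pfd(leaky)}")
    # Stronger layers (three at SIL 2) keep SIL 3 overall with the same holes.
    stronger = combined_pfd([0.005, 0.005, 0.005], beta=0.1)
    print(f"SIL 2 layers, 10% common: PFDavg={stronger:.2e} -> SIL {sil_from_pfd(stronger)}")
    print(f"mitigated frequency: {mitigated_frequency(0.1, sil1_layers):.2e} per year")
```

With independent layers the three SIL 1 layers reach the SIL 3 band, but a 10 % common-cause fraction drops the combination to SIL 2, while three SIL 2 layers still hold SIL 3 under the same assumption.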

Prevention and Mitigation Layers for Hazardous Events - Virda
As already seen, risk is a function of the probability (or frequency) of a hazardous event and of its severity (or consequence). In an industrial plant the various layers are planned to reduce one or the other. Prevention layers are used to reduce the probability of the hazardous event, while mitigation layers are implemented to reduce the damaging consequences of an already happened hazardous event.

An industrial plant usually has four prevention layers and four mitigation layers.
In this chapter ten layers are specified (5 for prevention + 5 for mitigation). This distinction matters only for a better comprehension and identification of the functions of the different layers.


1. Plants and Processes in Their Environmental Context

The main requirement of an industrial process is to be safe, not forgetting the rule that “what is not there cannot be damaged”, which means that it is important to make the process as simple as possible.
Safe processes and systems may be more expensive, but offer greater advantages to the final user throughout the life of the plant.

Plants and Processes in Their Environmental Context - Virda
Risk reduction may result in a simplification and therefore in a reduction of costs. For example, the problem of children remaining trapped and suffocating while playing in refrigerators has led the industry to the use of magnetic latches, which are simpler, less expensive and much safer.

Layer 1 takes into consideration all processes, plants and activities which may generate hazardous situations. All these represent the environmental context to which each safety matter refers.

Aspects taken into evaluation are:
  • Area’s classification.
  • Stocking plants.
  • Production plants.
  • Storage plants.
  • Hot fluid plants.
  • Cold fluid plants.
  • Electric plants.
  • Auxiliary fluid plants.
  • Organizational structure of the layer.
The application field can be chemical, petro-chemical, pharmaceutical, food, cement, and power generation plants. Legislative directives and construction standards can include: ATEX, PED, IECEx, CPD, IEC, ISO, IEEE, CENELEC, DIN, CEI, UNI, ISA, ANSI, UL, FM, ASME, NEPA, AIChE, CCPS, etc.

2. Process Control System

The process control system is the second safety layer. It controls the plant for an optimization of fuel usage, production quality, etc. It attempts to keep all process variables, such as pressure, temperature, range, level, flow, within safe limits. For this reason, this layer can be considered a safety prevention layer. However a failure in the control system may also initiate a hazardous event.
Automation does not eliminate the need for human intervention.
Experience has shown that automation can lower operators’ alertness and vigilance and lead to over-reliance on automated systems. Long periods of passive monitoring can leave operators unprepared to act in an emergency. One way to address this problem is to involve operators in safety analysis and design decisions up front. Involve operators more, not less.
Process Control System - Virda

A good knowledge of processes and plant structures at various levels is important in order to organize a satisfactory process control, and this means:
  • Management level: Management decisions, and organization of the information.
  • Productive level: Operative decisions and elaborated information.
  • Field level: Elaborated commands and direct information.
  • Plant level: Direct controls and direct information.
Layer 2 takes into consideration all process instrumentation controls and alarms, such as:
  • Instrumentation management.
  • Operability analysis.
  • Wired systems management.
  • Computerized systems management.
  • Alarms management.
  • Diagnostic management.
  • Surveillance management.
  • Organizational structure of the layer.

3. Alarm system

Monitoring and alarm systems should:
  • Detect problems as soon as possible, to a low enough level to ensure that corrective actions can be taken before reaching hazardous conditions.
  • Be independent from the control devices they are monitoring, which means they should not fail even if the system they are monitoring fails.
  • Add as little complexity as possible.
  • Be easy to maintain, check, and calibrate.
Alarm and monitoring systems are considered to be the safety layers in which the operators are actively involved: not everything can be automated. However this is a double-edged sword because:
  • Operators may not believe that rare events, alarmed by the system, are real or genuine.
  • Operators may take wrong decisions, and fail to act, because they are overloaded with multiple alarms.
Alarm System - Virda

An alarm system that provides a lot of information may “confuse” the operators instead of helping them. A recent investigation has shown that during emergencies, people are about the worst thing to rely on, no matter how well trained they may be.

Note 1:
Some people might consider operating and maintenance procedures of a plant as an independent protection layer. This is a rather controversial subject. For example, an inspection to detect corrosion and degradation of a vessel may help prevent accidents.
Procedures which limit the operability of a certain unit below the safety limits, or preventive maintenance actions, may help reduce accidents. However all procedures may be violated (intentionally or not), especially in the presence of pressure to reduce costs or the number of personnel involved. If the procedures are to be accounted as protection safety “layers”, they must be documented, people have to be trained to follow them, and their use must be regularly audited so that the operators do not forget them.

Note 2:
Some plant engineers include in the control system (layer 2) critical alarms, such as the ones that warn of a possible system shutdown by the SIS if proper corrective actions are not taken. Normally, if the safety alarms are supervised by specific control operators and are generated by instrumentation independent from the process control system, it is right to consider critical alarms as a separate layer (layer 3). If instead a competent technician is not available (and this happens often for economic reasons) or a separation of the instrumentation does not exist, layer 3 should be included in layer 2. In this case, however, operator negligence must be considered as a common-cause factor in the failure analysis.

Note 3:
Many safety specialists consider layer 3 together with layer 4. For this reason the considerations accounted on layer 4 can be applied to layer 3.

4. Emergency Shutdown system

If the control system (DCS) and the operators fail to act, the automatic shutdown system (ESD) takes action. These systems are always completely separated, with their own sensors, logic systems and final elements. Safety systems are designed to:
  • Allow the process to move forward in a safe way when specified conditions require so;
  • Automatically take the process to a safe state if specified conditions are violated;
  • Take action to mitigate the consequences of an industrial hazard.
Note:
It is important to distinguish between a safety instrumented function (SIF) and a safety instrumented system (SIS). A SIF refers to a single safety function (for example a high or low pressure trip), while a SIS may include hundreds of SIFs. Many SIFs include only one sensor (or transmitter) and one final element (valve).

Emergency Shutdown system - Virda
Layer 4 considers all instrumentation controls and safety instrumented systems. It is structured for instrumentation protection of safety conditions. However, the main concern for a safety system should not only be focused on how the system operates, but rather on how it fails. This is the underlying reason why dormant safety systems (ESD, F&G) differ from active control systems (DCS) and why SISs have unique design considerations.

Emergency Shut Down includes:
  • Safety instrumentation ESD
  • Safety analysis ESD
  • Wired safety systems ESD
  • Computerized safety systems ESD
  • Safety interlock management ESD
  • Diagnostic management ESD
  • Safety surveillance ESD
  • Organizational structure of layer

5. Physical protection and release devices

Emergency Release Devices - Virda
Release valves and rupture discs are one means of physical protection that can be used to prevent, for example, an overpressure condition. While this may prevent a vessel from exploding due to a high pressure condition, the release of dangerous substances into the atmosphere may result in a secondary hazardous event (such as the release of toxic material) or a violation of the environmental protection laws.

Layer 5 considers all the passive physical protections such as release valves and includes:
  • Containment devices.
  • Discharge devices.
  • Conveyances.
  • Organizational structure of the layer.
Considerations on protection levels:
Optimation Safety Scale - Virda
HAZOP studies cover all evaluative activities that, by means of a systematic analytical approach carried out by a team of experts, lead to a quantitative determination of the potential risk levels for each specific portion of the process (node). Such studies should take the following into consideration:
  • Evaluation of the risk level.
  • Evaluation of the plant’s structures.
  • Evaluation of the control instrumentation.
  • Evaluation of the safety instrumentation.
  • Evaluation of the physical protections.
  • Evaluation of the prevention levels.
  • HAZOP organization structure.
As shown in the figure, the expert’s goal is to balance the possible risk levels with the respective levels of prevention. If the scale leans towards the risks, it means there is not enough prevention. Vice versa, if it leans towards the prevention, it means excessive energies (costs) are invested. This can also be applied on a general basis, with prevention and mitigation layers.

6. Physical protections, containment systems

Mitigation layers are implemented to reduce the severity or consequences of a hazardous event once it has already occurred. They may contain, disperse or neutralize the release of a dangerous substance. This layer considers all passive containment physical protections. It is designed to perform the first important actions of mitigation for a dangerous event in consequence of specific out of control plant situations. Any deficiency in this layer may lead to the propagation of hazard consequences inside the productive sites.

Physical Protections Devices - Virda
For example fuel tank dikes can be placed to contain the possible outflow of material. However, holding process fluid within dikes may introduce secondary hazards. Therefore it will be necessary to activate the F&G system (Fire & Gas).

Nuclear reactors are usually set in a proper containment structure (in Chernobyl a specific structure was not available). The control room of a plant which produces TNT is usually surrounded by a reinforced concrete wall, 7 meters in depth, with a roof made of light material that would be able to “fly away” with no harm to persons in case of explosion.

An explosion proof box (e.g. Nema 7 type) contains an explosion safely within its structure and does not allow it to propagate outside.

7. Separator Type Operation

Physical Protections Devices - Virda
Scrubbers are designed to neutralize the release of dangerous substances. Flare towers are designed to burn off dangerous gas substances in excess. Note that in Bhopal these two devices were present but not functioning during the maintenance phase the plant was in at the time. Moreover, they were not dimensioned to handle a release of such quantity. In other analyses, the seventh layer is included in the sixth one.

8. Physical Protections Fire & Gas Systems

F&G systems are neutralizing systems composed of sensors, a logic solver, and final elements designed to detect any combustible gas, toxic gas, or fire and:
  • Alarm the condition.
  • Take the process to a safe state.
  • Take actions to mitigate the consequences of a hazardous event.
Sensors may consist of heat, smoke, flame, and/or gas and fire detectors, together with manual call boxes. Logic systems can be DCSs, conventional PLCs, safety PLCs, special purpose PLCs, or specific multi-loop F&G systems. Final elements may consist of flashing / strobe lights, horns, sirens, phone notification systems, fire extinguishing systems, exploding squibs, deluge systems, suppression systems, and/or process shutdowns.

Sometimes the F&G system is part of the ESD system. The main difference between the two is that ESD systems operate normally-energized and de-energize to trip (to take action), while F&G systems operate the opposite way: they are normally de-energized and energize to trip. The reason for this is actually rather simple: ESD systems are designed to bring the plant to a safe state, which usually means stopping the production.
Nuisance trips (shutting the plant down when nothing is actually wrong) are economically expensive, due to lost production downtime, but are not generally catastrophic.

F&G systems are designed to protect equipment and people. Spurious operation of these systems can damage equipment and possibly result in casualties. The risk for people caused by a nuisance alarm, for example the release of Halon or CO2 in a control room during normal operation, is not tolerated: this is why the system is normally de-energized. Indeed the solenoid valves of an F&G system are driven (powered) directly by the safety PLC and, if required, the intrinsic safety isolated barriers between the PLC and the solenoid are powered by the loop. For this reason the barrier will remain unpowered for most of its life.

Because of this, the input line diagnostic circuit of the barrier cannot constantly monitor the continuity of the lines. To solve this very delicate situation, for F&G applications, GM International has developed a special solenoid driver circuit which has a continuously active diagnostic circuit, while the safety function is driven by the safety PLC only (loop powered). By doing so, the mandatory feature of having zero nuisance trips is achieved together with continuous monitoring of the input lines. To obtain a good SIL level for the safety function of these barriers it is necessary to use a 1oo2 architecture, because for ND circuits the PFDavg for 1oo1 architectures is usually too high (see Chapter 5).
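The energize-to-trip versus de-energize-to-trip behaviour just described, as an added example that is not code from the page or from GM International: a constructed open-wire fault shows why an NE loop fails safe and reveals itself while an ND loop stays dormant unless a line diagnostic is active, and the IEC 61508-6 simplified PFDavg formulas show the 1oo1 to 1oo2 step for the ND path. The failure rate `lambda_DU`, the proof-test interval and the `beta` value are constructed illustration values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoopOutcome:
    final_element_trips: bool  # solenoid/valve reaches its trip position
    fault_revealed: bool       # the wiring fault becomes visible to the plant


def esd_loop(demand: bool, wire_open: bool) -> LoopOutcome:
    """Normally-energized (NE) ESD loop: de-energize to trip.

    Losing the circuit (open wire) removes power, so the element trips on its
    own: a nuisance trip, costly but safe, and the fault reveals itself.
    """
    energized = not demand and not wire_open
    return LoopOutcome(final_element_trips=not energized, fault_revealed=wire_open)


def fg_loop(demand: bool, wire_open: bool, line_monitoring: bool) -> LoopOutcome:
    """Normally-de-energized (ND) F&G loop: energize to trip.

    An open wire causes no action, so nothing trips spuriously, but the loop
    can no longer act on a real demand.  Without a continuously active line
    diagnostic the fault stays dormant until the next demand or proof test.
    """
    trips = demand and not wire_open
    return LoopOutcome(final_element_trips=trips,
                       fault_revealed=wire_open and line_monitoring)


def pfd_1oo1(lambda_du: float, proof_test_h: float) -> float:
    """IEC 61508-6 simplified low-demand PFDavg for 1oo1: lambda_DU * T / 2."""
    return lambda_du * proof_test_h / 2.0


def pfd_1oo2(lambda_du: float, proof_test_h: float, beta: float) -> float:
    """IEC 61508-6 simplified PFDavg for 1oo2: (lambda_DU*T)^2 / 3 + beta*lambda_DU*T / 2."""
    x = lambda_du * proof_test_h
    return x * x / 3.0 + beta * x / 2.0


if __name__ == "__main__":
    # Constructed fault: a broken field wire while no demand is present.
    print("ESD, wire open:", esd_loop(demand=False, wire_open=True))             # trips, revealed
    print("F&G, wire open, no monitoring:", fg_loop(False, True, False))         # dormant
    print("F&G, wire open, line monitoring:", fg_loop(False, True, True))        # revealed
    print("F&G, real demand on broken wire:", fg_loop(True, True, False))        # fails to act

    # Constructed rates: lambda_DU = 1e-6 /h on the ND solenoid path, yearly proof test.
    lam, T = 1e-6, 8760.0
    print(f"1oo1 PFDavg = {pfd_1oo1(lam, T):.2e}")            # SIL 2 band (>= 1e-3)
    print(f"1oo2 PFDavg = {pfd_1oo2(lam, T, beta=0.1):.2e}")  # SIL 3 band (< 1e-3)
```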
The analysis of this layer includes:
  • Containment structures
  • F&G safety instrumentations
  • Analysis for the safety containments
  • Wired F&G safety systems
  • Computerized F&G safety systems
  • F&G operating time management
  • F&G diagnostic management
  • F&G safety surveillance
  • Organization structure of the layer.
Note:
Some plant safety engineers consider layers 6, 7 and 8 as one unique containment layer, because they state that all containment devices must be handled and managed with the same criteria and procedures.

9. Internal Emergency Evacuation Plan

Although evacuation plans are not a physical system (apart from sirens) but a set of procedures, they can be treated as a real layer. Failures in the procedures may indeed put the overall safety at risk. Evacuation alarms are usually announced with the sound of a siren, and proper means of transport are made available for the safety of the personnel. In Bhopal the siren signal had the undesired effect of attracting people from outside the plant, raising the number of casualties and injuries.

Evacuation Procedures Devices - Virda
The analysis of this layer includes:
  • Internal scenarios analysis
  • Internal emergency plan
  • Internal intervention equipment
  • Internal organizational structure
This layer is essentially made up of an internal organizational structure, with skilled and trained staff together with specific equipment, which are promptly used to mitigate the effects of a hazardous event inside and outside of the plant.

10. External Emergency Evacuation Plan

This is a very delicate issue. It may happen that the plant management deliberately hides the possible hazard for people and the environment from the authorities and the citizens living around the facilities. The external community must instead be informed about any possible hazard, and an emergency plan must be carefully prepared.

This layer considers the sequential actions to be taken in case of an emergency situation that may involve the surroundings of the plant. It is an organized community structure of authorized bodies that intervenes with coordinated actions to mitigate the dangerous effects for the residential community and for the environment.

It is obvious that inadequate responses, or inefficient intervention, may lead to severe consequences, like those that occurred in Bhopal. Evacuation procedures should consider:
  • Evaluation of external community impact
  • Mapping of the area exposed to the risk
  • Evaluation of intervention levels
  • Organizational structure of the plan
The implementation of these procedures has to consider:
  • Analysis of the external scenarios
  • External emergency plan
  • External intervention department
  • External organizational structure
Virda Chemical Park
https://www.virdapark.my.id/2021/10/prevention-mitigation-layers-for-hazardous-events.html