TSE101
Technical Safety Engineering Foundation
1.1 Introduction to Process Safety
LEARNING OBJECTIVES
Be able to:
Explain why process safety is so important
Describe the Shell HSSE & SP Control Framework and its relation to
the management of Health, Safety and Environment (HSE)
Demonstrate a familiarity with DEM1 and DEM2
Describe the basic principles of the Hazards and Effects
Management Process (HEMP), the bowtie and how the TSE 101
course follows the logic of the bowtie and the Onion Model
CONTENT
Why is safety so important?
What is Process Safety Management?
Course Focus
Introduction to the HSSE & SP Control Framework
Introduction to DEM1 and DEM2
Hazards and Effects Management Process and Bow Tie Concept
Tolerability and ALARP Concepts
The Onion Model
PROCESS SAFETY MANAGEMENT
Process Safety Management is about prevention of incidents resulting
from unintentional release of energy or hazardous substances from
assets we operate. It is about “keeping the product in the pipes and
tanks”.
What is necessary to assure the integrity of our assets?
Design integrity - We design and build so that risks are
As Low As Reasonably Practicable (ALARP).
Technical Integrity (maintenance, inspection, repair, and
assurance) – We maintain the hardware barriers.
Operating integrity - We operate all our facilities within
up to date operating envelopes, we comply with procedures and standards (permit to work, overrides management, management of change, etc.)
Key Enablers – Technical Safety, People and Systems
Figure: Design Integrity, Technical Integrity, Operating Integrity, Key enablers (people and systems)
TSE101 COURSE FOCUS: SAFE DESIGN
The foundation to ‘keep the stuff in the pipe’:
Start with a safe design, i.e. in accordance with:
The most recent applicable Shell Design and Engineering Manuals.
Recognised industry standards, in areas outside the scope of the DEMs.
Ensure that:
Safe design is included in changes.
Unit is:
Well operated.
Well maintained.
START WITH A SAFE DESIGN
A design starts with a process to safely make the products.
The design of equipment and piping needs to contain the process
under all foreseeable circumstances.
How can a safe design be achieved?
How safe is safe and is safe, safe enough?
What are the boundaries available, set out by our social
environment? (Regulators, customers, Shell)
Is it economic to do so?
Think how within the process the hazard could be released (if something goes wrong).
In Shell, we use the Hazards & Effects Management Process (HEMP) to assess this. We will have a refresher on HEMP later in this module.
PROCESS SAFETY BASICS: CONCEPTS, PRINCIPLES & ASSUMPTIONS
Design
Equipment design & safeguarding should be able to cope with all foreseeable process conditions including upset scenarios
Equipment design conditions should not be exceeded
Inherent safe design should be considered versus installation of safeguarding.
Simultaneous occurrence of independent upset scenarios is not considered in the design.
Major loss of containment occurs when equipment material yield stress levels are exceeded (e.g. internal pressure exceeds equipment test pressure)
Safeguarding instrumentation should be designed fail safe
Mechanical protection prevails over instrumented safeguarding
These design principles and concepts are included or applied in our DEPs, HSE reviews etc
PROCESS SAFETY BASICS: CONCEPTS, PRINCIPLES & ASSUMPTIONS
General
Operating & Maintenance personnel are well trained and qualified.
No design for sabotage, gross negligence or wilful misconduct.
Upsets and issues within a plant unit should not be exported to other units
Hazard Risk Management
Manage the hazard risk to ALARP (As Low As Reasonably Practicable).
Minimize hazard inventory.
Prevent or minimize hazardous releases or conditions (e.g. flammable atmospheres)
THE “HSSE & SP CONTROL FRAMEWORK”
Defines the Group HSSE & SP requirements that are mandatory for all
projects and operations:
Simplify - to comply
simple and clear requirements to support compliance, help prevent incidents, and move
towards Goal Zero.
Standardise - a single Shell HSSE & SP Control Framework
applicable to all Shell projects & operations,
use of industry standards; easy to communicate with contractors with new ways of working – Global Discipline Teams
Eliminate - take out duplication & layers
separate mandatory requirements from non-mandatory guidance,
few layers of documentation at different organisation levels.
ASSET INTEGRITY – PROCESS SAFETY MANAGEMENT
The HSSE & SP Control Framework includes a section titled “Asset
Integrity – Process Safety Management”. In this section,
Process Safety means the management of hazards that can give rise
to major accidents involving the release of potentially dangerous
materials, release of energy (such as fire or explosion) or both.
(Definition taken from the Baker Report/UK Health & Safety Exec.)
Asset integrity means the ability of an asset to perform its intended
function effectively… while safeguarding life and environment.
CONTROL FRAMEWORK – AI-PSM COMPONENT DESCRIPTIONS
AI-PSM Standard
Under the HSSE Control Framework and mandatory from Dec ’08 for all ventures under Shell’s operational control.
Describes components of AI-PSM and associated roles/responsibilities.
Transition Manual
Outlines the timelines for implementation of the AI-PSM Standard.
Application Manual
Provides detailed requirements for the full implementation of the AI-PSM Standard
Design and Engineering Manual 1 (DEM1) – Application of Technical Standards
Identifies the Design and Engineering Practices (DEPs) which are mandatory for new assets and modifications to existing assets.
Design and Engineering Manual 2 (DEM2) – Process Safety Basic Requirements
Identifies the Process Safety Basic Requirements (PSBRs) that are mandatory to retrofit existing assets & build into new assets.
Overrides of Process Safeguarding Systems
Management and operational control requirements where safeguarding systems are required to be overridden or bypassed for
DEM 1 – APPLICATION OF TECHNICAL STANDARDS
Applies to Assets that have hazards with RAM red and yellow 5A & 5B
risks; for new projects & modifications/changes to existing assets
Going forward - design & construct to mandatory DEPs & Design risks
are at ALARP
Accountabilities defined (Asset Mgr, Project Mgr, Delegated Technical
Authority, DEP Custodian)
All relevant Process Safety related “Shall” statements identified in DEM1
DEPs are mandatory
Primary focus is high risk AI-PSM
DEM 1 – APPLICATION IN DESIGN
Project Requirements:
Projects > $100 million to use DEM1 DEPs as from 1/1/09.
Under $100 million total project cost that do not involve Unusual Risk,
DEM1 requires a hierarchy of decisions:
Apply the relevant DEPs. If not practicable,
Utilize another recognized standard (Shell, industry), or
Utilize documented risk assessment methods to design sufficient
barriers to manage and document risks to ALARP.
In case of Derogation from DEM1, the Delegated Technical Authority
must approve the use of alternative standards, based on a
documented risk assessment that demonstrates that Process Safety
risks are managed to ALARP (Refer to DEM1 Derogations Procedure
Guide)
DEM 2 – OVERVIEW
Process Safety Basic Requirements (PSBRs):
11 PSBRs
Based on past large industrial PS Incidents - includes reference to actual events
Applies to Assets that have hazards with RAM red and yellow 5B risks;
existing and new. DEM-2 PSBRs are applied retroactively
Derogation/deviation from DEM2 requires approval by the RDS CEO.
Compliance is verified in a document called the “Statement of Fitness”.
DEM 2 – PROCESS SAFETY BASIC REQUIREMENTS
PSBR | Process Safety Basic Requirement
1 | Safe siting of occupied portable buildings
2 | ESD valves on platform risers
3 | Temporary refuges
4 | Permit to Work
5 | Management of Change
6 | Avoid liquid release relief to atmosphere
7 | Avoid tank overfill followed by vapor cloud release
8 | Avoid brittle fracture of metallic materials
9 | Alarm management
10 | Sour Gas (H2S)
HEMP (HAZARDS AND EFFECTS MANAGEMENT PROCESS)
The structured hazard analysis methodology involving hazard identification, assessment, control and recovery and comparison with screening and
performance criteria.
HEMP is an umbrella concept of hazard review tools
Review tool examples: HAZOP, EIA (Environmental Impact Assessment), HRA (Health Risk Assessment), PHA (Process Hazard Analysis), PSA (Process Safety Assessment), bow-tie.
Part of HSSE-Management System (MS) - the outcome is linked to the other HSSE-MS elements that govern the day-to-day performance for the site.
HEMP AND BOW-TIES
The “Bow-Tie” representation is used across Group to demonstrate that
hazards have been reviewed and that major risks are managed, that is
risks in the RAM* red and yellow 5A or 5B areas together.
So, let us have a refresher look at some basic definitions and what the
“Bow-Tie” Model looks like.
Note: * For more information on the RAM, refer to the HSSE&SP Control
Framework.
DEFINITIONS – HAZARD
A HAZARD is something with the potential to cause harm to People,
damage to Assets, business loss and impact on the Environment or
Reputation.
Figure: Hazard = Crude Oil
DEFINITIONS – TOP EVENT
A TOP EVENT is the ‘release’ of the hazard, sometimes called the first
event in a chain of consequences. It is the event we do not want to
happen. Common top events in our businesses are “loss of containment”,
“loss of control” or “exposure to”.
Figure: Hazard = Crude Oil; Top Event = LOSS OF CONTAINMENT
DEFINITIONS – CONSEQUENCE
A CONSEQUENCE is the ultimate harm that may occur due to a credible
hazard release scenario.
DEFINITIONS – THREAT
A THREAT is something that can cause the release of a hazard and lead
to the top event. Examples of threat are corrosion, equipment failure
(mechanical), excessive pressure or temperature, human factors,
weather, etc...
Figure: Hazard = Crude Oil; Threat = EXCESSIVE PRESSURE
THREAT – EXAMPLES
Chemical
Internal corrosion, external corrosion
Physical
Fatigue, vibration, impact by falling object, collision, erosion
Environmental
Hurricane, earthquake
Process
Excessive pressure or vacuum (while pressure itself is not a threat)
Excessive temperature (temperature by itself is not a threat)
Overfill
Human Factor
Human errors during dedicated operation (draining a tank, connecting the wrong vessel, etc.)
THE MODEL SO FAR
Left hand side: before top event
Right hand side: after top event
Figure: bow-tie so far - HAZARD on the left, Top Event in the centre, SCENARIO and CONSEQUENCES on the right
DEFINITIONS – BARRIERS: CONTROLS AND RECOVERY MEASURES
BARRIERS: A Barrier is the common term to designate measures to prevent threats from releasing a hazard or measures to limit the consequences arising from the Top Event. They may be Hardware, referred to as Critical Equipment Barriers, or Human Interventions also called Critical Human Barriers.
Barriers can be hardware, human intervention, or a combination of the two. An equipment barrier could be a pressure relief valve. A human barrier could be following a procedure. A combination barrier could be a high level alarm and the operator responding to the alarm. For a barrier to be considered valid it must be effective, independent and auditable.
Barriers that prevent threats from releasing the hazard are called CONTROLS. They sit between the Hazards and the Top Event, on the left hand side of the Bow Tie.
Barriers that limit or mitigate the consequences arising from the top event are called RECOVERY MEASURES. They sit between the Top Event and the
DEFINITIONS – BARRIERS: ESCALATION FACTORS
ESCALATION FACTORS are situations, conditions or circumstances that may lead to the partial or full failure of a barrier (Controls or Recovery Measures).
Escalation Factor Examples:
Abnormal operating conditions (e.g. operating outside design envelope, loss of
power or steam etc)
Environmental variations (e.g. extreme weather that could affect instrumentation)
Barrier temporarily impaired or removed
Escalation factors are typically shown on Design Barriers of the Bow-Tie
People not doing what is expected of them (i.e. by procedures) should not be shown as escalation factors. These are critical activities that are not being done, which can result in the potential failure of a barrier. These essential human activities are captured as “HSE Critical Activities” for that barrier.
Figure: CONTROLS with an Escalation Factor (Out of Service for Maintenance) acting on a barrier
RECOVERY MEASURES
Recovery measures can vary and can be dependent on the first release
of the hazard and the potential to reduce the risk of escalation or actual
full consequence.
A bundwall in a tank farm prevents the content of one or more tanks to
flow into areas where more damage may occur, like a river. A gas
detection system detects the first gas release and can initiate an
escalation reduction measure like a deluge system, a depressuring
system or any operator intervention.
BARRIER VALIDITY
To be valid, a barrier must be:
INDEPENDENT – of the initiating event (threat) as well as the components of any other barrier already validated for the same condition. Barriers cannot be considered independent from one another if there is a Common Cause Failure (for instance, a high level alarm and high-high level alarms that are on the same transmitter are not independent)
EFFECTIVE – The barrier prevents the consequence when it functions as designed (big enough, strong enough, fast enough). Must have a Sensor,
Logic and Actuator. Examples of barriers containing these three elements are:
Trip Systems,
Alarm + Operator Intervention + Pump Shutdown Switch,
Relief Valve.
AUDITABLE – The barrier can be evaluated to verify that it can operate
correctly when it is called upon. The barrier shall reduce the risks by a factor of at least 10, i.e. Probability of Failure on Demand (PFD) is maintained at no greater than 0.1.
VALIDITY RULES FOR BARRIERS
Valid barriers can by themselves fully address the threat or consequence.
The barriers must be effective, independent and auditable.
Partially Valid (interdependent) barriers directly address the threat or
consequence but need the assistance/support of another barrier to
fully address the threat or consequence.
IMPORTANT: When a partially valid barrier is found, an attempt
should be made to combine it with a measure that will make it valid.
However, it may need to be kept separate in order to capture the
appropriate HSE-critical activities, which may be allocated to different
departments.
THE BOW-TIE MODEL
Left hand side objective: reduce likelihood (pro-active/preventative) - Control (keep within control limits)
Right hand side objective: mitigate consequences and re-instate (reactive) - Prepare for emergencies
Figure: HAZARD - THREATS - CONTROLS - Top Event - RECOVERY MEASURES - SCENARIO / CONSEQUENCES
THE BIG PICTURE
The bow-tie provides a structured approach in relation to the measures available and required to keep the process and products contained under the foreseeable circumstances.
To contain the feedstocks, processes, and products the process designer
determines the parameters that are required for the basic design of equipment and related systems.
The Basic Design is not itself counted as one of the barriers that fulfil the criteria to prevent release of the hazard, because the basic design is expected to be present anyway: it is inherently required to fulfil the objective to produce oil, manufacture hydrocarbon products and sell these.
Within the overall design, measures are incorporated to fulfil the management structure in order to avoid loss of containment and undesirable consequences.
ADDITIONAL DEFINITIONS
TOLERABLE: Minimum requirements/criteria that have to be met for
managing a risk.
ALARP: As Low As Reasonably Practicable - The point at which the
cost (in time, money and effort) of further Risk reduction is grossly
disproportionate to the Risk reduction achieved.
HOW MANY BARRIERS DO I NEED TO BE ALARP?
Downstream Manufacturing (DSM) Guidance:
Consequence | Red risk hazards with potential fatalities | Yellow risk hazards | Other yellow risk hazards
Total number of barriers | 5 | 4 | 3
Controls | 4 (or alternative: 3) | 3 (or alternative: 2) | 2
HOW MANY BARRIERS DO I NEED TO BE ALARP?
Gas Plant Guidance:
ALARP discussion to be held when sufficient barriers are in place
Notes :
1) In all cases the frequency of Initiating event (threat) should be equal to or smaller than 1 for the threat to consequence line under review.
2) Category 2 and 3 for yellow and red risks in the RAM.
Consequence (see note 2) | People 5 | People 4 | A, E, R 4&5 | P 3&2
Total number of barriers | 5 | 4 | 3 | 3
Controls | 3 (or alternative: 4) | 2 (or alternative: 3) | 2 | 2
Recovery measures | 2 (or alternative: 1) | 2 (or alternative: 1) | 1 | 1
LAYERS OF PROTECTION ANALYSIS (LOPA)
LOPA is a methodology for hazard evaluation and risk assessment which lies between the qualitative end of the scale (characterized by methods such as hazard and operability studies (HAZOP) and “what-if?”) and the quantitative end (characterized by methods using fault trees and event trees). It is mainly used in DS-M and some parts of Upstream.
LOPA helps make consistent decisions on the adequacy of the existing or proposed layers of protection against an accident scenario.
This decision-making process is ideally suited for coupling with risk-decision criteria, such as those displayed in the Risk Assessment Matrix (RAM).
LOPA – DS-M EXAMPLES
IEFs (Initiator Estimated Frequencies):
Controller failure: 1x in 10 yrs, i.e. 0.1x/yr
Pump trip: 1x in 5 yrs, i.e. 0.2x/yr
Pump seal leak: 1x in 165 yrs, i.e. 0.006x/yr
Tube rupture: 1x in 55 yrs, i.e. 0.018x/yr
Human Error (HEP): 0.001-0.003 per action
PFDs (Probabilities of Failure on Demand):
Alarm + operator action: 0.1
SIL 1: 0.1
SIL 2: 0.01
RV (Relief Valve): 0.001 (non fouling)
LOPA – TOLERABILITY AND ALARP (DS-M)
Compare the Residual Risk with Tolerability/ALARP Criteria (DS-M):
Tolerability:
for People: 10^-4 /yr (for < 10 fatalities) – existing facilities
10^-5 /yr (for > 10 fatalities) or new facilities
for Assets/Env./Rep.: 10^-3 /yr
ALARP: 10^-6 /yr … or …
the investment to reduce the risk further down from Tolerability is grossly disproportionate.
LOPA – TOLERABILITY AND ALARP (GAS PLANTS )
Gas Plant Guidance:
Minimum criteria before ALARP discussion is held
Notes:
1) In all cases the frequency of Initiating event (threat) should be equal or smaller than 1 for the threat to consequence line under review.
2) Category 2 and 3 for yellow and red risks in the RAM.
Table: residual risk criteria by consequence category (People 5, People 4, A, E, R 4&5, P 3&2; see note 2) - values not recoverable from the slide
LOPA – TOLERABILITY AND ALARP
A - Does not meet Tolerability Criteria
B – Meets Tolerability Criteria, might be ALARP
C – Meets Tolerability Criteria, might be ALARP
D – Meets Tolerability Criteria and is ALARP
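As an added worked example (not part of the TSE101 course material), the DS-M LOPA figures above can be combined into a residual-frequency check against the tolerability and ALARP criteria and the A-D outcomes. The barrier names, the scenario, and the convention that two barriers sharing one transmitter earn only a single credit (the common-cause point from the barrier validity slide) are assumptions for illustration.

```python
# Added LOPA example; not from the TSE101 course material.
# Per-year frequencies quoted on the page (DS-M guidance).
import math
from dataclasses import dataclass

TOLERABLE_PEOPLE_EXISTING = 1e-4   # < 10 fatalities, existing facilities
TOLERABLE_PEOPLE_NEW = 1e-5        # > 10 fatalities, or new facilities
TOLERABLE_ASSETS_ENV_REP = 1e-3
ALARP_TARGET = 1e-6
MAX_VALID_PFD = 0.1                # a valid barrier reduces risk by at least 10x


@dataclass(frozen=True)
class Barrier:
    name: str
    pfd: float      # probability of failure on demand
    sensor: str     # assumed attribute: transmitter/sensor the barrier relies on


def creditable(barriers):
    """Barriers that may be credited: valid (PFD <= 0.1) and independent.
    Two barriers on the same sensor share a common cause, so only the one
    with the lowest PFD is credited (assumed convention for this example)."""
    best = {}
    for b in barriers:
        if b.pfd > MAX_VALID_PFD:
            continue                       # not a valid barrier: no credit
        if b.sensor not in best or b.pfd < best[b.sensor].pfd:
            best[b.sensor] = b
    return list(best.values())


def residual_frequency(ief, barriers):
    """Residual frequency = initiating event frequency x product of credited PFDs."""
    if ief > 1.0:
        raise ValueError("initiating event frequency must be <= 1 per year (note 1)")
    freq = ief
    for b in creditable(barriers):
        freq *= b.pfd
    return freq


def exceeds(freq, threshold):
    """True when freq is above threshold beyond floating-point noise."""
    return freq > threshold and not math.isclose(freq, threshold, rel_tol=1e-9)


def classify(freq, tolerable):
    """Map a residual frequency to the A-D outcomes on the tolerability slide."""
    if exceeds(freq, tolerable):
        return "A: does not meet tolerability criteria"
    if exceeds(freq, ALARP_TARGET):
        return "B/C: meets tolerability criteria, might be ALARP"
    return "D: meets tolerability criteria and is ALARP"


# Constructed scenario: controller failure (0.1/yr) leading to overpressure.
LT1_ALARM = Barrier("High level alarm + operator action", 0.1, "LT-1")
LT1_TRIP = Barrier("High-high level SIL 1 trip", 0.1, "LT-1")   # same transmitter
RELIEF_VALVE = Barrier("Relief valve (non fouling)", 0.001, "mechanical")

if __name__ == "__main__":
    f = residual_frequency(0.1, [LT1_ALARM, LT1_TRIP, RELIEF_VALVE])
    print(f"{f:.1e} /yr -> {classify(f, TOLERABLE_PEOPLE_EXISTING)}")
```

Moving the trip to its own transmitter (a different `sensor` value) restores the third credit and brings the same scenario down to the 10^-6 /yr ALARP target.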
THE “ONION MODEL”
The “onion model” is another way, used by some businesses (mostly non-Shell), to display the bow-tie information. It depicts hazards, barriers and recovery measures, reflects the layers of protection and shows how the various measures fit together when
viewed from the perspective of the hazard.
The first layer is the basic containment of our feedstock, processes and
products.
Whilst this is the basic layer, it is not viewed as part of the HEMP bowtie methodology to identify and assess risks to the units and processes.
PROCESS/TECHNICAL SAFETY AND OPERABILITY
PRINCIPLES
Each design is risk based. We will assume that for new designs tolerability and ALARP are obtained by the application of the local legislation, codes, international standards and Shell internal practices DEM1/2, Prensap/EG’s and expert judgment.
For new Designs DEP will be ALARP. 'Shall' is a discriminator for safe design. Overpressure protection shall be preferably done by mechanically and robustly executed systems. Alternatives shall be individually assessed for acceptability. Above hydrostatic test pressure severe loss of containment will be assumed for risk based methods.
There will always be an open path between the equipment and its overpressure protection.
For risk based assessments, the hydrostatic test pressure that is compensated for the process temperature conditions will be taken as failure criteria of equipment.
Hazardous substances shall be processed via well designed and robust disposal systems.
SUMMARY
Process safety management is about “keeping the product in the pipes and tanks”
Start with a safe design and ensure that safe design is included in changes. Process safety basics: concepts, principles and assumptions
Introduction to the HSSE & SP Control Framework
AI-PSM Standard, Transition Manual, Application Manual
Design and Engineering Manual 1 (DEM1)
Applies to Assets that have hazards with RAM red and yellow 5A & 5B risks; for new projects &
modifications/changes to existing assets
Derogation process
Design and Engineering Manual 2 (DEM2)
11 Process Safety Basic Requirements (PSBRs)
Existing and new assets: also to be applied retroactively
SUMMARY (CONTINUED)
Hazards and Effects Management Process
HEMP is an umbrella concept of hazard review tools: HAZOP, EIA, HRA, PHA, PSA,
bow-tie
Bow Tie Concept
Basic definitions: hazard, top event, consequence, threat
Barriers (controls and recovery measures) must be effective, independent and
auditable
Tolerability and ALARP Concepts
Barrier counting, LOPA
The Onion Model