1.1 Introduction to Process Safety
April 8, 2017 | Author: Franklin Revilla | Category: N/A
TSE101 Technical Safety Engineering Foundation 1.1 Introduction to Process Safety
GSNL-HPTS
Copyright of Shell Projects & Technology
RESTRICTED
September 2011
LEARNING OBJECTIVES
Be able to:
- Explain why process safety is so important
- Describe the Shell HSSE & SP Control Framework and its relation to the management of Health, Safety and Environment (HSE)
- Demonstrate a familiarity with DEM1 and DEM2
- Describe the basic principles of the Hazards and Effects Management Process (HEMP), the bow-tie, and how the TSE 101 course follows the logic of the bow-tie and the Onion Model
CONTENT
- Why is safety so important?
- What is Process Safety Management?
- Course Focus
- Introduction to the HSSE & SP Control Framework
- Introduction to DEM1 and DEM2
- Hazards and Effects Management Process and Bow Tie Concept
- Tolerability and ALARP Concepts
- The Onion Model
- Process/Technical Safety and Operability Principles
WHY IS SAFETY SO IMPORTANT?
PROCESS SAFETY MANAGEMENT
Process Safety Management is about prevention of incidents resulting from unintentional release of energy or hazardous substances from assets we operate. It is about “keeping the product in the pipes and tanks”.
What is necessary to assure the integrity of our assets? Design integrity, technical integrity and operating integrity, supported by the key enablers:
- Design integrity - We design and build so that risks are As Low As Reasonably Practicable (ALARP).
- Technical integrity (maintenance, inspection, repair and assurance) - We maintain the hardware barriers.
- Operating integrity - We operate all our facilities within up-to-date operating envelopes, and we comply with procedures and standards (permit to work, overrides management, management of change, etc.).
- Key enablers - Technical Safety, People and Systems.
TSE101 COURSE FOCUS: SAFE DESIGN
The foundation to ‘keep the stuff in the pipe’: start with a safe design, i.e. in accordance with:
- The most recent applicable Shell Design and Engineering Manuals.
- Recognised industry standards, in areas outside the scope of the DEMs.
Ensure that:
- Safe design is included in changes.
- The unit is well operated.
- The unit is well maintained.
- We learn from incidents.
START WITH A SAFE DESIGN
A design starts with a process to safely make the products. The design of equipment and piping needs to contain the process under all foreseeable circumstances. How can a safe design be achieved? How safe is safe, and is safe safe enough?
- What are the boundaries available, set out by our social environment (regulators, customers, Shell)?
- Is it economic to do so?
- Think how, within the process, the hazard could be released if something goes wrong.
In Shell, we use the Hazards & Effects Management Process (HEMP) to assess this. We will have a refresher on HEMP later in this module.
PROCESS SAFETY BASICS: CONCEPTS, PRINCIPLES & ASSUMPTIONS
Design:
- Equipment design and safeguarding should be able to cope with all foreseeable process conditions, including upset scenarios.
- Equipment design conditions should not be exceeded.
- Inherently safe design should be considered versus installation of safeguarding.
- Simultaneous occurrence of independent upset scenarios is not considered in the design.
- Major loss of containment occurs when equipment material yield stress levels are exceeded (e.g. internal pressure exceeds equipment test pressure).
- Safeguarding instrumentation should be designed fail-safe.
- Mechanical protection prevails over instrumented safeguarding.
These design principles and concepts are included or applied in our DEPs, HSE reviews, etc.
PROCESS SAFETY BASICS: CONCEPTS, PRINCIPLES & ASSUMPTIONS
General:
- Operating and maintenance personnel are well trained and qualified.
- No design for sabotage, gross negligence or wilful misconduct.
- Upsets and issues within a plant unit should not be exported to other units.
Hazard Risk Management:
- Manage the hazard risk to ALARP (As Low As Reasonably Practicable).
- Minimize hazard inventory.
- Prevent or minimize hazardous releases or conditions (e.g. flammable atmospheres).
- Release prevention prevails over release mitigation.
THE “HSSE & SP CONTROL FRAMEWORK”
Defines the Group HSSE & SP requirements that are mandatory for all projects and operations:
- Simplify - to comply: simple and clear requirements to support compliance, help prevent incidents, and move towards Goal Zero.
- Standardise - a single Shell HSSE & SP Control Framework applicable to all Shell projects and operations; use of industry standards, easy to communicate with contractors; with new ways of working - Global Discipline Teams.
- Eliminate - take out duplication and layers: separate mandatory requirements from non-mandatory guidance; few layers of documentation at different organisation levels; integration with existing business processes, e.g. ORP, DCAF.
ASSET INTEGRITY – PROCESS SAFETY MANAGEMENT
The HSSE & SP Control Framework includes a section titled “Asset Integrity – Process Safety Management”. In this section, Process Safety means the management of hazards that can give rise to major accidents involving the release of potentially dangerous materials, the release of energy (such as fire or explosion), or both. (Definition taken from the Baker Report/UK Health & Safety Executive.)
Asset integrity means the ability of an asset to perform its intended function effectively… while safeguarding life and the environment.
CONTROL FRAMEWORK – AI-PSM COMPONENT DESCRIPTIONS
- AI-PSM Standard: Under the HSSE Control Framework and mandatory from Dec ’08 for all ventures under Shell’s operational control. Describes the components of AI-PSM and the associated roles and responsibilities.
- Transition Manual: Outlines the timelines for implementation of the AI-PSM Standard.
- Application Manual: Provides detailed requirements for the full implementation of the AI-PSM Standard.
- Design and Engineering Manual 1 (DEM1) – Application of Technical Standards: Identifies the Design and Engineering Practices (DEPs) which are mandatory for new assets and modifications to existing assets.
- Design and Engineering Manual 2 (DEM2) – Process Safety Basic Requirements: Identifies the Process Safety Basic Requirements (PSBRs) that are mandatory to retrofit existing assets and to build into new assets.
- Overrides of Process Safeguarding Systems: Management and operational control requirements where safeguarding systems are required to be overridden or bypassed for short periods.
DEM 1 – APPLICATION OF TECHNICAL STANDARDS
- Applies to assets that have hazards with RAM red and yellow 5A & 5B risks; for new projects and modifications/changes to existing assets.
- Going forward: design and construct to mandatory DEPs, and design risks are at ALARP.
- Accountabilities defined (Asset Mgr, Project Mgr, Delegated Technical Authority, DEP Custodian).
- All relevant Process Safety “shall” statements identified in DEM1 DEPs are mandatory.
- Primary focus is high-risk AI-PSM: RAM red and yellow 5A & 5B.
DEM 1 – APPLICATION IN DESIGN
Project requirements: projects over $100 million are to use DEM1 DEPs as from 1/1/09.
For projects under $100 million total project cost that do not involve Unusual Risk, DEM1 requires a hierarchy of decisions:
1. Apply the relevant DEPs. If not practicable,
2. Utilize another recognized standard (Shell, industry), or
3. Utilize documented risk assessment methods to design sufficient barriers to manage and document risks to ALARP.
In case of derogation from DEM1, the Delegated Technical Authority must approve the use of alternative standards, based on a documented risk assessment that demonstrates that Process Safety risks are managed to ALARP (refer to the DEM1 Derogations Procedure Guide).
DEM 2 – OVERVIEW
Process Safety Basic Requirements (PSBRs):
- 11 PSBRs.
- Based on past large industrial process safety incidents; includes reference to actual events.
- Applies to assets that have hazards with RAM red and yellow 5B risks, existing and new. DEM2 PSBRs are applied retroactively.
- Derogation/deviation from DEM2 requires approval by the RDS CEO.
- Compliance is verified in a document called the “Statement of Fitness”.
DEM 2 – PROCESS SAFETY BASIC REQUIREMENTS
PSBR | Process Safety Basic Requirement
1 | Safe siting of occupied portable buildings
2 | ESD valves on platform risers
3 | Temporary refuges
4 | Permit to Work
5 | Management of Change
6 | Avoid liquid release relief to atmosphere
7 | Avoid tank overfill followed by vapor cloud release
8 | Avoid brittle fracture of metallic materials
9 | Alarm management
10 | Sour gas (H2S)
11 | Deepwater well design and construction
HEMP (HAZARDS AND EFFECTS MANAGEMENT PROCESS)
The structured hazard analysis methodology involving hazard identification, assessment, control and recovery, and comparison with screening and performance criteria.
- HEMP is an umbrella concept of hazard review tools. Review tool examples: HAZOP, EIA (Environmental Impact Assessment), HRA (Health Risk Assessment), PHA (Process Hazard Analysis), PSA (Process Safety Assessment), bow-tie.
- Part of the HSSE Management System (MS): the outcome is linked to the other HSSE-MS elements that govern the day-to-day performance for the site.
HEMP
HEMP AND BOW-TIES
The “Bow-Tie” representation is used across the Group to demonstrate that hazards have been reviewed and that major risks are managed, that is, risks in the RAM* red and yellow 5A or 5B areas together.
So, let us have a refresher look at some basic definitions and what the “Bow-Tie” Model looks like.
Note: * For more information on the RAM, refer to the HSSE & SP Control Framework.
DEFINITIONS – HAZARD
A HAZARD is something with the potential to cause harm to People, damage to Assets, business loss and impact on the Environment or Reputation.
(Figure: crude oil shown as the example hazard.)
DEFINITIONS – TOP EVENT
A TOP EVENT is the ‘release’ of the hazard, sometimes called the first event in a chain of consequences. It is the event we do not want to happen. Common top events in our businesses are “loss of containment”, “loss of control” or “exposure to”.
(Figure: the crude oil hazard with LOSS OF CONTAINMENT as the top event, i.e. the release of the hazard.)
DEFINITIONS – CONSEQUENCE
A CONSEQUENCE is the ultimate harm that may occur due to a credible hazard release scenario: the resulting event or chain of events.
DEFINITIONS – THREAT
A THREAT is something that can cause the release of a hazard and lead to the top event. Examples of threats are corrosion, equipment failure (mechanical), excessive pressure or temperature, human factors, weather, etc.
(Figure: the crude oil hazard with EXCESSIVE PRESSURE as the example threat.)
THREAT – EXAMPLES
- Chemical: internal corrosion; external corrosion.
- Physical: fatigue; vibration; impact by falling object; collision; erosion.
- Process: excessive pressure or vacuum (while pressure itself is not a threat); excessive temperature (temperature by itself is not a threat); overfill.
- Human factor: human errors during dedicated operations (draining a tank, connecting the wrong vessel, etc.).
- Environmental: hurricane; earthquake.
THE MODEL SO FAR
(Figure: left-hand side, before the top event: HAZARD; centre: Top Event; right-hand side, after the top event: CONSEQUENCES. A hazard-to-consequence path is labelled SCENARIO.)
DEFINITIONS – BARRIERS: CONTROLS AND RECOVERY MEASURES
BARRIERS: A barrier is the common term to designate measures to prevent threats from releasing a hazard, or measures to limit the consequences arising from the Top Event. They may be hardware, referred to as Critical Equipment Barriers, or human interventions, also called Critical Human Barriers. Barriers can be hardware, human intervention, or a combination of the two. An equipment barrier could be a pressure relief valve. A human barrier could be following a procedure. A combination barrier could be a high level alarm and the operator responding to the alarm. For a barrier to be considered valid it must be effective, independent and auditable.
Barriers that prevent threats from releasing the hazard are called CONTROLS. They sit between the Hazards and the Top Event, on the left-hand side of the Bow Tie.
Barriers that limit or mitigate the consequences arising from the top event are called RECOVERY MEASURES. They sit between the Top Event and the possible Consequences, on the right-hand side of the Bow Tie.
DEFINITIONS – BARRIERS: ESCALATION FACTORS
ESCALATION FACTORS are situations, conditions or circumstances that may lead to the partial or full failure of a barrier (Controls or Recovery Measures). Escalation factor examples:
- Abnormal operating conditions (e.g. operating outside the design envelope, loss of power or steam, etc.)
- Environmental variations (e.g. extreme weather that could affect instrumentation)
- Barrier temporarily impaired or removed
Escalation factors are typically shown on design barriers of the Bow-Tie. People not doing what is expected of them (i.e. by procedures) should not be shown as escalation factors. These are critical activities that are not being done, which can result in the potential failure of a barrier. These essential human activities are captured as “HSE Critical Activities” for that barrier.
CONTROLS
(Figure: the controls on the left-hand side of the bow-tie, with “Out of Service for Maintenance” shown as an escalation factor on one of them.)
RECOVERY MEASURES
Recovery measures can vary and can be dependent on the first release of the hazard and the potential to reduce the risk of escalation or the actual full consequence.
A bund wall in a tank farm prevents the contents of one or more tanks from flowing into areas where more damage may occur, like a river. A gas detection system detects the first gas release and can initiate an escalation reduction measure like a deluge system, a depressuring system, or any operator intervention.
BARRIER VALIDITY
To be valid, a barrier must be:
- INDEPENDENT – of the initiating event (threat) as well as of the components of any other barrier already validated for the same condition. Barriers cannot be considered independent from one another if there is a Common Cause Failure (for instance, a high level alarm and a high-high level alarm that are on the same transmitter are not independent).
- EFFECTIVE – The barrier prevents the consequence when it functions as designed (big enough, strong enough, fast enough). It must have a Sensor, Logic and Actuator. Examples of barriers containing these three elements are: trip systems; alarm + operator intervention + pump shutdown switch; relief valve.
- AUDITABLE – The barrier can be evaluated to verify that it can operate correctly when it is called upon.
The barrier shall reduce the risk by a factor of at least 10, i.e. the Probability of Failure on Demand (PFD) is maintained at no greater than 0.1.
VALIDITY RULES FOR BARRIERS
Valid barriers can by themselves fully address the threat or consequence. The barriers must be effective, independent and auditable.
Partially valid (interdependent) barriers directly address the threat or consequence but need the assistance/support of another barrier to fully address the threat or consequence.
IMPORTANT: When a partially valid barrier is found, an attempt should be made to combine it with a measure that will make it valid. However, it may need to be kept separate in order to capture the appropriate HSE-critical activities, which may be allocated to different departments.
THE BOW-TIE MODEL
(Figure: HAZARD on the left; THREATS pass through CONTROLS to the Top Event in the centre; from the Top Event, RECOVERY MEASURES lead to the CONSEQUENCES on the right. A hazard-to-consequence path is labelled SCENARIO.)
- Controls: control (keep within control limits). Objective: reduce likelihood (pro-active/preventative).
- Recovery measures: prepare for emergencies. Objective: mitigate consequences and re-instate (reactive).
THE BIG PICTURE
The bow-tie provides a structured approach to the measures available and required to keep the process and products contained under the foreseeable circumstances. To contain the feedstocks, processes and products, the process designer determines the parameters that are required for the basic design of equipment and related systems. The basic design itself is not counted as one of the barriers that fulfil the criteria to prevent release of the hazard, because the basic design is expected to be present anyway: it is inherently required to fulfil the objective to produce oil, manufacture hydrocarbon products and sell these. Within the overall design, measures are incorporated to fulfil the management structure in order to avoid loss of containment and undesirable consequences.
THE BIG PICTURE
ADDITIONAL DEFINITIONS
TOLERABLE: Minimum requirements/criteria that have to be met for managing a risk.
ALARP: As Low As Reasonably Practicable - the point at which the cost (in time, money and effort) of further risk reduction is grossly disproportionate to the risk reduction achieved.
ALARP DETERMINATION PROCESS - OVERVIEW
HOW MANY BARRIERS DO I NEED TO BE ALARP?
Downstream Manufacturing (DSM) Guidance:
Consequence | Red Risk Hazards | Yellow Risk Hazards with Potential Fatalities | Other Yellow Risk Hazards
Controls | 3 (or alternative: 4) | 2 (or alternative: 3) | 2
Recovery Measures | 2 (or alternative: 1) | 2 (or alternative: 1) | 1
Total Number of Barriers | 5 | 4 | 3
HOW MANY BARRIERS DO I NEED TO BE ALARP?
Gas Plant Guidance: the ALARP discussion is to be held when sufficient barriers are in place.
Consequence | People 5 | People 4 | A, E, R 4&5 | P 3&2 (2)
Controls | 3 (or alternative: 4) | 2 (or alternative: 3) | 2 | 2
Recovery measures | 2 (or alternative: 1) | 2 (or alternative: 1) | 1 | 1
Total number of barriers | 5 | 4 | 3 | 3
Notes: 1) In all cases the frequency of the initiating event (threat) should be equal to or smaller than 1 for the threat-to-consequence line under review. 2) Category 2 and 3 for yellow and red risks in the RAM.
LAYERS OF PROTECTION ANALYSIS (LOPA)
LOPA is a methodology for hazard evaluation and risk assessment which lies between the qualitative end of the scale (characterized by methods such as hazard and operability (HAZOP) studies and “what-if?”) and the quantitative end (characterized by methods using fault trees and event trees). It is mainly used in DS-M and some parts of Upstream. LOPA helps make consistent decisions on the adequacy of the existing or proposed layers of protection against an accident scenario. This decision-making process is ideally suited for coupling with risk-decision criteria, such as those displayed in the Risk Assessment Matrix (RAM).
LOPA – ADDITIONAL DEFINITIONS
LOPA – DS-M EXAMPLES
IEFs (Initiator Estimated Frequencies):
Initiator | Frequency
Controller failure | 1x in 10 yrs, i.e. 0.1x/yr
Pump trip | 1x in 5 yrs, i.e. 0.2x/yr
Pump seal leak | 1x in 165 yrs, i.e. 0.006x/yr
Tube rupture | 1x in 55 yrs, i.e. 0.018x/yr
Human Error (HEP) | 0.001-0.003 per action
PFDs (Probabilities of Failure on Demand):
Layer | PFD
Alarm + operator action | 0.1
SIL 1 | 0.1
SIL 2 | 0.01
RV (Relief Valve) | 0.001 (non-fouling)
Residual Risk of a scenario = IEF x PFD1 x PFD2 x …… = …… x/yr
LOPA – TOLERABILITY AND ALARP (DS-M)
Compare the Residual Risk with the Tolerability/ALARP criteria (DS-M):
Tolerability:
- for People: 10^-4 /yr (for < 10 fatalities) – existing facilities; 10^-5 /yr (for > 10 fatalities) or new facilities
- for Assets/Env./Rep.: 10^-3 /yr
ALARP:
- 10^-6 /yr … or …
- The investment to reduce the risk further down from Tolerability is grossly disproportionate.
LOPA – TOLERABILITY AND ALARP (GAS PLANTS)
Gas Plant Guidance: minimum criteria before the ALARP discussion is held.
Consequence | Residual risk frequency per year
People 5 | 10^-5
People 4 | 10^-4
A, E, R 4&5 | 10^-3
P 3&2 (2) | 10^-3
Notes: 1) In all cases the frequency of the initiating event (threat) should be equal to or smaller than 1 for the threat-to-consequence line under review. 2) Category 2 and 3 for yellow and red risks in the RAM.
LOPA – TOLERABILITY AND ALARP
(Figure: regions of the risk chart, labelled as follows.)
- A – Does not meet Tolerability Criteria
- B – Meets Tolerability Criteria, might be ALARP
- C – Meets Tolerability Criteria, might be ALARP
- D – Meets Tolerability Criteria and is ALARP
THE “ONION MODEL”
The “onion model” is another way used by some businesses (mostly non-Shell) to display the bow-tie information. It depicts hazards, barriers and recovery measures, reflects the layers of protection, and shows how the various measures fit together when viewed from the perspective of the hazard. The first layer is the basic containment of our feedstock, processes and products. Whilst this is the basic layer, it is viewed as not part of the HEMP bow-tie methodology to identify and assess risks to the units and processes.
PROCESS/TECHNICAL SAFETY AND OPERABILITY PRINCIPLES
- Each design is risk based. We will assume that for new designs tolerability and ALARP are obtained by the application of the local legislation, codes, international standards and Shell internal practices (DEM1/2, Prensap/EGs) and expert judgement. For new designs, DEP will be ALARP.
- ‘Shall’ is a discriminator for safe design.
- Overpressure protection shall preferably be done by mechanically and robustly executed systems. Alternatives shall be individually assessed for acceptability.
- Above hydrostatic test pressure, severe loss of containment will be assumed for risk based methods.
- There will always be an open path between the equipment and its overpressure protection.
- For risk based assessments, the hydrostatic test pressure, compensated for the process temperature conditions, will be taken as the failure criterion of equipment.
- Hazardous substances shall be processed via well designed and robust disposal systems.
SUMMARY
- Process safety management is about “keeping the product in the pipes and tanks”.
- Start with a safe design and ensure that safe design is included in changes.
- Process safety basics: concepts, principles and assumptions.
- Introduction to the HSSE & SP Control Framework: AI-PSM Standard; Transition Manual; Application Manual.
- Design and Engineering Manual 1 (DEM1): applies to assets that have hazards with RAM red and yellow 5A & 5B risks, for new projects and modifications/changes to existing assets; derogation process.
- Design and Engineering Manual 2 (DEM2): 11 Process Safety Basic Requirements (PSBRs); existing and new assets, also to be applied retroactively.
- Overrides of Process Safeguarding Systems.
SUMMARY (CONTINUED)
- Hazards and Effects Management Process: HEMP is an umbrella concept of hazard review tools: HAZOP, EIA, HRA, PHA, PSA, bow-tie.
- Bow Tie Concept: basic definitions (hazard, top event, consequence, threat); barriers (controls and recovery measures) must be effective, independent and auditable.
- Tolerability and ALARP Concepts: barrier counting; LOPA.
- The Onion Model.
- Process/Technical Safety and Operability Principles.