Allison De Man
ACM Facility Safety
#300, 926 5th Avenue
Calgary, AB, Canada, T2P 0N7
1400 Ravello Dr
Houston, Texas USA 77449
Prepared for Presentation at American Institute of Chemical Engineers
2017 Spring Meeting and 13th Global Congress on Process Safety
San Antonio, TX
March 26 – 29, 2017
Process Hazard Analysis (PHA) studies are required to identify process and operations risks for process plants. PHAs enable management and process safety staff to make decisions that improve safety performance, minimize downtime, and optimize utilization.
Operating companies also must make these key decisions under financial capital constraints and ensure maximum return on investment for safety. These decisions require a clear understanding of the interconnectivity of the risks associated with a facility’s operations which are captured in a PHA. Most PHA studies generate recommendations based on residual risk and consequence levels, but they do not directly address how safeguards and recommendations are linked to the hazard scenarios. By improving the way PHA data are analyzed, using data analytics, additional insight is generated that is typically hidden, or not considered, when traditional PHA approaches are followed. These insights include more intuitive identification of critical safeguards (barriers), better prioritization of recommendations from a cumulative risk perspective, and visual aids to improve awareness and communication of risk drivers to operational staff and decision makers.
Traditional PHAs require a substantial investment in time and resources, which results in a potential gold mine of useful data that can be further extracted and exploited. With an ever shifting focus on new technology and innovation, data analytics is the next key step for improving risk management practices within organizations and the industry as a whole. Taking PHA data analytics further, “Big Data” data mining techniques can be utilized to extract information from the collected data and expose trends and patterns in industry PHA data. These trends can be benchmarked across various industries providing an advanced level of decision making insight not available from a single PHA. Statistical analysis of the trends and deviations, along with analysis of incident data can also predict increasing levels of risk, thus creating strong leading indicators to aid in decision making before incidents occur. This paper showcases a case study for a unit within a refinery which demonstrates how application of PHA with data analytics can greatly improve decision making.
Process Hazard Analysis (PHA) studies are used, and in some countries required by regulatory bodies, to identify process and operations risks for process plants. These studies enable management and process safety staff to make decisions that improve safety performance and reduce health and safety and environmental impacts while minimizing downtime and optimizing process utilization. Operating companies must make these key decisions under financial capital constraints and ensure maximum return on investment for safety. These decisions require a clear understanding of the interconnectivity of the risks associated with a facility’s operations and processes which are captured in a PHA. Most PHA studies generate recommendations based on intolerable risk scenarios, but they do not directly address how safeguards and recommendations are linked to the hazard scenarios. Traditional PHAs require a substantial investment in time and resources, which results in a potential gold mine of useful data that can be further extracted and exploited. With an ever shifting focus on new technology and innovation, data analytics is the next key step for improving risk exposure practices within organizations and the industry as a whole.
By improving the way PHA data is analyzed using data analytics, additional insight is generated that is typically hidden, or not considered. The information provided by data analytics can guide the decision-making process throughout the life cycle of a facility including front-end engineering design, detailed engineering, operation and decommissioning. These insights include:
- more intuitive identification of critical safeguards (barriers);
- better prioritization of recommendations from a cumulative risk exposure perspective and;
- awareness and communication of risk drivers to operational staff and decision makers with visual aids;
- ability to provide benchmarking comparisons within an organization or across industry.
This case study demonstrates how application of PHA with data analytics can greatly improve decision making. The case study focused on a Hazard and Operability (HAZOP) study performed on a hydrocracker process unit to be built at a refinery and petrochemical complex. The Center for Chemical Process Safety’s (CCPS) publication on Layers of Protection Analysis (LOPA) was used for the case study when risk reduction credits were applied to safeguards and recommendations .
2 Process Hazard Analysis Summary
This section provides a summary of the PHA details. These details include the number of causes identified in the PHA and the number of resulting consequences, as well as the number of safeguards and recommendations used for risk reduction. Some existing information in the PHA can be analyzed as was recorded in the PHA, but other information, such as causes, consequences, or safeguards, needs to be classified into categories to allow further analysis. Risk rankings can usually be analyzed as recorded in the PHA session by counting up the risk ranking results for all the scenarios analyzed in the PHA. However, some PHAs may only have one or two risk rankings completed in the session. Depending on the risk ranking methodology and the information recorded in the PHA, it is possible to back calculate and/or forward calculate the risk ranking to provide the full spectrum of risk rankings before safeguards, after safeguards and after recommendations. Additionally, some PHA methodologies include assigning categories to elements such as causes (e.g. equipment failure, human failure), safeguards (e.g. alarm, mechanical) and recommendations (e.g. design review, procedure). If that information is available, it can speed up the analysis process as it can likely be analyzed as is. However, if that information is not available the data conditioning process will include assigning relevant categories. Furthermore, the analysis requires a clear understanding of which safeguards and recommendations were taken credit for (provide risk reduction) in the PHA. This information will also have to be conditioned if it was not directly recorded in the PHA. PHA facts for the Hydrocracker PHA analyzed in this case study are shown in Table 1.
Table 1 Hydrocracker PHA Information
|No. of Credible Causes||375|
|No. of Total Consequence Scenarios||738|
|No. of Risk-reducing Safeguards||346|
|No. of Risk-reducing Recommendations||37|
2.1 Cause Type Distribution
Part of the cause classification process is to assign categories to every valid cause in the PHA. Causes that contain phrases such as “no concerns identified” or “no credible cause” are not assigned a cause category. Cause categories include Equipment Failure, Human Failure and External Event causes. Some causes are assigned a category of undetermined as the root cause was not clearly identified or described in the PHA. Table 2 shows the breakdown of cause categories identified in the Hydrocracker PHA.
Table 2 Cause Distribution by Cause Category 
|No. of Equipment Failure||313|
|No. of Human Failure||41|
|No. of External Event||2|
|No. of Undetermined||19|
2.2 Consequence Type Distribution
Consequences resulting from a cause are identified in the PHA along with the risk receptors that are impacted. The Hydrocracker unit PHA considered Health and Safety (H&S), Public Image (PUBIMG), Asset (ASSET), and Business Interruption (BI) impact scenarios. Table 3 shows the distribution of the consequences identified.
Table 3 Scenario Distribution by Consequence Category
|No. of Health and Safety (H&S)||95|
|No. of Public Image (PUBIMG)||95|
|No. of Asset (ASSET)||184|
|No. of Business Interruption (BI)||364|
2.3 Risk Profile
By understanding the breakdown of scenarios by risk level before safeguards, after safeguards and after recommendations, clarity is gained on the actual level of risk in the facility and the impact of existing safeguards and recommendations to reach tolerable levels of risk as defined by the PHA team and the Corporate Risk Matrix. Risk Rankings after implementation of recommendations were not captured during the PHA study, but were assigned a credit outside of the study for the purpose of this analysis. The risk profile for the case study, which includes risk levels before safeguards, after safeguards and after recommendations is shown in Figure 1.
Figure 1 A) shows the risk rankings of all 738 scenarios identified in the PHA study before taking credit for safeguards or mitigating factors. This can be considered the inherent risk of the facility or unit if protection layers such as alarms, shutdowns, safety valves and operator rounds are not in place. A combined total of 71% of the scenarios risk ranked had risk levels as High (III) and Very High (IV) before safeguards. 3.4% of the scenarios were risk ranked as Low (I) risk before safeguards. When interpreting inherent risk, a higher percentage of low risk scenarios indicates a more inherently safe facility.
Figure 1 B) shows the risk rankings of all 738 scenarios identified in the PHA study after safeguards were credited for risk reduction. This can be considered the “residual” risk of the facility/unit as per the current operation assuming all risk reducing safeguards are functional and utilized. The greater the percentage reduction of High (III) and Very High (IV) risk scenarios when compared to Figure A) Risk Before Safeguards, the more effective the utilization of safeguards. 95.6% of the High (III) and Very High (IV) risk scenarios are mitigated to Medium (II) or Low (I) with existing safeguards.
Figure 1 C) shows the risk rankings of all 738 scenarios identified in the PHA study, assuming all risk reducing recommendations made by the PHA team were implemented. The number of High (III) and Very High (IV) risk scenarios reduced to Medium (II) or Low (I) risk by recommendation implementation is approximately 1.9%. This chart shows that even if all the additional mitigation for risk reduction proposed in recommendations were implemented, 1.8% of the scenarios would still remain at a High (III) risk. High (III) risk scenarios may require additional mitigation or appropriate management level signoff as defined by the Corporate risk matrix.
Figure 1 Risk Rankings A) Before Safeguards, B) After Safeguards and C) After Recommendations
2.4 Safeguard Distribution
Detailed safeguard categories were assigned to each safeguard and recommendations based on the safeguard details provided in the PHA file. This safeguard and recommendation classification is required to process the respective analytics. The safeguards and recommendations are classified within the following categories shown in Table 4.
Table 4 Safeguard and Recommendation Categories
|PSV||Pressure Safety Valves||Mechanical|
|Mechanical||Mechanical (e.g. Check Valves, Restriction Orifices, Dual Mechanical Seals)||Mechanical|
|Alarm with Operator Action||Alarm through the Primary Control Panel with defined operator action to address process excursion||Personnel Reliant|
|Automated Shutdown||Automated action/shutdown through the Primary Control Panel||Automated Action|
|Automated Control||Automated control action (without shutdown) through the Primary Control Panel||Automated Action|
|SIS||Safety Instrumented System||Automated Action|
|Operating Procedure||Operating procedure followed for a certain activity.||Personnel Reliant|
|Operator Round||Operator rounds (regular monitoring, and sampling activities)||Personnel Reliant|
|Inherent Design||Existing Equipment Inherent to the Design|
|Other||Other types of Safeguards (e.g., Spare Equipment)|
|Process Design Review||This category applies to Recommendations only. An action must be taken, but the PHA Team did not have a clear solution in the session, so the determination of the solution was deferred to outside of the session.|
Understanding the PHA safeguard category distribution can lead to further insight and understanding with respect to the balance of safeguards, the risk reduction provided, and the efforts in place to ensure the integrity of all types of safeguards. Figure 2 A) shows the distribution of safeguard categories for the nodes reviewed in the PHA session. Each safeguard which provides risk reduction is counted once, regardless of how many scenarios it is applied to in the PHA. Figure 2 B) shows the distribution by safeguard category of risk reduction credit taken in the PHA (how many credits the safeguards were given and how many scenarios the safeguard was applied to).
Figure 2 A) shows the safeguard category distribution of the 346 unique safeguards used for risk reduction in the PHA. Figure 2 B) shows the safeguard category distribution of the 1,513 risk reduction credits taken in the PHA (see notes below figure). By taking a ratio between the number of risk reduction credits provided for each category of safeguards and the number of unique safeguards in that category, an approximation of the risk reduction return on investment (ROI) for each safeguard in that category can be determined. The greater the ratio the higher the average utilization of each unique safeguard of that category. Additionally, each safeguard category has a different capital cost and operating cost associated with maintenance of that safeguard type. This cost information could be evaluated along with the ratio of safeguard risk reduction to unique safeguard, to provide the operating company with an estimate on ROI (in terms of risk reduction) achieved.
Figure 2 Safeguard Distribution by A) Unique Safeguards B) Risk Reduction from Safeguards*
* All PSV safeguards were given 2 “credits” for risk reduction as pressure relief devices were assumed to provide two levels of protection for the purposes of this study.
* SIS were assigned 1 “credit” only in the PHA. Additional SIS crediting was deferred to a further LOPA study.
* Most operating procedure safeguard descriptions were generically recorded as “Operating Procedure” in the PHA. This means that “Operating Procedure” was counted as 1 unique safeguard in the PHA, when in reality they may be referring to 10 or 20 different unique procedures.
2.5 Recommendation Distribution
Understanding the overall PHA safeguard distribution (existing safeguards and recommended safeguards) can lead to further discussion and understanding with respect to the types of recommendations made, the risk reduction provided, the efforts in place to implement the recommendation, and the resulting balance of overall safeguards. Figure 3 A) shows the overall unique safeguard and recommendation distribution by safeguard category for the nodes reviewed in the PHA session. Figure 3 B) shows the risk reduction credit taken for overall safeguards in the PHA by safeguard category. The same assumptions considered for the credits applied to safeguards were also applied to the recommendations.
Figure 3 A) shows that 9.8% of unique overall safeguards are recommendations. Existing safeguards make up the remaining 90.2% of the overall unique safeguards. Figure 3 B) shows a 4.2% reliance on recommendations for risk reduction in the PHA study. Existing safeguards provide 95.8% of the risk reduction. The higher the overall reliance on recommendations for risk reduction, the more important it is to ensure proper evaluation and timely implementation of the recommendations to ensure the significant risk gaps are closed.
It is also important to understand the relationship between the risk reduction credits to unique safeguard numbers calculated for each overall safeguard type. In instances where the ROI change with recommendations is significant, it is important to consider if the change is in a desirable manner for the organization and their specific operating philosophies. Considering these factors along with the capital and operating costs for each safeguard type can provide additional insight into the ROI of the recommendations.
Figure 3 Overall Safeguard (SG) and Recommendation (REC) Distribution by A) Unique B) Risk Reduction
3 Critical Top 3
3.1 Criticality Methodology
The criticality calculations provide further insight on the risk reduction provided by safeguards, and recommendations, and the risk contribution from causes. The criticality calculations take into consideration the severities, likelihoods (before or after safeguards) and tolerable likelihoods of the scenarios. Each severity value on a Risk Matrix can be associated with a tolerable likelihood (probability of occurrence). These tolerable likelihood levels are usually identified on the Corporate Risk Matrix and are based on the operating company’s risk tolerance.
Safeguard criticality takes into consideration the risk of the scenario with and without that safeguard when determining safeguard risk reduction contribution values, whereas recommendation criticality takes into consideration the residual risk after safeguards to determine the risk reduction contribution value for each recommendation. Cause criticality has two methods, one which considers the inherent risk (risk ranking before safeguards) and one which considers the residual risk (risk ranking after safeguards) associated with the cause. The Critical Top 3 section is a snap shot in time that needs to be continually updated as recommendations are implemented and safeguards are taken in and out of service, to provide an updated view of risk in the facility.
The cumulative risk contribution value (criticality) for each cause, safeguard and recommendation was determined by uploading the PHA results into SafeGuard Profiler (a Safety Integrity Level Determination (SIL-D) tool). SafeGuard Profiler analyzes cause, safeguard and recommendation distribution across hazardous scenarios by generating failure tables for each unique instance. Initiating Event Frequencies (IEF) were assigned based on the cause likelihoods selected by the PHA Team. For this case study, a Probability of Failure on Demand (PFD) of 0.1 was assigned to each safeguard/recommendation given 1 “credit” of risk reduction in the PHA. Safeguards/recommendations given 2 “credits” were assigned a PFD of 0.01 and safeguards/recommendations given 3 “credits” were assigned a PFD of 0.0011. In this case study no safeguards/recommendations were shown to provide 3 credits of risk reduction. Companies can use specific IEFs and PFDs from their internal equipment databases for the cumulative risk contribution calculations to improve the precision of the calculations. Safeguards and recommendations reviewed in this report are assumed to be specific, independent, dependable and auditable.
3.2 Safeguard Criticality
Safeguard Criticality provides a further insight on the risk reduction provided by each safeguard. The safeguard criticality calculation not only counts the number of instances a safeguard was used in the PHA, but also considers the severity and likelihood of each consequence where the safeguard was used. For instance, the criticality of a safeguard that is used to reduce the risk of a fatality would be higher than the criticality of a safeguard used to reduce the risk of a first aid.
Cumulative risk reduction contribution is used to represent the risk exposure in a facility when a safeguard is not available to provide risk reduction as identified in the PHA (e.g. bypassed). The greater the cumulative risk reduction contribution is for a safeguard, the more critical that safeguard becomes. This information can be used for training and awareness to ensure that all personnel have an understanding of critical safeguards, especially when the critical safeguards are human dependent safeguards such as operator response and procedures. It is important that a classification and understanding of critical safeguards exists in the facility, so that critical safeguards are not taken out of service without adequate considerations and safety contingencies in place.
3.2.1 Top 3 Critical Safeguards
All Top 3 critical safeguards were found to be alarm with operator action safeguards that contribute to 32.7% of the overall cumulative risk reduction contribution provided by safeguards in the PHA. Figure 4 shows the Top 3 critical safeguards identified in the PHA.
Figure 4 Top 3 Critical Safeguards
Figure 4 shows that the top critical safeguard contributes equally to providing risk reduction for H&S, ASSET, and PUBIMG scenarios. The second and third critical safeguards contribute only to providing risk reduction for BI scenarios. All of the top 3 critical safeguards are alarm with operator action safeguards. This is significant as human dependent safeguards have a large range of reliability . This high reliance on personnel related safeguards indicates an increased importance of routine training to ensure the reliability of these safeguards remains high.
3.2.2 All Data Safeguard Criticality
The top 3 critical safeguards provide clear information on which three safeguards are responsible for providing the most risk reduction for the area analyzed in the PHA. However, it is important to consider the remaining safeguards and evaluate the value that they provide.
Figure 5 and Figure 6 below, shows the relative criticality of the top 50 safeguards used for risk reduction within the PHA by cumulative risk reduction contribution by consequence receptor and safeguard category type respectively. The safeguards are identified by a unique safeguard number and category. A total of 346 safeguards were used in the PHA for risk reduction; additional safeguards were listed in the PHA, but were not included in the analysis as they did not provide risk reduction. Insight gained from the criticality analysis can influence maintenance and reliability spending by showing which individual safeguards provide significant risk return and which safeguards provide very little.
Figure 5 shows the top 50 critical safeguards by the cumulative criticality contribution to each receptor category based on the risk reduction contribution values calculated for each unique safeguard. For all 346 safeguards in the PHA, 43.0% of the cumulative criticality was associated with BI scenarios and 23.8% of the criticality responded to H&S scenarios. The remaining 18.5% and 14.8% responded to ASSET and PUBIMG scenarios, respectively. It is important to understand the consequence receptor contribution to each unique safeguard as each operating company may place a higher emphasis on understanding and maintaining safeguards that are primarily contributing to specific consequence receptors such as H&S. For instance, contribution of the overall third most critical safeguard (247) compared with the fourth most critical safeguard (100) toward H&S is significantly lower. Therefore, if the safeguard criticality contribution towards H&S is deemed to be more significant than the contribution of other receptors, safeguard 100 would be more critical than safeguard 247.
Figure 5 Safeguard Cumulative Risk Reduction Contribution by Consequence Receptor
Figure 6 shows the top 50 critical safeguards by safeguard category. These safeguards provide 90.0% of the cumulative criticality in the PHA.
Figure 6 Cumulative Risk Reduction Contribution by Safeguard Category
3.3 Recommendation Prioritization
Recommendation prioritization was conducted using a similar methodology as safeguard criticality as described in section 3.1. However, instead of determining the criticality by evaluating the impact of removing the safeguard in question, the cumulative risk reduction contribution for recommendations is determined by calculating the impact of implementing one risk reducing recommendation at a time. This means that when multiple recommendations are applied to the same scenario their collective impact on reducing the risk is not considered as recommendation prioritization only considers the impact of one recommendation at a time. This means that when decisions are made to implement a recommendation; its impact on the criticality/prioritization of other safeguards/recommendations needs to be considered. Implementing one recommendation may discount the need for an additional recommendation for the same scenario. Therefore, recommendation prioritization and safeguard criticality are snap shots in time that can be continually updated as recommendations are implemented and safeguards are taken out of service, to provide an understanding of risk in a facility. Recommendation prioritization can also help with the justification of recommendations related to scenarios in ALARP (As Low As Reasonably Practicably) regions of risk as the analysis provides an understanding of the cumulative risk reduction impact of the recommendation. Recommendation prioritization assumes all risk reducing safeguards identified in the PHA are functioning correctly.
3.3.1 Top 3 Critical Recommendations
The top 3 recommendations were found to contribute to 65.5% of the cumulative risk reduction provided by all risk reducing recommendations. Figure 7 shows the top 3 critical recommendations identified in the PHA.
Figure 7 Top 3 Critical Recommendations
Figure 7 shows that the top recommendation identified in the PHA (R37) is for an automated shutdown safeguard. The second and third critical recommendations are both related to the inherent design of the system. The first and second most critical recommendations contribute equally to providing risk reduction for H&S, ASSET, and PUBIMG scenarios. The third most critical recommendation contributes only to providing risk reduction for BI scenarios. It is interesting to note that all the Top 3 critical recommendations are related to vendors, which is likely explained by the fact that this PHA occurred during the design phase.
Recommendation prioritization is a snap shot in time analysis that provides information on which recommendation is most critical at a given time. In this case study the top two priority recommendations (Rec. # 37 and Rec #2) were used for mitigation on the same scenario (Rec # 37 was also used independently on additional scenarios which increased its overall criticality contribution value). Since recommendation prioritization evaluates the recommendations independently of each other, each recommendations was found to be critical to reduce the residual risk of the scenario. If one of these recommendations were implemented it would result in a drastic decrease in priority of the other recommendation as the residual risk of the specific scenario would be lower. An iterative method for recommendation prioritization is being developed to determine the ideal implementation order of recommendations giving consideration to the relationship between recommendations and the scenarios they share.
3.3.2 All Data Recommendation Prioritization
The criticality contribution values of all 37 risk reducing recommendations identified in the PHA are shown in Figure 8 below by contribution of consequence receptor. Recommendation criticality can also be broken down recommendation category type similar to Figure 6 (data not shown). The recommendations are identified by a recommendation number and category. Thirty-seven (37) recommendations were used in the PHA for risk reduction.
Figure 8 shows the prioritization of the recommendations by cumulative risk reduction contribution broken down by the criticality contribution to each consequence receptor. For all 37 recommendations in the PHA, 40.8% of the cumulative criticality was associated with BI scenarios and 20.1% of the criticality responded to H&S scenarios. The remaining 19.9% and 19.2% responded to ASSET and PUBIMG scenarios, respectively. It is equally important to understand the consequence receptor contribution to each unique recommendation as each operating company may place a higher emphasis on implementing recommendations that are primarily contributing to specific consequence receptors such as H&S. For instance, recommendations 16, 43, 17, and 26 are all shown to primarily contribute to reducing the risk of BI scenarios. Depending on the operating company, BI recommendations may not be weighted as highly as recommendations that contribute to H&S consequences like recommendation 41.
67.6% of the cumulative risk reduction contribution for recommendations comes from inherent design safeguards. In this case study the majority of the inherent design recommendations were to improve the reliability of the valve whose failure would lead to the hazardous scenario. The top 12 recommendations in Figure 8 (from left to right) are responsible for providing 97.5% of the overall cumulative risk reduction contribution of the recommendations. It would be important to evaluate the individual scenarios that require the remaining 25 recommendations as the risk reduction return on investment may not be very high given the low cumulative risk reduction contribution value. A cost benefit analysis type study can be used to verify the feasibility/need of implementing these recommendations.
Figure 8 Recommendation Cumulative Risk Reduction Contribution by Consequence Receptor
3.4 Cause Criticality
There are two methods for calculating cause criticality: one that takes into consideration the inherent risk level using the risk rankings before safeguards, and one that looks at the residual risk level of the cause considering the risk ranking after safeguards.
3.4.1 Inherent Risk Cause Criticality
Inherent cause criticality gives a clear understanding of the causes that pose the largest inherent threat to the facility. The inherent risk contribution does not take into consideration any safeguards or recommendations when evaluating the risks associated with the cause. Therefore, there is often a relationship between critical inherent causes and critical safeguards, as those safeguards are extremely important to reduce the inherent risks associated with these critical causes.
3.4.2 Top 3 Inherent Risk Causes
Figure 9 shows the Top 3 inherent causes identified in the case study.
Figure 9 Top 3 Inherent Risk Causes
Figure 9 shows that the top 3 critical causes identified are all related to equipment failure threats. Almost half of the risk contribution of the first critical cause is towards H&S scenarios. The remaining risk contribution is towards ASSET and PUBIMG scenarios with a small risk contribution towards BI scenarios. The second and third most critical causes provide equal risk contribution to H&S, ASSET, BI and PUBIMG scenarios. The top inherent cause is the same scenario that the highest critical safeguard is on. The second and third inherent causes are scenarios that the 4th most critical safeguard is on (see Figure 6). Similar to safeguards, the relative criticality of the inherent risk causes can also be displayed graphically by cause type as well as consequence receptor contribution (data not shown).
3.4.3 Residual Risk Cause Criticality
Residual risk cause criticality gives a clear understanding of the causes that pose the greatest risk to you today (before implementation of recommendations) assuming all safeguards are functioning as identified in the PHA. It is often found that the top 3 critical causes, using the residual methodology, are related to the top 3 Recommendations as the recommendations are there to reduce the risk to a tolerable level.
3.4.4 Top 3 Critical Residual Causes
Figure 10 shows the Top 3 Residual causes identified in the case study.
Figure 10 Top 3 Residual Threats
Figure 10 shows that all of the top 3 residual causes are related to equipment threat scenarios. The top most critical cause shows equal risk exposure to H&S, ASSET, and PUBIMG scenarios. The second and third most critical causes shows equal risk exposure to H&S, ASSET, and BI scenarios and a small risk exposure towards PUBIMG scenarios. In this case study the top 2 critical recommendations identified (Rec #37 and Rec #2) were both used for mitigation on the top residual cause.
In this case, the top residual risk cause is also the same as the top inherent risk cause. This cause (UV-7 fails in the closed position) identified resulted in 8 inherently high risk or very high risk consequences. Existing safeguards were able to provide mitigation for 5 of the inherently high or very high risk consequences reducing the residual risk to a medium (tolerable risk). However, 3 of the inherently high or very high risk consequences were not reduced to an acceptable level with existing safeguards leaving a high intolerable risk for the recommendations to reduce. The second and third critical residuals causes relate to high risk scenarios that had no safeguards or recommendations listed for mitigation in the PHA. It is likely that these scenarios were being questioned for their feasibility as there was a comment making reference to a Parking Lot item. Additionally, it is possible that these high risk scenarios were deferred to a more detailed study such as a LOPA. If these scenarios are found to be feasible, it will be important to ensure safeguards and/or recommendations are identified for these scenarios to reduce the residual risk contribution of these causes. Similar to safeguards, the relative criticality of the residual risk causes can also be displayed graphically by cause type as well as consequence receptor contribution (data not shown).
4 Report Card Metrics and Comparison
The Report Card provides comparisons between “You” and Others” for three consequence categories (Health and Safety, Environment and Asset). This case study focuses on 4 metrics: Equipment Threats; Human Threats; Reliance on Personnel; and Inherent High Risk Before Safeguards. The main purpose of the report card metrics is to raise flags where differences were found between the results of “You” and “Others” to prompt further analysis into the cause of the deviation. For this case study the hydrocracker unit PHA featured in the analysis above is the “You” and the results of Other hydrocracker process unit PHA studies were averaged to determine the values for “Others”.
The comparisons can be conducted on the metric results of the whole PHA, specific process units or nodes within the PHA or on cause-consequence pair scenarios involving specific pieces of equipment. For this case study, the comparisons are focused on the cause-consequence pair scenarios involving the fractionator. Two of the critical causes identified in the hydrocracker unit PHA analyzed in this study were on the fractionator. Other hydrocracker units were identified and the cause-consequence pair scenarios involving product fractionators were extracted for the analysis. Each of the Other files were analyzed individually then averaged to generate the “Others” value for the purpose of the benchmarking analysis. The standard deviation of the “Others” values is used to determine the color of the “You” bar. If the “You” value falls within one half standard deviation above or below the “Others” distribution then the bar will be green. If the “You” value falls between one half standard deviation and one standard deviation of the “Others” distribution then the bar will be yellow. If the “You” value is greater than one standard deviation of the “Others” distribution then the bar will be red.
The report card section focuses on the results for the three most commonly analyzed consequence receptors, health and safety (H&S), environmental (ENV), and asset (ASSET). The hydrocracker unit PHA utilized in this study did not consider environmental impact scenarios. Therefore, there are no report card values for “You” under the environmental column.
4.1 Equipment and Human Threats
The equipment and human threat metrics look at the percentage of causes leading to hazardous consequences that are equipment failure or human failure related. There is a strong relationship between these metrics as the majority of causes identified in the PHA can be classified as either equipment failure or human failure related. The remaining causes are either classified as external event or undetermined. The undetermined category is assigned to causes that that do not have a clear root cause identified in the description. The equipment threat and human threat metrics help provide clarity into what is causing the majority of potential consequences in the PHA. Ultimately, these insights aim to influence maintenance or training budgets among others to ensure that the likelihood of occurrence of these threats does not increase. Figure 11 shows the equipment threat comparison and Figure 12 shows the human threat comparison for “You” and “Others” for potential consequences involving the product fractionator.
Figure 11 Equipment Threats Metric (Fractionator)
Figure 12 Human Threats Metric (Fractionator)
Figure 11 shows that the percentage equipment threats was found to be higher for “You” compared to “Others” for H&S product fractionator scenarios and similar for “You” compared to “Others” for ASSET product fractionator scenarios. Figure 12 shows a similar number of human threats identified for H&S product fractionator scenarios, but a higher percentage of human threats identified for ASSET product fractionator scenarios for “You” compared to “Others”. There are a couple possible explanations for the differences observed in the threat metrics:
- Comparing Figure 11 and Figure 12 shows that there were no external event or undetermined causes identified for product fractionator scenarios as the equipment failure and human failure scenario percentages add up to 100 percent. The “Others” PHAs all had a couple external event or undetermined causes addressed in the PHA. If the “You” PHA considered a few of these additional causes the metrics for H&S would likely be closer to “Others”.
- Additionally, the PHA methodology/assumptions can influence the types of causes considered in the analysis. For instance, the consideration of manual valve inadvertent manipulation as causes in the PHA is directly influenced by the PHA assumptions of the operating company. Some operating companies analyze every single manual value as a potential human failure cause, however, other operating companies make the assumption – manual valves are in the position shown on the P&IDs and operators are trained and follow procedures to actuate the manual valves – and therefore do not consider these human failure causes in the PHA. Furthermore, some operating companies consider manual valves based on the frequency of manipulation. Manual values that are manipulated on a routine basis will be considered as a human failure cause, but manual valves that aren’t frequently manipulated will not be considered as a valid cause in the PHA. This difference in assumptions around manual valve consideration can explain the high deviation observed for the human threats ASSET metric.
For this case study the most reasonable explanation for the difference in equipment and human threats is the lack of external event or undetermined causes. Often undetermined type causes tend to be causes related to past incidents/issues in the facility that the team wants to consider even though the root cause may not be entirely clear. Given that the “You” PHA is in design phase it is unlikely that these types of causes would be identified in this study.
4.2 Reliance on Personnel
The reliance on personnel metric compares the reliance on human dependent safeguards such as alarms and procedures for providing risk reduction to the scenarios analyzed for each consequence receptor. Based on standards for independent protection layers, human dependent safeguards have a large range of reliability . A higher reliance on human dependent safeguards may indicate an increased importance of routine training.
Figure 13 Reliance on Personnel Metric (Fractionator)
Figure 13 shows that the reliance on personnel related safeguards was less for “You” compared to “Others” for fractionator related scenarios. It was significantly less for H&S scenarios, but only slightly less for ASSET scenarios. There are a few possible explanations for this deviation:
- The primary source of deviations for H&S scenarios is if the PHA considered occupancy as a modifier for likelihood reduction (e.g. personnel in area less than 10% of a time). PHAs that consider occupancy for likelihood reduction tend to have a higher reliance on personnel for H&S scenarios.
- Secondly, the age of facility/unit being analyzed can have a significant impact on the results of the reliance on personnel metric. Older facilities/units tend to have a higher reliance on personnel due to the process being less automated and vice versa for newer facilities.
- Additionally, whether the PHA is for a facility in design versus and operating phase can have a significant impact on the reliance on personnel metric. During the design phase PHA administrative safeguards such as procedures and rounds may not exist or be as clearly defined as automated safeguards. Therefore, credit for existing safeguards may be less reliant on personnel based safeguards.
- Alternatively, an operating company’s methodology around control system safeguards such as alarms or trips can influence the results of the metric. For instance, a level transmitter may have a level high alarm as well as a level has a level high high trip. Most operating companies will only take credit for one of these safeguards in PHA due to the common mode of failure (the transmitter) between these safeguards. Operating companies methodologies on which safeguard to take credit for can vary. If the operating company chooses to take credit for the alarm(s), it may result in a higher reliance on personnel result.
For this case study the most reasonable explanation for the difference in reliance on personnel is that occupancy was not used as a safeguard and that there was a higher reliance on trips over alarms when compared to “Others”.
4.3 Inherent High Risk Before Safeguards
The inherent high risk metric compares the high or very high equivalent risk ranked scenarios before safeguards between “You” and “Others” for the scenarios analyzed.
Figure 14 Inherent High Risk Before Safeguards Metric (Fractionator)
Figure 14 shows that the percentage of inherent high risk fractionator scenarios for “You” was significantly higher than “Others”. All of the H&S fractionator related scenarios were found to be inherently high risk compared to 80% for “Others”. The percentage inherent high risk fractionator scenarios for ASSET for “You” was double the amount for “Others”. There are a few possible explanations for the observed deviations in Figure 14:
- The first possible explanation is through differences in the Risk Matrix and the operating company’s selection of risk level for each severity-likelihood combination. Some operating companies risk matrices tend to be more risk adverse putting more unacceptable risk levels on their risk matrix to encourage further risk reduction efforts. Other operating companies are more risk accepting and may choose a lower risk level on their risk matrix requiring less safeguards to get to an acceptable level. This difference in operating companies risk matrix development can heavily influence the results of the inherent high risk metric.
- Secondly, the PHA team’s consideration or lack of consideration of worst credible consequences can also influence this metric. If the PHA team did not adequately consider the worst credible consequence when identifying the severity of a consequence, and/or were influenced by the presence of existing safeguards when determining the likelihood of a cause, they will not end up with the worst case scenario risk ranking.
For this case study the most reasonable explanation for the difference in inherent high risk before safeguards metric is the difference between operating companies risk matrices and the risk levels they have selected.
PHA Data Analytics provides a detailed review and analysis of a facility’s safeguarding systems (existing and recommended). PHA Data Analytics provides a facility’s management and process safety professionals with risk ranking profiles, category distribution of safeguards and risk reducing recommendations, ranking of critical safeguards, and prioritization of recommendations. It also demonstrates the safeguards’/recommendations’ cumulative criticality for the facility, which indicates the safeguards/recommendations overall effectiveness in risk control.
In order for PHA data analytics to be possible, a minimum quality and availability of data is required. A few key points were addressed in the study, such as using detailed safeguard descriptions for ease of safeguard classification and clear identification of unique safeguards. Additionally, indication of which safeguards are providing risk reduction and the amount (credits) of that risk reduction for each scenario is essential for analysis. This overall improvement of how data is collected and recorded in the PHA not only improves the ability to analyze the data, but it also improves the quality of the standalone PHA document. Additionally, the desire for new metrics may drive a change in the overall methodology of how the PHA data is collected so that all desired questions and metrics can be extracted through the use of Data Analytics.
PHA Data Analytics can be completed systematically throughout the life of a facility to continually validate the facility’s safeguards’ effectiveness, and provide a more comprehensive understanding of the facility’s associated level of risk. This will enable department leaders and management to prioritize the most important process safety activities required to close risk gaps, and subsequently reduce and manage the level of risk personnel are exposed to at site on a regular basis. Regular reviews of a facility’s key process safety metrics can allow management to continuously monitor and improve process safety performance, and objectively determine the impact of changes made to their process safety philosophy. Additionally, benchmarking these metrics across other facilities owned by the same operating company, and even other similar facilities in industry, can further highlight areas of exceedances and threats in regards to process safety metrics of interest.
This case study highlighted a few key findings of the application of data analytics to PHA data. The ability to use Data Analytics on PHA data is responding to a need in the process safety industry to have improved process safety metrics and transparency. As new metrics are identified to further drive process safety performance, additional analytics can be created to support these new metrics.
- Center for Chemical Process Safety (CCPS). Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis. Hoboken, NJ, USA: John Wiley & Sons, Inc., 2012
- Center for Chemical Process Safety (CCPS). Layer of Protection Analysis. New York, New York, USA. American Institute of Chemical Engineers, 2001