HSE COMAH Regulatory Model Targeting Interventions
IAN TRAVERS
www.iantravers.co.uk
BackgroundWhy HSE wants to use the HID Reg Model approach to intervention targeting:
◦ HSE must be in a position to demonstrate it is going to the right COMAH places, looking at the right COMAH things and closing out actions placed upon operators in a proportionate way.
◦ To use the targeting methodology for a range of COMAH establishments to facilitate the creation of an implementation framework for use in COMAH intervention planning.
◦ In doing so HSE will obtain a clearer picture of the sector performance as a whole and derive more representative intelligence of the sector performance across the many different COMAH establishments.
◦ HSE and the COMAH CA can then use that information in reviewing its strategic topics and delivery guides to ensure it continues to look at the right things.
HID Reg Model – why it was produced?• State clearly how HSE regulates
major hazards
• Go to the right places
• Do the right things
• Finish what you start
• Inspection based on sampling
• Sampling based on assessing the company’s process safety management system
Current Initiative2014/15o Background training on Process Safety Management to all HSE major hazards inspectors
2015/16
o 10 workshops with COMAH regulatory teams to prepare intervention plans for 2016/17
o Range of sites reviewed
o Refineries, complex chemical sites, fuel storage, explosives manufacturers
Methodology◦ Stage 1: Site overview and key major hazard scenarios
◦ Stage 2: Selection of Plant / Process or activity. Description of the process stages – prepare and outline schematic process diagram
◦ Stage 3: Identifying failure mechanisms and challenges to the integrity
◦ Stage 4: Identifying the risk control systems (relevant preventative and mitigatory barriers
◦ Stage 5: Assessing vulnerability in the control systems
◦ Stage 6: Outline inspection agenda, topics and evidence to be sought during inspection. Agreeing specialist input
Translating the inspection agenda onto Intervention Plan Template◦ Review the HRM inspection agenda alongside current Intervention Plan
Process Safety Management System
People Processes
Plant
Risk Assessment
Risk Profile
Loss of Control
OutcomeMAJORHAZARD
Preventive Barriers Mitigation Barriers
Determine the Control Measures (Barriers)
Major Hazard Control Measures (Barriers)
Potential
Impact/
Consquences
Probability
Challenges to
Integrity or
Containment
Corrosion
High/LowPressure
Overfilling
Human Error
Physical Damage
High/LowTemperature
CHECK,MEASURE& REVIEW
Leading & lagging indicators to measure performance of control
measures
Audit Programme to check the design and suitability of control
measures
Investigate loss of containment events and major hazard incidents to identify failures in the control
measures
MAJOR HAZARD MANAGEMENT
(the big picture)
Hazard IdentificationProcesses or
Activities
Undertaken
Hazardous-
Property:
Condition
Volume
Activity/ Processes:
Storage
Reacting
Separating, Distillation
Mixing, Blending
Product Transfer
Propagating
Concentrating
Plant Life
CycleStart-up
Operate
Modify
Shutdown
Toxic
Flammable
Reactive
Corrosive
Explosive
Infectious
Temperature
Pressure
Solid
Liquid
Gas
Intrinsic Hazard
Physical PropertyFor example:
Stage in Plant Life Cycle – where relevant
LeadershipTo set an effective vision
ans culture for major hazard management
©
People Processes
Plant
Risk Assessment
Risk Profile
Loss of Containment
OutcomeMAJORHAZARD
Preventive Barriers Mitigation Barriers
Determine the Control Measures (Barriers)
Process Safety Control Measures (Barriers)
Potential
Impact/
Consquences
ProbabilityChallenges to
Containment
Corrosion
High/LowPressure
Overfilling
Human Error
Physical Damage
High/LowTemperature
CHECK,MEASURE& REVIEW
Process safety leading & lagging indicators to measure
performance of control measures
Audit Programme to check the design and suitability of control
measures
Investigate loss of containment events and process safety incidents
to identify failures in the control measures
PROCESS SAFETY MANAGEMENT
(the big picture)
Hazard IdentificationProcesses or
Activities
Undertaken
Substance:
Hazardous-
Property:
Condition
Volume
Chemical
Processes:
Storage
Reacting
Separating,
Distillation
Mixing, Blending
Product Transfer
Plant Life
CycleStart-up
Operate
Modify
Shutdown
Toxic
Flammable
Reactive
Corrosive
Explosive
Temperature
Pressure
Solid
Liquid
Gas
Leardership to set an effective vision and
culture for major hazard management
Act
Do Check
Plan
Plan Do Check Act
Hazard Indentification
Policy / MAPP
Risk Assessment
Plant Design
Organisation &
AccountabilityOperating Procedures
Competence
Code
s / s
tan
dard
s
ALARP
HAZOP / HAZIDManagement of
Change
Inspection &
Maintenance
Procurement
Management of
Contractors
Permit to Work
Operational
Parameters
Incident reporting &
Investigation
Auditing
Performance
Monitoring and KPIs
Emergency
Arrangements & Plan
Improvement plans
Action follow up
Investment programs
Elements of a
Process Safety
Management
System
Discipline
Po
licy
Org
anis
atio
n
Haz
ard
ID
Ris
k A
sses
smen
t
Des
ign
Op
erat
ion
al p
aram
eter
s
Op
erat
ion
al p
roce
du
res
Co
mp
eten
ce
Man
agem
ent
of
Ch
ange
Insp
ecti
on
& m
ain
ten
ance
Per
mit
to
Wo
rk
Pro
cure
men
t
Man
agem
ent
of
Co
ntr
acto
rs
Emer
gen
cy A
rran
gem
ents
Inci
den
t In
vest
igat
ion
Au
dit
ing
Per
form
ance
Mo
nit
ori
ng
& K
PIs
Imp
rove
men
t P
lan
s
Act
ion
Fo
llow
up
Risk models & guidance Risk Assessors
Process Safety
EC&I
Mechanical
Human factors
Safety Management
Systems. Guidance,
Standards & Codes
Reg Specialist
Plan Do Check Act
Guidance, Standards and
Codes
PSM – who does what (approx.)
The 5 Most Important Questions:• How could it go catastrophically wrong?
• Where / when will most likely go wrong?
• What controls or systems are there to prevent a major accident?
• Which of these are most vulnerable to failure?
• What information do we have to show those systems continue to operate to the desired performance standard?
Sampling
Potential
Impact/
Consquences
ProbabilityChallenges to
Containment
Corrosion
High/LowPressure
Overfilling
Human Error
Physical Damage
High/LowTemperature
Processes or
Activities
Undertaken
Substance:
Hazardous-
Property:
Condition
Volume
Chemical
Processes:
Storage
Reacting
Separating,
Distillation
Mixing, Blending
Product Transfer
Toxic
Flammable
Reactive
Corrosive
Explosive
Temperature
Pressure
Solid
Liquid
Gas
Loss of Containment
Preventive Barriers Mitigation Barriers
Site Risk Profile
Whole-Site Major Hazard Scenarios
Most Credible / Greatest Inpact MH Scenario
Relevant Plant / Process
Challenges to Integrity on that Plant
Control Systems to maintain integrity
Most Vulnerable Control Systems
Sketch out the process in outline
Compressor
Compressor
Reject
CO Gas
N2 Gas
Feed
Reactor Chiller
Condenser
Separator -
separates NH3 liquid
from un-reacted
H2 & N2
Storage Tank
Double-Skinned
Insulated and
Refrigerated
Scrubber
Ammonia Plant
Process Description
H2
Feed
H2
Feed
P28 barg
P28 barg
Single isolation
valve
Cold
Box
P
T
L
28 barg
- 190oC
P
T 550oC
235oCT
1.9km
Start-up
Heater
P T
P
T
Ammonia
Removal of
CO from
H2 feed
Fe Catalyst
Vacuum
ValvePRV
P T L
-33oC
Gas
detection
in tank
wall
Liquid
Ammonia
Un-reacted
H2 & N2Off Gas
Vapour Return
Compressor
140 barg
FFlow
meter
F
Compressor
Compressor
Reject
CO Gas
N2 Gas
Feed
Reactor Chiller
Condenser
Separator -
separates NH3 liquid
from un-reacted
H2 & N2
Storage Tank
Double-Skinned
Insulated and
Refrigerated
Scrubber
Ammonia Plant
Challenges to Integrity
H2
Feed
H2
Feed
P28 barg
P28 barg
Single isolation
valve
Cold
Box
P
T
L
28 barg
- 190oC
P
T 550oC
235oCT
1.9km
Start-up
Heater
P T
P
T
Ammonia
Removal of
CO from
H2 feed
Fe Catalyst
Vacuum
ValvePRV
P T L
-33oC
Gas
detection
in tank
wall
Liquid
Ammonia
Un-reacted
H2 & N2Off Gas
Vapour Return
Compressor
140 barg
MF
MF
C
C
CF
MF
MF
MF
MF
MF
MF
C
OF
HE
OP
HE
C
CMF CF
IMFC
MF
MF
MF
C
I
Challenges to Integrity
Corrosion
Stress Corrosion
Mechanical Failure
Overfilling
Over Pressure
Human Error
Cold Fracture Embrittlement
Impact
S C
C
M F
O F
O P
H E
C F
I
OF SC C OP HE OP
F
FFlow
meter
HE
HE
HE
HESC
I
MF
How and where can a loss of containment occur?
Compressor
Compressor
Reject
CO Gas
N2 Gas
Feed
Reactor Chiller
Condenser
Separator -
separates NH3 liquid
from un-reacted
H2 & N2
Storage Tank
Double-Skinned
Insulated and
Refrigerated
Scrubber
Ammonia Plant
Control Measures
H2
Feed
H2
Feed
P28 barg
P28 barg
Single isolation
valve
Cold
Box
P
T
L
28 barg
- 190oC
P
T 550oC
235oCT
1.9km
Start-up
Heater
P T
P
T
Ammonia
Removal of
CO from
H2 feed
Fe Catalyst
Vacuum
ValvePRV
P T L
-33oC
Gas
detection
in tank
wall
Liquid
Ammonia
Un-reacted
H2 & N2Off Gas
Vapour Return
Compressor
140 barg
FFlow
meter
F
Control Measures - Process
Temperature Control
Pressure Control
Level Control
Gas Detection (CO / NH3)
Vibration Monitoring
T C
P C
DG
LC
MV
Control Measures - Generic
Inspection & Maintenance
Competence
Spares Procurement
Emergency Plan
C
S P
E P
I M
T C
T C
T C
T C
T C
P C
P C
P C
P C
LC
LC
DG
DG
MV
I M
I M
I M
I M
I M
I M
I M
I M
S P
S P
C
C
CE P
E P
E P
T C
P C
S PS P
S P
S P MV
MVS P
What control measures should be in place?
Compressor
Compressor
Reject
CO Gas
N2 Gas
Feed
Reactor Chiller
Condenser
Separator -
separates NH3 liquid
from un-reacted
H2 & N2
Storage Tank
Double-Skinned
Insulated and
Refrigerated
Scrubber
Ammonia Plant
Vulnerability
H2
Feed
H2
Feed
P28 barg
P28 barg
Single isolation
valve
Cold
Box
P
T
L
28 barg
- 190oC
P
T 550oC
235oCT
1.9km
Start-up
Heater
P T
P
T
Ammonia
Removal of
CO from
H2 feed
Fe Catalyst
Vacuum
ValvePRV
P T L
-33oC
Gas
detection
in tank
wall
Liquid
Ammonia
Un-reacted
H2 & N2Off Gas
Vapour Return
Compressor
140 barg
FFlow
meter
F
Control Measures - Process
Temperature Control
Pressure Control
Level Control
Gas Detection (CO / NH3)
Vibration Monitoring
T C
P C
DG
LC
MV
Control Measures - Generic
Inspection & Maintenance
Competence
Spares Procurement
Emergency Plan
C
S P
E P
I M
T C
T C
T C
DG
DG
MV
I M
I M
I M
I M
S P C
C
CE P
E P
E P
S P
I M
Which controls are most vulnerable to failure?
Vulnerability analysis• the system is safety critical – that is, if it failed and there was an associated
loss of containment would this potentially lead to a major accident or a serious incident?
• the control measure is towards or is ‘the last in line’ using the bow-tie analogy,
• the system provides any ‘early warning’, of failure,
• there is opportunity to recover the loss of containment, and
• the correct functioning of the control measure relies partly or wholly on human intervention.
Safety Critical
Vulnerableto failure
Challenge Control Measures / barriers SC V Comment
Corrosion Design and material specification H L A one-off design decision so no dynamic change
during plant operation.
Corrosion protection / coating. H M Corrosion occurs relatively slowly.
Inspection and maintenance of the
equipment – corrosion detection or
deterioration of the corrosion
protection.
H H The 1.9 km liquid full pipeline presents the highest
risk. A crack or hole in the pipeline or a leaking joint
would be difficult to detect and then contain.
Inspection relies on human intervention.
Stress
Corrosion
Design and material specification. H L A one-off design decision so no dynamic change
during plant operation.
Maintaining the temperature and
pressure within safe design limits and
avoiding excessive temperature /
pressure cycling.
H H This is a very critical control measure as cycling
represents the largest threat. This barrier relies on
competent operators (below) who follow the
designated control procedure. There are no automatic
safety cut-offs that detect and prevent temperature /
pressure cycling.
Competent Process Control operators. H H See above - operators are the last in line for this
threat.
Suitable operating procedures. H L Having a written procedure is safety critical but
procedures do not tend to change or deteriorate.
What matters most is that process control operators
follow the procedure - see above.
Inspection and maintenance of the
temperature and pressure sensors and
control system.
H H The entire pressure / temperature control system
relies on accurate temperature / pressure sensors and
control loops. This system is not SIL rated so
completion of the inspection and calibration of these
sensors is vital.
Vulnerability Analysis
EC&IEvidence of outcomes of RCS to deliver assurance on control temperature & pressure at ammonia tank. • Delivery Guide• Standards & Codes• BS EN 61511 etc
MechanicalEvidence of outcomes of RCS to deliver assurance on integrity of at ammonia tank & Pipelines. • Delivery Guide• Standards & Codes• EMMUA, Safid
Process SafetyEvidence of outcomes of RCS to deliver assurance on operating conditions and safety controls of ammonia tank & Pipelines. • Delivery Guide• Standards & Codes
Human FactorsEvidence of outcomes of RCS to deliver assurance on competence and operating procedures, alarm handling etc for the control of integrity of ammonia tank & ship loading
Deployment of Specialist Inspectors
EC&I• Delivery Guide• Standards & Codes• BS EN 61511 etc
Mechanical• Delivery Guide• Aging Plant• Standards & Codes• EMMUA, Safid
Process Safety• Delivery Guide• Standards & Codes
Human Factors• Human factors
roadmap• HF Delivery Guide
Investigating Broader Process Safety Management Issues
Reg Specialists• Emergency Arrangements• Suitability of Process Safety
Management System
Human FactorsEvidence of outcomes of RCS to deliver assurance on competence and operating procedures, alarm handling etc for the control of integrity of ammonia tank & ship loading
EC&IEvidence of outcomes of RCS to deliver assurance on control temperature & pressure at ammonia tank. • Delivery Guide• Standards & Codes• BS EN 61511 etc
Reg Specialists• Emergency Arrangements• Suitability of Process
Safety Management System
Process SafetyEvidence of outcomes of RCS to deliver assurance on operating conditions and safety controls of ammonia tank & Pipelines. • Delivery Guide• Standards & Codes
Sample Inspection Conclusions on Effectiveness of PSM
Building a picture of PSM