In the last EHS Quarterly issue, we began a series on process hazard analysis (PHA) inconsistencies with “Impacts of PHA Inconsistencies” which addressed safety, operability, and cost. We are continuing this series with a focus on the root causes of inconsistency in PHAs. The fictional case of RT Industries that we introduced in the first article illustrated two causes that contributed to the inconsistency between the three PHAs: inaccurate information, and varying staff experience.
As described previously, RT Industries is a fictional chemical manufacturer trying in earnest to comply with the Occupational Safety and Health Administration's (OSHA) process safety management (PSM) regulations. Recently, an incident occurred at a competitor's site that makes a chemical that is very similar to RT's product. Out of an abundance of caution, RT's Vice President of Operations tasked teams to review the most recent PHAs for related units.
Three independent PHA teams at three different RT Industries facilities previously conducted hazard and operability studies (HAZOPs) involving nearly identical scenarios, with similar chemicals and processes. Although the scenarios and chemicals were nearly identical, the analysis initiated by the vice president revealed that the recommendations from the three independent HAZOPs were completely different.
In this example based on real situations, inaccurate process safety information led to a lack of source material consistency between the PHA teams. Beyond that, the difference in personal experience of the PHA team members impacted the likelihood and severity determination of the consequences, which then affected the risk ranking. Exactly how did these situations cause inconsistency in the PHAs? How could these inconsistencies happen? To answer these questions, we must examine each one independently.
Cause #1: Inaccurate Process Safety Information
Access to accurate and verified process safety information (PSI) is paramount to PHA consistency. OSHA 29 CFR 1910.119, the Process Safety Management standard, requires a company to compile PSI and provide it to personnel and the PHA team. OSHA provides guidance on the type of information to include in PSI records, which generally includes piping and instrumentation drawings (P&IDs), process chemistry, equipment, information technology, and other documentation “pertaining to the hazards of the highly hazardous chemicals used or produced by the process, information pertaining to the technology of the process, and information pertaining to the equipment in the process.”
While the information should be the same across different sources within your facility-i.e., the maintenance database, the nameplate, the P&ID-the information may not always match. It could be a small discrepancy such as the title of the piece of equipment being recorded differently in two different data systems, or it could be more serious like different Maximum Allowable Working Pressure (MAWP) designations for the same vessel.
For example, a P&ID may display an out-of-date value of MAWP if there was an inspection of the vessel and a subsequent de-rating of the MAWP. If the management of change (MOC) does not capture the change correctly in all the places where the MAWP is captured, the Inspection Data Management System (IDMS) could provide the correct lower MAWP, but the out-of-date P&ID would then indicate an older, higher value.
Likewise, a change in MAWP might be missed in the pressure relief system design documentation. When a team starts a PHA with the incorrect MAWP on the outdated P&ID and then reviews the other data sources, they are faced with multiple values for MAWP and will have to determine the correct value to use. Worse still, only one value may be noted and it may be incorrect.
The three PHA teams at RT Industries faced exactly this type of problem. Table 1 shows the different PSI data sources and data sets that should have been consistent but were not.
Depending on which source of information is referenced will affect the way in which the PHA team ranks the risks for a given scenario. Based on the example Table 1, Team One used the P&ID, and Team Two used the name plate as the reference for evaluating an over-pressure scenario. Not surprisingly, the scenario consequences based on these varying data sets result in an inconsistent consequence analysis.
Furthermore, when personnel notice these types of inconsistencies in the data, they place less trust in the PSI. Verifying the accuracy of questionable or inconsistently recorded data adds another layer of workload to the HAZOP team and slows down the PHA process. If the inconsistent data is crucial to the analysis, many times the team will wait for confirmation before moving forward, adding unnecessary time and cost to the process.
Many times, a PHA team in this situation ends up making a judgment based on their personal experience or what they know about the equipment in order to keep the process moving. This common tendency, while understandable, comes with its own risks to PHA consistency.
Cause #2: Differences in Personal Experiences
At minimum, each PHA team needs to have one member with experience in engineering and process operations specific to the technology being analyzed, plus an additional member who knows the specific PHA methodology being used (facilitator).
According to the OSHA booklet, Process Safety Management Guidelines for Compliance, “the other full- or part-time team members need to provide the team with expertise in areas such as process technology; process design; operating procedures and practices; alarms; emergency procedures; instrumentation; maintenance procedures, both routine and nonroutine tasks, including how the tasks are authorized; procurement of parts and supplies; safety and health; and any other relevant subjects.”
Those individuals bring with them their expertise as well as their personal history of incidents and events, either first-hand or learned. While many teams are excellent at the analytical process of determining cause, consequence, and applicable safeguards, the task of assigning a level of risk by its nature includes a judgment call-that is where personal experience and bias can creep in.
How Personal Experience Impacts Likelihood Determinations
During the risk ranking process, the team reviews the scenario and makes two determinations-the likelihood of the consequence happening and the severity of that consequence. The company risk matrix is used to combine those two elements to produce the risk ranking.
“Likelihood” is generally understood in ratio terms of “once every X year(s).” Most company risk assessment guidance includes a range of likelihoods for scenarios that might occur more commonly, such as “once every year (Frequent),” to extremely rare events, such as “once in 10,000 per year (Improbable).” Even if a PHA team contains decades of collective experience, there are going to be many scenarios and events the team members will not have seen in their careers. Table 2 below shows where the typical 40-year career fits into the “once per year (Frequent)” to “once in 100 per year (Likely)” columns on the right side of a typical risk matrix.
An individual worker is more likely to experience the scenarios with a higher likelihood-“Likely” or “Frequent.” However, the target frequency for most scenarios reviewed during a PHA are on the left side between “once in 100 per year (Unlikely)” and “once in 10,000 per year (Improbable).” In other words, there is a discrepancy between what people will likely have personally seen in a typical career and the events being examined during a PHA.
It is important to note that during a 40-year career, an individual will see more events than just those which are “once in 100” (or “Likely”). They may see a variety of the events that can happen on the left side of the chart, but not all of them. To assemble a PHA team with the level of experience to cover most of the events that could occur would be impossible.
Instead, when a team has not seen a particular event or heard of that event occurring, many will risk rank the scenario lower because the risk does not feel as realistic. And, a team that has seen the event will risk rank it higher, possibly higher than is appropriate. Experience bias can affect the risk rank in either direction.
This is a major factor in the PHA inconsistencies at RT Industries (view the entire scenario in Part 1: Impacts of PHA Inconsistencies) one team had never experienced the event of concern; and the other two teams had, which led to very different risk rankings (Table 3). Teams One and Two ranked it high enough to trigger a Layer of Protection Analysis (LOPA) review, while Team Three's analysis and lack of exposure to the scenario led them to a low risk ranking.
How Personal Experience Impacts Severity Determinations
Even if different teams agree on the “likelihood” of an event, personal experience can produce different severity determinations. Severity is generally based on the impact of the event on people present when it happens. It ranges from “first aid injury” to “fatality,” as seen in the risk matrix above (y-axis).
While severity seems like it should be straightforward to determine, it is more nuanced than some expect. Severity is often impacted by external factors that are difficult to control, such as ignition sources and personnel in the area at the time.
One team member may have worked at a petroleum storage facility for a very long time and experienced a tank overfill due to instrument error or human error. They likely learned through that experience that an overfilled tank event requires cleanup of the material from the tank dike and possibly little else. On the other hand, another team member may have experienced an event such as what occurred at the CAPECO facility in 2009, where a large amount of liquid overflowed a tank and ignited.
October 2009 - Tank Explosion & Fire (Caribbean Petroleum Corporation CAPECO, Bayamón, Puerto Rico)
According to the Chemical Safety Board (CSB), in 2009 nearly 200,000 gallons of gasoline rushed out of six vents in an overfilled tank at the CAPECO facility. With a light breeze that night, the escaped gasoline formed a low-lying vapor cloud that encompassed an area equivalent to 107 acres. The vapor cloud exploded, creating a pressure wave that damaged hundreds of homes and businesses up to 1.25 miles from the site. The fire propagated through the vapor cloud and ignited multiple subsequent tank explosions, registering as an earthquake 2.9 on the Richter scale.
After the explosion, fuel in the damaged tanks burned for over two days while emergency responders fought to control the fire and prevent other tanks from igniting. Local fire departments, assisted by an industrial firefighting company, took 66 hours to extinguish the fire after the explosion. As a result, 17 of the 48 tanks burned, according to the CSB report. Luckily, no one was killed (although three people did sustain minor injuries), but it very easily could have been a fatal incident.
The team member who has mostly experienced overfills with no consequence is less likely to relate to the potential impact of an incident like CAPECO simply because their experience indicates that this type of incident usually does not have a severe impact on personnel. On the other hand, the team member who has experienced an event like CAPECO will probably be concerned about significant and potentially fatal results.
It is important to be aware of the human tendency to generalize from our own experiences in the PHA process. In a PHA, the team is looking for the worst credible scenario. An EFR tank overfill filling a dike but not igniting is certainly notthe worst credible scenario, as was evidenced by CAPECO in 2009. However, even in that case there were no fatalities or major injuries when there easily could have been. The team must balance their experience carefully with the awareness that it could cause over- or underestimating documented severity.
Avoiding Inaccurate Information and Narrow Thinking
The root causes of PHA inconsistencies often boil down to inaccurate process safety information and differing personal experience.
In the end, a PHA team will have experienced some of the PHA events but not others. Their risk ranking will be affected by what they experienced, even if it's not necessarily the worst consequence, causing the risk of the scenario to be over- or understated based on the team members themselves and not on data. One key to minimizing the inconsistency between PHA team results is to recognize where personal experience is informing the process and where it is limiting it.
It is also critically important to be aware of the duplicity of information within a facility. How many places does a vessel's MAWP reside? Are they consistent? Are they accurate? This type of data “housekeeping” can be seen as a tedious task, but the ability to provide the PHA team (and anyone else relying on PSI) with verifiable, accurate, trust-worthy technical information is crucial to enabling them to do the most thorough job possible.
For assistance with PHA Inconsistencies, please contact the author or call 800.229.6655.