Inconsistencies in a company's process hazard analyses (PHA) have become more of a concern over the past few years, particularly for larger organizations. In fact, few organizations have mastered consistency when it comes to their PHAs. To assist in addressing this, we are beginning a three-part series on PHA inconsistencies, with this first article discussing the impact of inconsistencies on safety, operability, and costs. Our second article will examine why inconsistency is occurring, and the third article will focus on how inconsistencies can be avoided and how industry is trying to be more consistent.
While the purpose of both PHAs and the related Layers of Protection Analysis (LOPA) is to identify important safety issues related to specific processes, what we truly mean by “consistency” is conformity in logic: coming to the same conclusions when having the same information, even if the path is slightly different. When performing PHAs on the same processes, the results should be similar, regardless of who is involved or how the analysis is performed. Consider the fictional industry example described below.
RT Industries is a chemical manufacturer that is trying to do the right thing under the Occupational Safety and Health Administration's (OSHA's) process safety management (PSM) regulations. RT has been largely following the letter of the law despite a few incidents and citations over the years and has received some fines. Recently, an incident occurred at a competitor's facility that makes a very similar chemical. Out of an abundance of caution, RT's Vice President of Operations felt it was time to review the process safety efforts to make sure that such an incident could not happen at any of RT's facilities. Thus, he tasked teams to review the most recent PHAs for related units.
Within the last five years, three independent PHA teams at three different facilities conducted hazard and operability studies (HAZOPs) involving nearly identical scenarios, with similar chemicals and processes. Although the scenarios and chemicals were nearly identical, the analysis revealed that the resulting recommendations from the three independent HAZOPs were completely different.
How did that happen? Why did it happen? And, what did RT do to address the discrepancy? To answer these questions, and to consider the impact these types of inconsistencies can have on an organization's operations, safety, and costs, we begin by examining RT's HAZOP process.
HAZOP Process: The Starting Point for Inconsistency
The teams conducted their PHAs on identical processes in three facilities. They all began with the same process safety information and the same types of equipment.
As outlined in Figure 1, the teams were looking at a centrifugal pump pumping a gasoline-like substance downstream. There is a discharge valve, and previous PHAs at each of the three units had identified the need for two safeguards: a high-pressure alarm (PAH) and a local hazardous atmosphere detector (AAH). Each team reviewed the node and identified a consequence for the initiating event of a closed discharge valve.
Team One recently had a very similar experience with a leak that resulted in a fire, which led to the team projecting the following consequences: the pump will deadhead, the seal will be damaged, and the gasoline spill will immediately ignite due to the hot seal. In the actual incident, no one was injured, but the team realized that someone could have been severely burned if they had been nearby. They predicted that it could have led to a permanent disability.
Team Two did not have a recent event but heard about what happened at Facility 1, so they came up with approximately the same consequence: deadheading and permanent disability.
Team Three was not aware of the recent incident but knew of numerous recent seal leaks. Since nothing ever seemed to come of those seal leaks, they agreed in general with the series of events but instead predicted the results would be a small fire leading to a first aid injury.
So, from the beginning, results varied based on each team's experience with incident severities. (See Figure 2)
In situations like this, the PHA facilitator should step in and ensure the team has thoroughly considered the possibilities. However, in reality, both consequences are realistic based on what each team has experienced in their facilities. The variance in the teams' training and judgment will always impact the consequence consideration. Although this introduces bias into the process, it's not the PHA facilitator's place to render an opinion unless they have information guiding that determination. Essentially, all three teams are doing what is required based on company procedures and OSHA PSM requirements.
Safeguard Considerations & Divergence
Next in the HAZOP, each of the three teams must identify available safeguards. (See Figure 3)
Team One's recent experience informed them that proper functioning of the high-discharge pressure alarm and the hazardous atmosphere detector is what ultimately prevented someone from being injured. They, therefore, concluded that these two safeguards are appropriate.
Team Two observed that the seal leak happened regardless of the alarms and concluded that the high-pressure discharge alarm may not have been helpful. They also determined that the hazardous atmosphere detector would not be useful if personnel were already in the vicinity. They, therefore, concluded that there are no useful safeguards available.
Team Three assumed that they were looking at only a potential first-aid injury, so they concluded that the high-discharge pressure alarm would be sufficient and listed that as the single safeguard.
Once again, all three teams based their analysis on their experience, as they should in a HAZOP. Nonetheless, their conclusions differ significantly from one another.
Ranking the Risk
The next HAZOP step is to estimate the risk ranking for each of the three scenarios. The severity of the consequences was discussed above, but we also need to consider the likelihood. At this point, most organizations would look at the likelihood of the initial valve failure and then evaluate that likelihood after mitigation with safeguards. Table 1 compares each team's risk rankings before and after mitigation via the identified safeguards. Generally, RT company standards allow for likelihood to be reduced by one degree for each assigned safeguard.
Team One identified two safeguards, so the likelihood of personnel injury was reduced from “likely” to “remote.”
Team Two identified no safeguards, so the likelihood remains “likely.”
Team Three identified one safeguard, resulting in an “unlikely” likelihood.
The next step is to evaluate how these likelihood selections affect the risk ranking (see Table 2).
Team One found that the likelihood of permanent disability was “remote,” resulting in a “medium” risk ranking.
Team Two, on the other hand, had the same permanent disability, but considered it as “likely” because no safeguards were identified. The risk, in this case, was, thereby, ranked as “high.”
Team Three projected only a first-aid injury that was “unlikely” to occur, resulting in a “low” risk overall.
The three teams, leveraging their own experience and the information available to them, came up with three substantially different risk rankings. This is not particularly unusual to see in a PHA when different groups are presented with the same information, because the outcome depends on the assumptions made and the experience of the team.
What is perhaps more concerning than this difference in risk ranking is the ripple effect it can cause. If the consequence severity is a permanent disability or higher, for example, the next step is usually performing a Layers of Protection Analysis (LOPA), which provides a more detailed assessment of the risks and layers of protection associated with hazard scenarios. In this example, only two of the teams must conduct that more rigorous analysis according to the company's internal standards.
Team One concludes the risk is “medium” and makes no recommendations, but a LOPA review is needed. Team Two concludes the risk is “high,” so it recommends adding another safeguard like a high-discharge pressure or trip on the pump and will evaluate that scenario in the LOPA. Team Three ranks the risk as acceptable, and a LOPA is not triggered because the severity of the consequences is low (i.e., only first aid).
Design Changes and LOPA Impacts
Given the discrepancy in recommendations, what are the implications within the facility? See Figure 4.
Team One's results are similar to what they started with: a hazardous atmosphere detector and a high-discharge pressure alarm.
Team Two added a high-discharge pressure trip and removed the other two safeguards because they were deemed unnecessary.
Team Three continues with just a high discharge pressure alarm.
Differences in process design will result from the HAZOP results as well as the subsequent LOPA analysis or lack thereof.
During the LOPA, Team One foresaw a permanent disability, and based on RT's requirements, two safeguards are thus needed as independent protection layers (IPLs). Under their internal requirements, the high-pressure alarm qualifies as one layer. Because a second IPL is needed, the team recommends adding a Safety Integrity Level (SIL) 1 high-discharge pressure trip.
Team Two's LOPA also finds that two IPLs are needed. The team recognizes that it will be difficult to find multiple effective IPLs for this scenario, so it recommends adding a SIL 2 high-discharge pressure trip, which will provide the equivalent protection of two IPLs. According to their calculations, the team finds that the risk reduction factor is high enough that the protection layer must meet SIL 2 criteria. Because of the higher mitigated risk ranking and subsequent needed risk reduction, Team Two recommends adding a SIL 2 high-discharge pressure trip that satisfies the risk reduction requirements.
Team Three did not conduct a LOPA, so there were no further recommendations.
Let's examine how the facilities would look based on the LOPA recommendations. As shown in Figure 4, Team One has a SIL 1 trip and a high-pressure alarm. Team Two has a three-transmitter SIL 2 system with no high-discharge pressure alarm. Team Three has only a high-pressure alarm.
These differences are the result of inconsistent assumptions and conclusions compounded throughout the process. Although each was reasonable on its own, there are now significant differences in process design that create cost and operability impacts.
Cost & Operability Impacts
Imagine trying to cross-train operations staff at these different facilities, and they're looking at completely different safeguards for the same type of technology and the same type of unit. This can lead to issues with bypassing equipment, not trusting equipment, or not understanding why certain equipment is required.
For example, if someone is trained in Facility 3 but goes to work in Facility 2, they're going to see a SIL 2 trip and think it's unnecessarily conservative. For an operations team, it can be hard to tell which set of safeguards is appropriate.
There are also impacts on cost. Every IPL incurs a certain cost to install and maintain. As shown in Table 3, the different safeguards recommended by the different teams result in costs that differ by orders of magnitude.
Although this is a fictional example, it illustrates the variation that can be observed depending on the experience of the PHA team when they're determining the required safeguards. More importantly, significant additional costs may be incurred if a company installs differing safeguards at different facilities and then later decides that only one is correct, in which case they remove the others and spend more resources to correct the design.
Incident Investigation Impacts
What happens if there's an incident? In addition to other tasks, the company will look at the PHAs. If someone is injured, OSHA will be involved and more closely scrutinize PHAs of the facility where the event happened. It's possible they will request to see similar PHAs at different facilities. For this example, they would find three teams that ranked the risk of this scenario differently, and perhaps the incident occurred at Facility 3, where it was deemed “low” risk.
OSHA will also examine what safeguards were implemented, and once again, the differences between the three facilities will be discovered. If the incident occurred at the facility with the fewest safeguards, it could appear safety is not a priority. OSHA could recommend that more safeguards be implemented based on what other facilities are doing. Ultimately, this could lead to fines and citations from OSHA, all stemming from the ripple effect of inconsistencies in the PHAs.
Safety Culture Impacts
In addition to potential fines, having inconsistent safety systems across different facilities results in an inconsistent safety culture that impacts employees moving between the different facilities. Furthermore, when cross-training operations staff or engineers, effectiveness is reduced due to the inconsistency in safeguards.
Ultimately, the larger risk here is inconsistent safety culture within the organization. Staff may look at similar units and see that they have more, or perhaps fewer, safeguards and therefore decide to change, bypass, or remove safety equipment based on what they consider “necessary.”
Inconsistencies in PHAs have Real Impacts
Inconsistent PHAs will result in unnecessary spending, will reduce operability, and can negatively impact safety culture. Understanding why those inconsistencies manifest is crucial.
In our next issue, we will further examine the root causes of PHA inconsistencies.