1

Trends in Industrial Safety

Bhopal Gas Tragedy and its Effects on Process SafetyInternational Conference on the 20th Anniversary of the

Bhopal Gas Tragedy

Indian Institute of Technology, Kanpur, IndiaDecember 1 to 3, 2004

C.M. Pietersen MSc.TNO Safety Solutions Consultants BV

General manager

Aspects of industrial Safety

Technical Safety:

• Hazard Identification and SIL Classification according to IEC 61508• Qualitative Risk Evaluation e.g. by using Risk Graphs or- Matrices• Quantitative Risk Analysis as also required by authorities (Location Specific

Risk and Group Risk)

Organisational Safety:

• Organisational factors associated with Safety• Measuring effectiveness from audits en accident analysis studies• The Tripod method for determining the Basic risk factors of an organization

Safety Culture:

• Safety Culture Maturity assessment• Behaviour Safety Programs

2

Safety Management has Evolved

Assurance

1960 1970 1980 1990 2000

Equipment

Human error / factor

Management focusSMS - HSE -MS

Safety Performance

Behavioural

Technical Safety

• Hazard Identification and SIL Classification according to IEC 61508/ 61511

• Qualitative Risk Evaluation e.g. by using Risk Graphs or- Matrices

• Quantitative Risk Analysis as also required by authorities (Location Specific Risk and Group Risk)

3

HAZOP

Objective:

To identify and evaluate the unwanted causes and consequences of foreseeable deviations in the process. This in a structured, and systematic way.

How:

By a multi- disciplinary team in brainstorm sessions Check acceptability of the risks involvedIf necessary, formulate recommendations for improvement.

Alle leidingen rond vat zijn nodes

4

Scenario: Overfilling LPG sphere

Scenario from the HAZOP:

> Overfilling and overpressure LPG sphere

Fit for Purpose Safety: When is risk acceptable?

> Determine the Loss of Containment (LOC) scenario

> Evaluate the consequences and frequency of the LOC scenario

> Determine the required risk reduction

> Deteremine the way to implement the risk reduction (e.g

overfill protection system)

Example: Mexico City disaster 1984 (500 victims)

Mexico City LPG depot

5

Consequences of overfilling

IEC 61508/ 61511 Standards

Risk evaluation in relation tot Safety Instrumeneted systems

SIL Classification/-verification

6

Bow-tie model:‘Barriers’

PREVENT

BEHAVIOUR

ORGANISATION

ENGINEERING

INCIDENT

HAZARDS

MITIGATECONSEQUENCES

Equipment Under Control (EUC)

Safety Instrumented System (SIS)

EUC

Logic SolverSensor Final Element

BPCSProcess

Alarm & Monitoring panels

7

15/01/96

Risk ReductionACTUAL

REMAINING RISKTOLERABLE

RISKINTERMEDIATE

RISKINITIAL RISK

Risk without theaddition of anyProtectivefeatures

INCREASINGRISK

Partial riskcovered bySIS

Total risk reduction

Risk with theaddition of otherrisk reductionfacilities

Partial risk covered by other

risk reduction facilities

NECESSARY MINIMUMRISK REDUCTION

ACTUAL RISK REDUCTION

Risk with theaddition of otherrisk reductionfacilities andIPF function

4

W3 W2 W1C1

C2

C3

C4

a - -

1 a -

2 1 a

2 1 a

3 2 1

3 2 1

4 3 2

na 3

P1

P2

P1

P2

F1

F2

F1

F2

The risk graph for safety

8

TR

Trip Amplifier

s

Safety Interlocks

Process Pipe

Logic Solver

Sensors

SIS = from Pipe to Pipe

Safety Functions

TR

TR

AirVent

Process Pipe

AirVent

Final Elements

solenoid

Fail SafeOutput

Fail SafeOutput

Complete SIS

TYPICAL SIL 2 Type A

Process

Sensors

LOGIC SOLVERSIL 2

FinalElements

Typical SIL 2A_1.0

. T

. T

FO

XEV

XPV

fromDCS

Process PipeFO

.EV

.PV

SAFETY Type A SFF<60%

Type A SFF<60%

SAFETY Type A SFF<60%

Type A SFF<60%

Acceptable,If fail to danger of control valve is not part of the scenario.

9

Technical Safety

Quantified Risk Analysis (QRA)

Location Specific Risk

Group Risk

Location Specific Risk

10

Group- or Societal Risk

>Yellow Book: Physical Effects of releases

>Greene Book: Damages to people from the effects

>Purple Book: QRA parameters and data

>Red Book: Failure frequencies and probabilities

TNO Colored Books

11

Plant data

Generic failurerate data

Derive failure cases

Calculate frequencies Calculate consequences

Populationdata

Calculate risks

Assess risks

Meteorologicaldata

Ignition data

QRA scheme

Pressure vessels Failure frequencies(purple book)

Installation G1Instantanious

G2Instantanious

10 min

G3ContinuousØ 10 mm

Pressurevessel

5 x 10-7 5 x 10-7 1 x 10-5

Processvessel

5 x 10-6 5 x 10-6 1 x 10-4

Reactor 5 x 10-6 5 x 10-6 1 x 10-4

12

Organisational Safety

• Organisational factors associated with Safety• Measuring effectiveness from audits en accident

analysis studies• The Tripod method for determining the Basic risk

factors of an organization

HSE MS“fully implemented”

HSE MS“in place”

Measurablerequirements

Non-measurableissues, alertness,imagination, flexibility, expectingthe unexpected

HSEMS

Culture

performance

compliance

A

B

C

Why is ‘good performance’ not enough?

13

SAFETY BY COMMAND

Senior management commitment

Management style

Visible management

Good communication between all levels of employee [management action]

A balance of health and safety and production goals [management prioritisation]

Organisational Factors Associated with a Safety Culture

14

HSE management

JSA/JHATechniques Workplans

Trends/benchmarking

DiagnosticSurveys

ViolationSurvey

Hazardous SituationUnsafe Act reporting

AuditsReviews

Incident Investigation(Tripod Beta)

Incident Reporting

Contract/ContractorManagement

CompetencyProgrammes

Permit toWork System

HSE Assuranceletter

HSE SelfAppraisal

Site Visits

SituationalAwareness

HSE Standards& Procedures

PATHOLOGICAL

REACTIVE

CALCULATIVE

PROACTIVE

GENERATIVE

Safety Culture

chronic uneasesafety seen as a profit centrenew ideas are welcomed

we are serious, but why don’t they do what they’re told?endless discussions to re-classify accidentsSafety is high on the agenda after an accident

the lawyers said it was OKof course we have accidents, it’s a dangerous businesssack the idiot who had the accident

resources are available to fix things before an accidentmanagement is open but still obsessed with statisticsprocedures are “owned” by the workforce

we cracked it!lots and lots of auditsHSE advisers chasing statistics

15

Why Behavioral safety

Safety Improvement tomorrowHuman Behavior

Equipment/Hardware/

Systems/Methods

Ten elements of Safety Culture Maturity®

Visible management commitmentSafety communicationProductivity versus safetyLearning organisationParticipation in safetyHealth & safety resourcesRisk-taking behaviorTrust between management and frontline staffIndustrial relations and job satisfaction Safety training

16

What is behavior safety?

A programme, which becomes a habit, involving…> Analysis of behavior and other causes of accidents> Management (and later workforce) focusing on behaving safely to avoid injury> Observation, intervention, feedback and reinforcement

Some examples:STOP DuPontBehavior safety programs

What is behavior safety?

1 1Identify at risk behaviors and definesafe behavior

2Observation of behaviors and feedback

3Data gathering and creating score carts 4

Steering team: shop floor & staff personell

Results to steering team

Analyses of observations to SHE cie

5SHE committee/ MT team

Observationsresults

ABC analyses and action implementation

17

Emerging Level 1

Managing Level 2

Continuallyimproving

Level 5

Safety culture maturity model

Involving Level 3

Cooperating Level 4

Develop management commitment

Realise the importance of frontline staff and develop personal responsibility

Engage all staff to develop cooperation and commitment to improving safety

Develop consistency and fight complacencyIm

proving safet

y cultu

re

Increasin

g consis

tency

Accident analysis

“Missed Opportunities”

Trevor Kletz: (4/12/2000, Singapore):We find only a single cause (often last one in chain)We find only the immediate causesWe list human error in a too general wayWe list causes we can do little aboutWe do not share our lessonsWe forget the lessons

18

Learning from incidents

Six steps for effective learning from incidents

www.safety-sc.com

Necessary steps

1. Detection of a SHE incident2. Reporting of the incident3. (Tripod) analysis of the incident4. Establishing of the learning effects5. Implementation of the learning effects6. Checking the effectiveness of the implementation

19

Step 4: Establishing learning effects

DRIVERSstandards,

policiesMETHODS

e.g. planning, coordination, control

RESOURCESe.g. time, money, people, materials WORKING

ENVIRONMENTincidents

INTENTIONSManagement

ACTIONSSupervisors

CONSEQUENCESOperational staff

1: Single-loop learning2: Double-loop learning3: Triple-loop learning

1

23

Learning loops

• Single-loop learning affects the way operational goals are achieved:

- Without changing the goals, methods or resources.

- It can be described as doing the same things better. It is visible

in modifications of a task protocol, working instructions or

procedures.

• Double-loop learning affects norms and organizational targets:

- It can be described as doing things in a better way. Such

changes are visible as changes in resources and methods used.

• Triple-loop learning affects the drivers (policies and values) of an organization on a high level.

- It can be described as doing other things.

20

Learning on various organizational levels

Corporate SHE&M

BG 1 or regional Group

BG 2 or regional Group

Site X Site Y

Site A

Site B

LearningFrom incidents

Learning from incidents

Learning from incidents

Learning from incidentsFrom incidents

Learning on various organizational levels

• Learning can take place on several levels (see figure):a. on site level;b. on regional, BU / BG level, i.e. for groups of plants/sites that have

similar activities and use similar technologies;c. on corporate level, i.e. for the whole or for several BG’s.

• Site level: over the shifts, the learning process varies, depending on:

1. quality of information given (see communication)2. support given by the (SHE-)manager3. involvement felt (“can it happen to me?”)

• Other levels: effective learning become more complex. On higher organizational levels, learning can only take place based on selected issues that are shared by a larger number of units within the organization and that are controlled by a higher organizational level

21

Tripod accident investigation

Measure fore effectiveness of Safety Management Measure for vulnerability for Human Factor problemsManagement of Human Factor ProblemsControl the Controllable

The Prevention BRFs> Design (DE)> Tools & Equipment (TE)> Maintenance (MM)> Housekeeping (HK)> Error Enforcing Conditions (EC)> Procedures (PR)> Training (TR)> Communication (CO)> Incompatible Goals (IG)> Organisation (OR)

The Mitigation BRF

> Defences (DF)

Tripod Basic Risk Factors (BRFs)

22

0

25

50

75

100

DE TE MM HK EC PR TR CO IG OR DF

Mean score forIndustrial sector

'State of the art'

Best 25%

Worst 25%

Disastrous

Company 1Company 2

BRF

Measure of control

High

Low

Tripod Condition Survey

Bow-tie model

PREVENT

BEHAVIOUR

ORGANISATION

ENGINEERING

INCIDENT

HAZARDS

MITIGATECONSEQUENCES

23

HET diagram as part of the Bow-tie

Event/ Consequence Target

Control

Latent Failure

Precondition

Active failure

Defence

Latent Failure

Precondition

Acitivefailure

Hazard Event/ Consequence

Event/ Consequence Target

Control

Latent Failure

Precondition

Active failure

Defence

Latent Failure

Precondition

Acitivefailure

Hazard

Closing Remarks

>Technical Safety is ‘ only’ starting point

>Technical safety is undermined by Human Factors as a result of the Safety Culture and the related behavior.

>A mature HSE system includes Organizational and Safety Culture aspects

>Constant feedback from detailed accident analysis studies is required.