
Improve Process Safety with Near-Miss Analysis

CEP, May 2013, www.aiche.org/cep


On the Horizon

Ulku G. Oktem, Univ. of Pennsylvania and Near-Miss Management LLC
Warren D. Seider, Univ. of Pennsylvania
Masoud Soroush, Drexel Univ.
Ankur Pariyani, Near-Miss Management LLC

Copyright 2013 American Institute of Chemical Engineers (AIChE).

Valuable information about unsafe conditions resides in the large alarm databases of distributed control systems and emergency shutdown systems. This overlooked and underutilized information can be analyzed to identify process near-misses and determine the probability of serious accidents.

Automated control and safety systems that help a plant return to normal operating conditions when abnormal events occur are prevalent in modern chemical plants. The databases associated with these systems contain a wealth of information about near-miss occurrences that, if subjected to frequent statistical analysis, can provide metrics to predict and ideally prevent accidents. Such analysis is referred to as dynamic risk analysis.

This article introduces the concept of dynamic risk analysis (DRA) based on alarm databases. It provides a general overview of what this is, how it can be used in chemical processing to improve safety, and challenges that must be addressed over the next 5-10 years. It also highlights current research in this area and offers perspective on methodologies most likely to succeed.

Alarms, near-misses, and accidents

Figure 1 is a generic control chart for a process variable. An abnormal event occurs when control systems are unsuccessful in keeping all process (and product-quality) variables within their normal operating ranges, i.e., green-belt zones. When a variable moves into a yellow-belt zone, a high or low alarm is triggered and the safety systems (operators and/or automated systems) take action to return the variable to its normal range. If the safety systems fail to bring the process variable into normal operation and the variable moves into an orange-belt zone, a high-high or low-low alarm is triggered, causing higher-level safety systems to act. If the variable moves into a red-belt zone, safety systems will attempt emergency shutdown (unplanned shutdown), and if the safety systems are unsuccessful, an accident occurs.

[Figure 1: control chart of a primary variable (process/quality) showing the green, yellow, orange, and red belts; the low and high alarm thresholds, the low-low and high-high alarm thresholds, and the ESD thresholds; and least-critical, moderately-critical, and most-critical abnormal events.]

Figure 1. A control chart for a process variable indicates an abnormal event when the variable moves outside of its green-belt zone.

These accidents are low-probability, high-consequence events, and are often accompanied by large economic losses, personnel injuries, and even fatalities. (The costs of unplanned shutdowns, which happen more frequently than accidents, are also quite significant.)

Of course, the layers of protection in place are usually successful, and therefore the majority of abnormal events are arrested before accidents occur. When an abnormal event is stopped before causing any damage and the variable returns to its green-belt zone, this is considered a process near-miss (which is simply referred to as a near-miss in this article). Near-misses are high-probability, low-consequence events. Accidents are typically preceded by several near-misses.

Many companies record these alarm occurrences in the distributed control system (DCS) and emergency shutdown (ESD) databases. Operators, engineers, and managers seek guidance from these databases by recording key indicators and paying special attention when alarm flooding occurs. Most of the time, further analysis is done after process upsets, unanticipated trips, and accidents occur.

Companies are becoming increasingly aware that these databases are rich in information related to near-misses. In recent years, researchers have been developing key performance indicators, or metrics, associated with potential trips (shutdowns with no associated personal injury, equipment damage, or significant environmental problem) and accidents; leading indicators (i.e., events or trends indicating the times these trips and accidents are likely to occur); and probabilities of failure of the individual safety systems and the occurrence of trips and accidents. When conducted at frequent intervals, the analyses that are associated with these performance indicators are often referred to as dynamic risk analyses, or simply near-miss analyses.

Conventional risk analyses

Risk assessment is an important component of the Occupational Safety and Health Administration's (OSHA) process safety management (PSM) standard, which includes (among other elements) inherently safer design, hazard identification, risk assessment, consequence modeling and evaluation, auditing, and inspection. Over the last decade, PSM has become a popular and effective approach to maintain and improve the safety, operability, and productivity of plant operations. As part of this, several risk assessment methods have been developed.

The use of quantitative risk analysis (QRA), which was pioneered in the nuclear industry in the 1960s, was extended to the chemical industry in the late 1970s and early 1980s after major accidents such as the 1974 Flixborough explosion in the U.K., the 1984 Bhopal incident in India, etc. Chemical process quantitative risk analysis (CPQRA) was first fully described and introduced as a safety assessment tool by AIChE's Center for Chemical Process Safety (CCPS) in the 1990s as a means to evaluate potential risks when qualitative methods are inadequate. CPQRA is used to identify incident scenarios and evaluate their risk by defining the probability of failure, the various consequences, and the potential impacts of those consequences. This method typically relies on historical data, including chemical process and equipment data, and human reliability data to identify hazards and risk-reduction strategies.

Other risk assessment methods were subsequently developed to analyze industry-wide incident databases (1-5). These databases include: CCPS's Process Safety Incident Database (1), which tracks, pools, and shares process safety incident information among participating companies; the Risk Management Plan database, RMP*Info (2), developed by the Environmental Protection Agency (EPA); the National Response Center (NRC) database, an online tool set up by NRC to allow users to submit and share incident reports; and the Major Accident-Reporting System (MARS), which is maintained by the Major Accident Hazards Bureau (MAHB).

Recent risk analyses associated with chemical plant safety and operability have used Bayesian statistics to incorporate expert opinion (6-8), and fuzzy logic to account for knowledge uncertainty and data imprecision (9-10). Such methods have significantly improved quantitative risk assessment.

While these methods have been important in quantifying safety performance, a large amount of precursor information pointing to unsafe conditions has been overlooked and unutilized, because it resides in large alarm databases (i.e., DCS and ESD). The alarms help plant operators assess and control plant performance, especially in the face of potential safety and product-quality problems. The alarm databases, therefore, contain information on the progression of disturbances and the performance of regulating and protection systems. However, despite advances in alarm management standards and procedures, existing alarm-data analysis methods reported in the literature have inadequately utilized the risk information contained in alarm databases and have used the data for incident and reliability analyses only.

Several comprehensive algorithms and software packages to evaluate process safety risks with an eye toward developing and implementing appropriate protective measures have been developed over the last two decades (11-12). Most of these systems rely on the accident and failure databases mentioned above, which provide information such as accident frequencies, consequences, and associated economic losses, to perform quantitative risk analyses. (Other tools, discussed later, utilize a quantitative methodology for risk analysis either in real-time or on-demand, but they do not focus on estimating the likelihood of incidents or the failure of safety systems.)

The analyses that involve accidents and failures only, and exclude day-to-day alarm information and associated near-miss data, are not highly predictive. They overlook the progression of events leading up to near-misses, information that can only be obtained by analyzing data found in alarm databases.

A study of an ammonia storage facility conducted by the Joint Research Centre and Denmark Risk National Laboratory of the European Commission (13) found that risk estimates based on generic databases of reliability and failure data for commonly used equipment and instruments are prone to biases and could provide widely varying results depending on data sources.

For these reasons, the importance of utilizing process-specific databases for risk analyses has been gaining recognition.

Dynamic risk analysis

Accidents are rare events, often described using the popular Swiss cheese model (14), in which the layers of protection are envisioned as pieces of Swiss cheese lined up in a row, with the holes (which vary in size and placement) corresponding to weaknesses in the individual layers of protection (Figure 2). According to this model, failures occur when the holes in the individual slices line up, creating trajectories of accident opportunities. This view implies that an element of chance is involved in the occurrence of failures.

[Figure 2: two panels, "Risk Mitigated" and "Risk Propagated", each showing an abnormal event meeting Safety Systems 1 through 4.]

Figure 2. The Swiss cheese model depicts the relationship between layers of protection and accidents. Each slice of cheese represents one layer of protection, and the holes in the cheese correspond to weaknesses within each layer. According to this model, failures occur when the holes in the individual slices line up.

Most major accident investigations have identified 3.
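The belt-zone scheme of Figure 1 and the near-miss definition, worked through as an added example (not code from the article or its authors): readings of one process variable are grouped into abnormal events and graded by the worst belt reached. The threshold values, sample readings and function names are constructed; counting every event that returns to the green belt as a near-miss is an assumption, because damage is not visible in the trace itself.

```python
from collections import Counter, namedtuple

GREEN, YELLOW, ORANGE, RED = range(4)  # belts of Figure 1, ordered by severity
# Labels taken from Figure 1; mapping them to belts is this example's reading of it.
CRITICALITY = {YELLOW: "least-critical", ORANGE: "moderately-critical",
               RED: "most-critical"}
Thresholds = namedtuple("Thresholds", "low_esd low_low low high high_high high_esd")

def belt(value, th):
    """Map one reading to the belt zone it falls in."""
    if value >= th.high_esd or value <= th.low_esd:
        return RED
    if value >= th.high_high or value <= th.low_low:
        return ORANGE
    if value >= th.high or value <= th.low:
        return YELLOW
    return GREEN

def abnormal_events(samples, th):
    """Group consecutive non-green readings into events, tracking the worst belt."""
    events, cur = [], None
    for t, value in samples:
        b = belt(value, th)
        if b == GREEN:
            if cur:  # variable is back in its green belt: close the event
                cur.update(end=t, returned_to_green=True)
                events.append(cur)
                cur = None
        elif cur is None:
            cur = {"start": t, "end": None, "peak": b, "returned_to_green": False}
        else:
            cur["peak"] = max(cur["peak"], b)
    if cur:
        events.append(cur)  # still abnormal when the data ends
    for e in events:
        e["criticality"] = CRITICALITY[e["peak"]]
    return events

def near_miss_counts(events):
    """Assumption: an event that returned to green caused no damage (near-miss)."""
    return dict(Counter(e["criticality"] for e in events if e["returned_to_green"]))

# Constructed sample: (time, reading) pairs for one process variable.
TH = Thresholds(low_esd=40, low_low=50, low=60, high=90, high_high=100, high_esd=110)
SAMPLES = [(0, 75), (1, 92), (2, 95), (3, 80), (4, 78), (5, 93), (6, 103), (7, 96),
           (8, 85), (9, 58), (10, 48), (11, 39), (12, 62), (13, 70), (14, 91)]
```

Counts per criticality level over successive time windows are the kind of metric the article describes for frequent, alarm-database-driven analysis.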

