“Safety Science”?

A science provides generic knowledge.

• A science can be viewed as the most warranted statements that can be made at the time being on the subject matter covered by the relevant knowledge community (Pigliucci and Boudry, 2013).

Is Safety a science? Yes and No!

[Figure: data, information, knowledge pyramid with a Covid-19 example]
Knowledge: the criterion used to judge the risk (Covid-19)
Information: a 14-day temperature profile
Data (objective and subjective): daily temperature measurement

Pigliucci, M. and Boudry (Eds). (2013). Philosophy of pseudoscience. University of Chicago Press.

Science-policy process

• 1st approximation of information flow
• 2nd approximation of information flow
[Figure: science-policy information flow]

Hansson and Aven (2014). Is risk analysis scientific? Risk Analysis, 34(7), 1173-1183.

Safety as a science and practice

• A multi-disciplinary domain that lacks a unifying theory.
• Safety is no longer the exclusive domain of the technician in industry; it is a melting-pot of expertise and experts.
• The need to further develop safety science comes from the growing complexity of technology and organizations.

Swuste, P. et al. (2020). The future of safety science. Safety Science, 125, 104593.
The focal point of safety science

[Figure: residual risks, reliability, human factors; accident-focused / risk-focused]

Furuta, K. (2020). Resilience engineering, a new horizon of systems safety.

Safety?

What is Health?
• Absence of illness/sickness
• How to measure and maximize?
• Check for any illness or sickness causing situation
• Avoid unhealthy conditions
• Do regular checkups

What is Safety?
• Absence of accidents
• How to measure and maximize?
• Check for any accident causing situation: RISK
• Minimize risk
• Monitor and manage risk

Health to the human is Safety to the System.

Khan, F. Presentation on “Dynamic risk management of process operations”.

The focus of Safety I efforts

• Safety I promotes the general solution, known as ‘find and fix’.
• Safety I promotes a bimodal view of work and activities.

The ‘mechanism’ and foundation of Safety I

• Safety I is the causality credo.
• The systems are decomposable into their constituent parts.
• Systems and their parts either function or fail (they are bimodal).

Hollnagel, E., Wears, R.L. and Braithwaite, J. From Safety-I to Safety-II: A White Paper. The Resilient Health Care Net: Published simultaneously by the University of Southern Denmark, University of Florida, USA, and Macquarie University, Australia.
Rapid technological developments

• Replace ‘fallible’ humans with ‘less fallible’ technology.
• Problems are selected based on just one criterion: whether they are ‘solvable’ with a nice and clean technological solution at our disposal.
• We must accept that the systems today are increasingly intractable.

Some Navy aircraft were ferrying missiles from one point to another. One pilot executed a planned test by aiming at the aircraft in front (as he had been told to do) and firing a dummy missile. Apparently nobody knew that the “smart” software was designed to substitute a different missile if the one that was commanded to be fired was not in a good position. In this case, there was an antenna between the dummy missile and the target, so the software decided to fire a live missile located in a different (better) position instead.

What aircraft component(s) failed here?

The reasons why things work again!

• Some degree of variability, flexibility, or adaptivity is required for the system to work.
• Humans make mistakes, but they also provide the capacity for variability, flexibility, or adaptivity.

Work-As-Imagined and Work-As-Done

• Taylor (1911) Scientific Management Theory provided the theoretical and practical foundation for the notion that Work-As-Imagined is a necessary and sufficient basis for Work-As-Done.
• The more intractable environments that we have today mean that Work-As-Done differs significantly from Work-As-Imagined.

Operational success vs. operational failure

[Figure: operational success vs. operational failure]

Smith, D. et al. (2017). Understanding industrial safety: comparing fault tree, Bayesian network, and FRAM approaches. Journal of Loss Prevention in the Process Industries, 45, 88-101.
Transition to Safety II

• Focusing on the lack of safety does not show us which direction to take to improve safety.

Things that go right and things that go wrong happen in the same way!

Hollnagel, E., Wears, R.L. and Braithwaite, J. From Safety-I to Safety-II: A White Paper. The Resilient Health Care Net: Published simultaneously by the University of Southern Denmark, University of Florida, USA, and Macquarie University, Australia.

The premises for today’s safety management

• Complex systems cannot be decomposed in a meaningful way.
• System functions are not bimodal, but their everyday performance must be flexible and variable.
• Outcomes emerge from human performance variability.

Safety II definition

• Safety II is the system’s ability to function as required under varying conditions, so that the number of intended and acceptable outcomes is as high as possible. (E. Hollnagel)
The mechanism and foundation of Safety II

• Performance variability rather than bimodality
• Emergence rather than causality
[Figure: from causality to emergence]

Comparison between Safety I and Safety II

Definition of safety
  Safety I: That as few things as possible go wrong.
  Safety II: That as many things as possible go right.

Safety management principle
  Safety I: Reactive, respond when something happens or is categorized as an unacceptable risk.
  Safety II: Proactive, continuously trying to anticipate developments and events.

View of the human factor in safety management
  Safety I: Humans are predominantly seen as liability or hazard. They are a problem to be fixed.
  Safety II: Humans are seen as a resource necessary for system flexibility and resilience. They provide flexible solutions to many potential problems.

Accident investigation
  Safety I: Accidents are caused by failures and malfunctions. The purpose of an investigation is to identify the causes.
  Safety II: Things basically happen in the same way, regardless of the outcome. The purpose of an investigation is to understand how things usually go right as a basis for explaining how things occasionally go wrong.

Risk assessment
  Safety I: Accidents are caused by failures and malfunctions. The purpose of an investigation is to identify causes and contributory factors.
  Safety II: To understand the conditions where performance variability can become difficult or impossible to monitor and control.

Transition to Safety II

• Look for what goes right
• Focus on frequent events
• Remain sensitive to the possibility of failure
• Be thorough as well as efficient
• Investing in safety: the gains from safety

Safety? (in resilience-based thinking)

What is Health?
• Strong immunity and absence of illness
• How to measure and maximize?
• Do healthy things (exercise regularly, hydrate, get plenty of sleep)
• Do regular checkups (both immunity and disease)

What is Safety?
• Strong ability to handle disruptions and maintain desired performance
• How to measure and maximize?
• Check for functionality variability balancing productivity and safety: Resilience
• Maximize resilience
• Monitor and manage resilience

Health to the human is Safety to the System. Let’s build up our immunity!
Select 2018/2019 major accidents

[Figure: selected 2018/2019 major accidents]

Risk?

Risk management is not only a matter of financial risk.

Deepwater Horizon Accident

[Figure: Deepwater Horizon accident]

Risk is of all times

• History of risks in a world perspective:
  – 2500 BC: Chinese
  – 1600 BC: Egyptians
  – 400 BC: Greeks
  – 1 AD: Romans
  – 1500 AD: Continental Europeans
  – 1700 AD: English
  – 2000 AD: Americans and Europeans
What do engineers do? Engineering as a word

• It is commonly agreed that the term engineer, and by extension engineering, comes from the root word gene. genə-, also gen-, is a Proto-Indo-European root meaning "give birth, beget" (you may find evidence of this root in Sanskrit, Greek and later Latin).
• It is actually through Latin, and specifically the words Ingenium (device or machine) and Ingeniare (devise or make), that the link between the root gene- and modern engineering was created; engineering nowadays refers to “Devise/Design things* under Constraints”.

What is the most important thing to you as an engineer?

Bhopal accident, 1984. Immediate death of 2258.

Ensure “Safety”
Minimize “Risk”

The Bhopal disaster 1984

• Massive toxic gas leak from Union Carbide India Limited (UCIL) chemical plant at Bhopal in December, 1984.
• Thousands killed and hundreds of thousands injured by 40 ton release of methyl isocyanate (MIC).
• Caused by unsafe conditions and series of failures in poorly maintained and understaffed plant.

Some Context:

• The Bhopal Plant
  – Built in late 1960’s to process pesticides
  – Expanded in 1970’s to add production capability
  – Production cut in 1980’s due to market forces and decision to sell plant
• Ownership and Operation
  – Union Carbide owned controlling share (50.9%) of UCIL
  – Plant managed and staffed locally by UCIL
• Climate
  – Plant initially welcomed at Bhopal for its economic potential
  – Located 2 miles from city center; surrounding population expanded significantly between construction and disaster
  – Government classified plant as “general” (not “hazardous”) industry in 1976, even after approving MIC-based processes at plant and establishing a “hazardous industry” zone 15 miles from city

Adopted from The Bhopal Plant Disaster, IDEESE Case Study Series, © 2008 IDEESE
Some facts of the Bhopal accident

Contributing factors…

The Disaster: Contributing Factors

Human Error
– Critical isolation valve not closed before pipes were flushed with water, causing the fatal pressurization of tank containing MIC.
– Flare for flame neutralization of escaping gas was shut down

Inadequate Safety Equipment
– Reach of sprayer for water neutralization of escaping gas was inadequate. Plant managers were aware of deficiency.
– Flare system lacked capacity for major gas leak.

Failure of Safety Equipment
– Stack scrubber, activated by operator during leak, failed.

Poor Maintenance
– Tank refrigerators inoperable; had been drained of freon
– Blockage in pipes meant to drain water that pressurized tank

Adopted from The Bhopal Plant Disaster, IDEESE Case Study Series, © 2008 IDEESE

The Disaster: Contributing Factors (cont.)

Inadequate Staffing
– Union-Carbide-trained supervisors had left Bhopal by 1984
– Staffing in MIC unit had been cut below half of recommended level
– Second-shift maintenance supervisor position eliminated weeks before disaster

Lack of Evacuation Plans
– Visiting Union Carbide engineers repeatedly stressed need for a plan to alert and evacuate population in the event of a gas leak
– UCIL claimed to have developed such plans
– City and state officials claimed no knowledge of such plans

Inadequate Response
– Warning siren activated upon leak, but only for a few minutes
– Public response panicked, evacuation slow and uncoordinated
– Response of medical workers hampered by lack of info about MIC

Adopted from The Bhopal Plant Disaster, IDEESE Case Study Series, © 2008 IDEESE
Risk = Expected loss

Risk = Probability × Consequence

Events/Scenarios S, Consequences C, Probabilities P

Risk = F(S(C,P))

I am offering you a game: throwing a coin

• “Head”: +50 Euro
• “Tail”: -10 Euro
• What is your risk?
• (C,P) = (-10, 1/2)

This risk is based on an assumption:
- The coin is fair!

Background knowledge

• Assumption 1: The platform jacket structure will withstand a ship collision energy of 20 MJ
• Assumption 2: There will be no hot work on the platform
• Assumption 3: The reliability of the blowdown system is R
• Assumption 4: There will be N crane lifts per year
• …
• Assumption 50: …
Main problems with the risk definition

1. Assumptions can conceal important aspects of risk and uncertainties
2. Presume existence of probability models and historical data
3. The probabilities can be the same but the knowledge they are built on could be strong or weak
4. Surprises occur

Risk perspective

[Figure: three risk perspectives]
Probability-based: probabilities, historical data, risk matrices
Knowledge dimension: knowledge, surprises
Surprises

The risk concept

[Figure: an activity with its events and consequences, values at stake, uncertainty, and the knowledge, data and information available]
How to represent the risk here?

Risk description S(C, P, K)

C: specific consequences
P: measured uncertainty
K: Knowledge that C and P are based on.
Risk

Risk = F{s(c, f)}
[Figure: risk assessed at the Conceptual Design, FEED and Detailed design stages, plotted against time]

Dynamic Risk

Dynamic Risk = F{s(c, p, k), t}
[Figure: risk updated at the Conceptual Design, FEED, Detailed design, Installation and Operation stages, plotted against time]

Accident Precursor Concept for risk modelling

[Figure: precursor hierarchy, from causes upward]
Safe (Normal) state
Near Miss: gas leaked but vented to safe location
Mishap: gas leaked and vented onto rig
Incident: small scale fire
Accident: fire and major accidents
CAUSES

Yang, M., Khan, F., Lye, L. (2013). Precursor-based hierarchical Bayesian approach for rare event frequency estimation: a case of oil spill accidents. Process Safety and Environmental Protection, 91(5), 333-342.

Some take-aways

• To assess risk in engineering domain, we need to see beyond expected values and probabilities
• Uncertainty is a key aspect of risk (dependent on knowledge and information available)
• Risk = F(S(C,P,K),t) to be investigated
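The risk description S(C, P, K) and its dynamic form F(S(C, P, K), t), worked on the coin game from the earlier slides, as an added example that is not the lecturer's code. The Beta-Binomial update of P(tail) and the spread threshold used to label K as strong or weak are assumptions of this example, chosen to show that identical (C, P) can rest on weak or strong knowledge and that P and K change as observations arrive over time.

```python
"""Risk description S(C, P, K) and its dynamic form F(S(C, P, K), t),
worked on the coin game from the slides.  Constructed example, not the
lecturer's code; the Beta-Binomial update is an assumption of this example."""
from dataclasses import dataclass, field
from math import sqrt


@dataclass
class Scenario:
    """One scenario s: a consequence C, a probability P and the knowledge K
    (strength plus the assumptions) that C and P rest on."""
    name: str
    consequence: float                       # C, in Euro: losses negative
    probability: float                       # P: measured uncertainty
    knowledge: str                           # K: "strong" or "weak"
    assumptions: list = field(default_factory=list)


def risk_description(scenarios):
    """The (C, P, K) triples of the undesired (loss) scenarios."""
    return [(s.consequence, s.probability, s.knowledge)
            for s in scenarios if s.consequence < 0]


def expected_loss(scenarios):
    """Risk = Probability x Consequence, summed over the loss scenarios."""
    return -sum(s.probability * s.consequence
                for s in scenarios if s.consequence < 0)


def coin_game(knowledge, assumptions):
    """Head: +50 Euro, Tail: -10 Euro, each with P = 1/2."""
    return [Scenario("head", 50.0, 0.5, knowledge, assumptions),
            Scenario("tail", -10.0, 0.5, knowledge, assumptions)]


def same_numbers_different_knowledge():
    """Problem 3 on the slides: identical (C, P) can rest on weak or strong K."""
    weak = coin_game("weak", ["the coin is fair (untested)"])
    strong = coin_game("strong", ["coin flipped 1000 times, ~500 tails observed"])
    return risk_description(weak), risk_description(strong)


def knowledge_strength(std, threshold=0.05):
    """Label K by the spread of the probability estimate (threshold assumed)."""
    return "strong" if std < threshold else "weak"


def updated_tail_probability(tails, flips, prior_strength=2):
    """Beta-Binomial update of P(tail) from observed flips: a weak 'fair coin'
    prior Beta(1, 1) plus the counts.  Returns (mean, std) of the posterior."""
    a = prior_strength / 2 + tails
    b = prior_strength / 2 + (flips - tails)
    mean = a / (a + b)
    std = sqrt(a * b / ((a + b) ** 2 * (a + b + 1)))
    return mean, std


def dynamic_risk(observations):
    """F(S(C, P, K), t): re-describe the tail risk after each batch of flips.
    observations: list of (time, tails, flips) with cumulative counts."""
    history = []
    for t, tails, flips in observations:
        p, std = updated_tail_probability(tails, flips)
        s = Scenario("tail", -10.0, p, knowledge_strength(std),
                     [f"{flips} flips observed, {tails} tails, by t={t}"])
        history.append((t, risk_description([s])[0], expected_loss([s])))
    return history
```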
Examples of hazards

• Fire, explosion
• Chemical, spills (poisoning, pollution)
• Radiation
• Moving objects (planes, trains, automobiles, ships, rockets, robots, machines)
• Heights, weights (scaffolds, ladders)
• Floods, earthquakes, natural hazards
• Failure of electric/hydraulic systems
• Human error in design and exploitation
• Building errors
• Deterioration / lack of maintenance

Definition of hazard (danger or threat)

• A hazard is any agent that can cause harm or damage to humans, property, or the environment.
• A hazard poses no risk if there is no exposure to that hazard.
• An event that is caused by interaction with a hazard is called an incident.
• If there is no possibility of a hazard contributing towards an incident, there is no risk.

Definition of risk

• Oxford English Dictionary: (Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.
• Risk of an undesired event is a function of the probability of the event and the effect of the event. It is closely related to uncertainties in variables.

Definition of safety

• Safety is the state of being "safe" (from French sauf), the condition of being protected from harm or other non-desirable outcomes.
• Safety can also refer to the control of recognized hazards in order to achieve an acceptable level of risk.
Definition of security

• Also called social safety or public safety, security addresses the risk of harm due to intentional criminal acts such as assault, burglary or vandalism.
• Security is of higher importance to many people than safety. For example, a death due to murder is considered worse than a death in a car crash, even though in many countries, traffic deaths are more common than homicides.

Analogy between exact sciences and industrial practices

Healthy person  –  Healthy organization
Medicine  –  Optimized production
Biochemistry  –  Optimized management
Chemistry  –  Sustainability
Physics  –  HSE and Quality
Mathematics  –  Engineering risk management

The crocodile metaphor

Types of barriers

• Eliminate hazard
• Move away target
• Add (passive) barriers
• Protect targets (active barriers)

Failure mechanisms

• Describe (physically) how the failure of a system, process or structure occurs
• The failure mechanisms of a relay which may fail to open or close contacts on demand:
  – corrosion, welding of contacts due to an abnormal electric current, return spring fatigue failure, unintended command failure, dust accumulation and blockage of mechanism

Failure mechanisms (non-physical)

• The real root causes can in most cases be traced back to a human or organizational factor, e.g. design failure, operational errors, management failures, maintenance induced failures, specification failures, etc.
Risk management methods in general

• Systemic thinking: the whole is primary and the parts are secondary (dynamic, circular, complexity, resiliency)
• Analytic thinking: the parts are primary and the whole is secondary (static, linear, simple cause-consequence relationships, additivity of elementary properties).

The engineering risk management process

[Figure: process cycle]
Problem and contexts definition
Risk assessment
Identification of interventions and consideration of options
Choice of strategy
Implementation of interventions
Review of processes and interventions
Risk communication

Risk Analysis

• Basic questions
  – What can go wrong? And how?
  – What is the likelihood of that happening?
  – What can be the consequences?
  – Which measures should be taken to reduce the likelihood and/or consequences?
• Approaches
  – Deterministic: based on scenarios, often limited to MCA (maximum credible accident)
  – Probabilistic: All ‘conceivable’ accidents in relation to their probability of occurrence

Risk analysis framework

[Figure: flowchart]
Define context and criteria
Define system
Identify hazard scenarios
Analyse consequences / Analyse probabilities
Identify risk scenarios
Analyse sensitivities
Assess risks
Risk treatment
Monitor and review (alongside all steps)
Define context and criteria

• Who are the actors?
• Related to risks of new technology or existing technology?
• External risks or internal risks?
• Risk criteria on individual level or group level?
• Risk levels vs. conflicting values?
• We will come back to this later.

Methods for hazard identification

• Past experience (incident, accident reports / databases)
• Failure Mode Effect and Criticality Analysis (FMECA)
• Fault Tree Analysis
• Hazard and Operability study (HAZOP)

Probability

• The probability that a given event will occur

Probabilities

Dying in an airplane crash: 10^-6 per flight
Having a car accident: 0.6 × 10^-5 per km travelling in the Netherlands
Human error on a simple, frequently performed task, under minimal stress: 10^-3 per demand
Data sources for probability

• Accident and incident databases
• Data generated from simulations / experiments / VR rooms
• Data from ALT by manufacturers / inspectorates

Consequence analysis

• Direct vs. indirect effects
• Deterministic vs. stochastic effects
• Objective vs. subjective impacts
• Factors which influence risk perception (next slides)

Risk criteria: fundamentals

• Individual acceptable level of risk
• Societal acceptable level of risk

Individual acceptable risk

• “The acceptable probability that an individual will lose his life as the result of somebody else’s activity”. The life expectancy of the Dutch population serves as a basis for determining the personally acceptable risk.
• An analysis of statistical data revealed that people of the ages 6 to 20 have a probability of decease of 10^-4 in a year. This analysis takes all possible causes of death into consideration and no distinction is made between activities.
• For the acceptance of an activity it has been set that the increase of the probability of decease may not exceed 1%. The maximum allowed probability of decease for an activity is then 10^-6.

  P_fi · P_d|fi ≤ 10^-6 in a year

Individual Risks near Airport Schiphol

[Figure: individual risk contours around Schiphol]
Restricted area Blue = 10^-6
Restricted area Red = 10^-5

Mitigation measures
Restricted area 1 is called demolition zone:
• No building of new houses;
• No building of new offices and industrial buildings/factories;
• Existing houses are purchased and demolished on a voluntary basis;

Individual acceptable level of risk

• The probability of losing one’s life in normal daily activities such as driving a car or working in a factory is one or two orders of magnitude lower than the overall probability of dying.
• Only purely voluntary activities (such as mountaineering) have a higher risk (see Figure).

Societal acceptable risk

• Outcome of a political process:
• The death of 10 people in a year as a result of failure of an LPG-station with a probability of 10^-5 is accepted.
Acceptable RISK? ALARA principle: As Low As Reasonably Achievable

Intolerable region: Risks have to be excluded
ALARA or tolerable region: Acceptable only if further reduction is impossible or too expensive
Broadly acceptable region: Prevent that the risk increases

Consequence analysis

• Purpose: To assess the extent of damage
• Typical Hazard
  • Toxic Release, Fire and Explosion
• Modelling of hazard scenario
  – Toxic Release: Source (Release) Model, Dispersion
  – Fire and explosion: Source Model, Fire and Explosion, Heat Dispersion
  – Fatality Assessment: Probit Analysis
  – Nonfatal Consequence: Skin-burn, Property damage

Loss functions

[Figure: asymmetric inverted normal loss functions; quartic loss functions]

An example

• The loss function of the reactor
CFD Modeling

• The common methods of estimating the overpressure caused by an explosion (Multi-Energy method and TNT-Equivalence method) assume that the blast generated is similar in all directions with no directional effects. However, these methods do not take into account factors such as:
  – Directional effects
  – Focusing effects
  – Reflection effects
  – Factors related to the source of the explosion (e.g. initial strength, shape)
  Thus, Computational Fluid Dynamics (CFD) modeling has been introduced to allow for better predictions of the strength of blast waves generated by gaseous explosions.
• Computational Fluid Dynamics (CFD): a powerful and useful tool for predictive analysis of flow, mass, momentum, and energy associated with dispersion and explosion phenomena.

FLACS – a CFD fire and explosion software

[Figure: FLACS]

Phast by DNV

[Figure: Phast]

Management & Decision Making

• Risk Management
  – Strategies
  – How far do you need to go
  – Acceptance
• Decision making under risk
  – What are the issues?
  – Some methods for decision making
Risk management strategy?

• All we have to do is get the numbers right.
• All we have to do is tell them the numbers.
• All we have to do is explain what we mean by the numbers.
• All we have to do is show them that they’ve accepted similar risks in the past.
• All we have to do is show them that it’s a good deal for them.
• All we have to do is treat them nice.

When we want to sustain public acceptance we have to be trusted, by involving the public meaningfully and keeping it informed in risk assessments!

A case study

Group discussion

• What is the risk here? How to describe it?
• What are the influencing factors?
• How to assess the risk? Steps?

Thank you! Questions?

Ming Yang, PhD, P.Eng.
Assistant Professor of Safety and Security Science
Faculty of Technology, Policy, and Management, TU Delft, the Netherlands
Email: m.yang-1@tudelft.nl
Risk assessment techniques – part 1

Lecture 2 of TPM024A
Dr. Ming Yang, Safety and Security Science Section
May 02, 2022
Email: m.yang-1@tudelft.nl

Outline of lecture 2

• Hazard identification approaches
• Accident modeling approaches

What does hazard identification aim to answer?

• What types of hazards are present?
• Where are they located?

Hazard Evaluation Techniques

[Figure: timeline of hazard evaluation techniques]
1960 - 2001: Safety Review (walk-through inspection)
1960 - 2001: Check Lists (historical lists, yes / no)
1965 - 2001: Relative Ranking (ICI Mond Index, Dow FEI)
1970 - 2001: PHA, Preliminary Hazard Analysis (hazardous mtls, hazardous opns)
1972 - 1974: What if (brainstorming)
1974 - 2001: HAZOP, Hazards Operability Analysis (line by line deviation analysis)

This presentation only considers the HAZOP technique.
Checklist

A checklist is a list of questions about plant organization, operation, maintenance and other areas of concern to verify that various requirements have been fulfilled and nothing is neglected or overlooked.

HAZOP

• HAZOP was developed by Lawley (1974) of ICI, based on an early account by Elliott & Owen (1968).
• HAZOP studies are carried out by an experienced, multidisciplinary team.
• Review all physical aspects of a process (lines, equipment, instrumentation) to discover potential hazards.

HAZOP

• HAZOP is a simple structured methodology for hazard identification and assessment. P&IDs, PFDs, material flow diagrams, and operating manuals are examined to identify causes and consequences for all possible deviations from normal operation that could arise.
Principles of HAZOP

Concept
• Systems work well when operating under design conditions.
• Problems arise when deviations from design conditions occur.

Basis
• a word model, a process flow sheet (PFD) or a piping and instrumentation diagram (P&ID)

Method
• use guide words to question every part of the process to discover what deviations from the intention of design can occur and what their causes and consequences may be.

Principles of HAZOP

GUIDE WORDS*: NONE, MORE OF, LESS OF, PART OF, MORE THAN, OTHER

CAUSE → DEVIATION (from standard condition or intention) → CONSEQUENCES (trivial, important, catastrophic): hazard, operating difficulties

* Covering every parameter relevant to the system under review, i.e. flow rate, flow quantity, pressure, temperature, viscosity, components

STUDY NODES
The locations (on P&ID or procedures) at which the process parameters are investigated for deviations. These nodes are points where the process parameters (P, T, F etc.) have an identified design intent.

INTENTION
The intention defines how the plant is expected to operate in the absence of deviations at the study nodes.

DEVIATIONS
These are departures from the intention which can be discovered by systematically applying the guide words.
• Process conditions
• activities
• substances
• time
• place

HAZOP Guide Words

Guide word | Meaning | Example (flow of A)
NO or NOT | Negation of intention | No flow of A
MORE | Quantitative increase | Flow of A greater than design flow
LESS | Quantitative decrease | Flow of A less than design flow
AS WELL AS | Quantitative increase | Transfer of some component additional to A
PART OF | Quantitative decrease | Failure to transfer all components of A
REVERSE | Logical opposite of intention | Flow of A in direction opposite to design direction
OTHER THAN | Complete substitution | Transfer of some material other than A

More recent computerization techniques use a Standard Set of Generic Deviations for Specific Section Types. See Dev'ns tab for examples.
Deviations Generated by Each Guide Word

[Table: guide word × parameter → deviation]
Parameters: Flow, Pressure, Temperature, Level, Time, Composition, pH, Speed, Frequency, Viscosity, Voltage, Toxicity, Mixing, Addition, Separation, Reaction
Example: REVERSE + Flow → reverse flow

Common HAZOP Analysis Process

[Figure: flowchart]

EXAMPLE

[Figure: flowsheet with streams A and B pumped to a reactor producing C]

The flowsheet shows that raw material streams A and B are transferred by pump to a reactor, where they react to form product C. Assume that the flow rate of B should not exceed that of A (F_B ≤ F_A). Otherwise, an explosion may occur. Let’s consider the flow of A in line 1:

HAZOP DISPLAY

NONE: No flow of A
MORE: Flow of A greater than design flow
LESS: Flow of A less than design flow
AS WELL AS: Transfer of some component additional to A
PART OF: Failure to transfer a component of A
REVERSE: Flow of A in a direction opposite to design direction
OTHER THAN: Transfer of some material other than A
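The guide-word step above, carried through in code for the flow of A in line 1, as an added illustration that is not the lecturer's code or any HAZOP tool. It applies the seven guide words, attaches the typical flow-deviation causes from the check-list example later in the slides, and screens each flow deviation against the design intention F_B ≤ F_A; the numeric reading of NONE/MORE/LESS/REVERSE as multiples of the design flow is an assumption of this example, used only for that screening.

```python
"""HAZOP deviation generation for the A + B -> C reactor example on the slides
(flow of A in line 1, design intention F_B <= F_A).  Constructed illustration,
not the lecturer's code or any HAZOP tool."""
from dataclasses import dataclass

# Guide words and the deviation each generates for a parameter p of stream s.
GUIDE_WORDS = {
    "NONE": "No {p} of {s}",
    "MORE": "{p} of {s} greater than design {p}",
    "LESS": "{p} of {s} less than design {p}",
    "AS WELL AS": "Transfer of some component additional to {s}",
    "PART OF": "Failure to transfer a component of {s}",
    "REVERSE": "{p} of {s} in a direction opposite to design direction",
    "OTHER THAN": "Transfer of some material other than {s}",
}

# Typical causes of flow deviations, taken from the check-list example on the
# slides; causes for the remaining guide words must come from the team.
TYPICAL_CAUSES = {
    "NONE": "pump failure, delivery vessel overpressurized, gas blockage, "
            "foreign body, scale, sediment, suction vessel empty",
    "MORE": "pump racing, delivery vessel pressure lost, suction pressurized, "
            "scale dislodged, loss of automatic control",
    "LESS": "pump failure, scaling of delivery, foreign body, poor suction, "
            "cavitation, drain leak, valve jammed, operator error",
    "REVERSE": "pump failure, pump reversed, delivery vessel overpressurized, "
               "poor isolation, gas locking, surging, back siphoning",
}

# Assumed quantitative reading of the flow guide words, as a multiple of the
# design flow (an assumption of this example, used only to screen the
# F_B <= F_A intention; it is not a HAZOP rule).
FLOW_FACTOR = {"NONE": 0.0, "MORE": 1.5, "LESS": 0.5, "REVERSE": -1.0}


@dataclass
class WorksheetRow:
    node: str
    guide_word: str
    deviation: str
    causes: str
    consequence: str


def deviations(parameter, stream):
    """Apply every guide word to one parameter of one stream."""
    return {gw: tmpl.format(p=parameter, s=stream)
            for gw, tmpl in GUIDE_WORDS.items()}


def violates_intention(flow_a, flow_b):
    """Design intention: F_B <= F_A.  Violated -> an explosion may occur."""
    return flow_b > flow_a


def hazop_line_1(design_flow_a, design_flow_b):
    """Worksheet rows for 'Flow of A' at node Line 1, screening each flow
    deviation against the intention while B stays at its design flow."""
    rows = []
    for gw, dev in deviations("Flow", "A").items():
        if gw in FLOW_FACTOR:
            flow_a = design_flow_a * FLOW_FACTOR[gw]
            if violates_intention(flow_a, design_flow_b):
                cons = "F_B > F_A: explosion hazard"
            else:
                cons = "F_B <= F_A still holds; other effects to be assessed"
        else:
            cons = "composition deviation: consequence to be assessed by the team"
        rows.append(WorksheetRow("Line 1", gw, dev,
                                 TYPICAL_CAUSES.get(gw, "to be identified by the team"),
                                 cons))
    return rows


def hazardous_guide_words(rows):
    """Guide words whose deviation violates the F_B <= F_A intention."""
    return [r.guide_word for r in rows if r.consequence.startswith("F_B > F_A")]


if __name__ == "__main__":
    for row in hazop_line_1(design_flow_a=10.0, design_flow_b=8.0):
        print(f"{row.guide_word:<11}| {row.deviation:<55}| {row.consequence}")
```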
HAZOP Flow Sheet

[Figure: HAZOP flow sheet]
Prepare for the Review: Attitude, Preparation, Leadership, Knowledge, Experience
Meeting: Review by HAZOP team, Documentation, Follow-up
Info for study: P&IDs, Layout, Experience
HAZOP Table: Deviation | Causes | Consequences | Safeguards | Action

[Figure: HAZOP procedure flowchart]
Select a process section or operating step
Explain design intention
Select a process variable or task
Apply guide word to process variable
Examine consequences associated with deviation
List possible causes of deviation
Identify existing safeguards to prevent deviation
Assess acceptability of risk based on consequences
Develop action items
Repeat for all guide words, all process variables and all process sections

HAZOP Pitfalls

Poor understanding by management of the HAZOP procedure

An ethylene plant has 100 P&IDs, 625 equip't items = 625 items
Consider 5 variables: pressure, temperature, flow, composition and function = 5 variables
Consider 6 guide words: none, more of, less of, part of, more than and other than = 6 guide words
Questions to be answered = 18750 questions
Consider 5 minutes per question = 5 min/question
Time for ethylene plant HAZOP study = 93750 minutes
4 hour, 240 minute sessions per day = 250 minutes/day
No. of working days = 375 days
Days per week = 5 days/week
No. of weeks to complete HAZOP for plant = 75 weeks

Other Pitfalls

• Inexperienced HAZOP team.
• Inadequately trained or inexperienced leader.
HAZOP Example

[Figure: P&ID of a C2 KO pot: inlet line, FV-1, LIC-1, LAH, valve in manual, outlet to compressor inlet]

Teams tend to quickly identify alarms, shut-downs and controls, and claim them for safeguards.
An alarm not tested may not work when called upon to do so.
Nuisance alarms are frequently bypassed and are not effective as safeguards.
Often operators are not monitoring control panel.
Automatic control routines are often set in manual mode.

Standard Set of Deviations

[Table: which of Column, Vessel, Line, Exchanger, Pump and Compressor each deviation applies to; the marks were not recoverable from the flattened table except that Leak and Rupture apply to all six]
ID No. | Deviation
1 | High Flow
2 | High Level
3 | High Interface
4 | High Pressure
5 | High Temperature
6 | High Concentration
7 | Low / No Flow
8 | Low Level
9 | Low Interface
10 | Low Pressure
11 | Low Temperature
12 | Low Concentration
13 | Reverse / Misdirected Flow
14 | Tube Leak
15 | Tube Rupture
16 | Leak (all six)
17 | Rupture (all six)

Typical HAZOP Worksheet

Company: Nova   Location: Corunna   Revision: 0   Dwg No.: Cor-123-4567   Date: 02-Jun-97   Page: 1
Leader: RAH   Scribe: GFR   Prod'n: PM   Proc Des: JB   Instr'ts: GH   Mech: FD   Research:   Electrical: HH   Safety: MN   Op Tech:   Other:
Node No.: 1   Describe: Transfer Ethane from Deethanizer to C2 KO Pot
Intention: The intent is to transfer 150,000 lb/hr of C2/C2= mix at 300 psig and at -30 °F for the startup period.
Guide Wrd: High   Param: Flow   Dev'n: High Flow

Possible Causes
1 FV-1 wide open
2 Line break.
3

Consequences
1 High level in KO pot with liquid carry-over to compressor with serious damage to rotor. Potential hydrocarbons release.
2 Potential hydrocarbon release.
3

Safeguards
1 High level alarm LAH-1
2 High-High level alarm HHLA-1 shutdown.
3 Vessel inspection yearly.

Recommendation / Actions | Resp. By | Date
1 Consider limiting flow orifice, auto SD trip on High-High level, smart check valve. | JB | 01-Jan-99
2 Determine extent of typical hydrocarbon release. | PM | 15-Jan-99
3 Set-up vessel inspection yearly. | FD | 30-Jan-99

Check List Example

1 Changes In Quantity
  a High Flow: 1 Pump racing, delivery vessel pressure lost, suction pressurized, scale dislodged, leak in heat exchanger
  b Low Flow: 2 Pump failure, scaling of delivery, presence of foreign body, poor suction condition, cavitation, leak in heat exchanger, drain leak, valve jammed
  c No Flow: 3 Pump failure, delivery vessel overpressurized, gas blockage, presence of foreign body, scale, sediment, suction vessel empty.
  d Reverse Flow: 4 Pump failure, pump reversed, delivery vessel over pressurized, poor isolation, gas locking, surging, back siphoning.
  Also listed alongside: Loss of automatic control; Operator error; Failure of joint, pipe, valve, trap, bursting disc, relief valve.
Check List Cont’d

2 Changes in physical condition
  a High or Low pressure: 1 Boiling, cavitation, freezing, chemical breakdown, flashing, condensation, sedimentation, scaling, foaming, gas release, priming, exploding, imploding. Changes in viscosity, density. External fire, weather conditions, hammer.
  b High or Low temperature: 2 same as 1

3 Changes in chemical condition
  a High or Low concentration: 1 Changes in proportion of mixture, in water or solvent content.
  b Contaminants: 2 Ingress of air, water, steam, fuel, lubricant, corrosion products, other process materials from high pressure system, leakage through heat exchangers, gas entrainment, spray, mist.

4 Startup and Shutdown condition
  a Testing: 1 Vacuum, pressure testing with harmless material.
  b Commissioning: 2 Concentration of reactants, intermediates
  c Maintenance: 3 Purging, venting, sweetening, drying, warming. Access, spares.

5 Hazardous Pipelines
  a Pipeline registration: 1 Should this pipe be considered for registration?

Failure Mode Effect Analysis (FMEA)

It is an examination of individual components such as pumps, vessels, valves, etc. to identify the likely failures which may have undesired effects on system operation.

What Is A Failure Mode?

A Failure Mode is:
– The way in which the component, subassembly, product, input, or process could fail to perform its intended function. Failure modes may be the result of upstream operations or may cause downstream operations to fail.
– Things that could go wrong.
FMEA

Why
– Methodology that facilitates process improvement
– Identifies and eliminates concerns early in the development of a process or design
– Improves internal and external customer satisfaction
– Focuses on prevention
– FMEA may be a customer requirement (likely contractual)
– FMEA may be required by an applicable Quality Management System Standard (possibly ISO)

FMEA

A structured approach to:
– Identifying the ways in which a product or process can fail
– Estimating risk associated with specific causes
– Prioritizing the actions that should be taken to reduce risk
– Evaluating the design validation plan (design FMEA) or current control plan (process FMEA)

When to Conduct an FMEA

• Early in the process improvement investigation
• When new systems, products, and processes are being designed
• When existing designs or processes are being changed
• When carry-over designs are used in new applications
• After system, product, or process functions are defined, but before specific hardware is selected or released to manufacturing

The FMEA Form

(Figure: the four stages of the form, left to right) Identify failure modes and their effects → Identify causes of the failure modes and controls → Prioritize → Determine and assess actions
Types of FMEAs

Design
– Analyzes product design before release to production, with a focus on product function
– Analyzes systems and subsystems in early concept and design stages
Process
– Used to analyze manufacturing and assembly processes after they are implemented

FMEA: A Team Tool

• A team approach is necessary.
• The team should be led by the Process Owner, who is the responsible manufacturing engineer or technical person, or another similar individual familiar with FMEA.
• The following should be considered for team members:
– Design Engineers
– Process Engineers
– Materials Suppliers
– Customers
– Operators
– Reliability
– Suppliers

FMEA Procedure

1. Identify modes of failure (e.g., car won't stop)
2. Identify consequences and related systems for each mode
3. Rate the Severity (S) of each effect
4. Identify potential root causes for each failure mode
5. Rate the Probability of Occurrence (O) of each root cause
6. Identify process controls and indicators (e.g., brake squeal)
7. Rate Detectability (D) of each mode/root cause (on the usual 1–10 scale a higher D means the failure is harder to detect)

FMEA Procedure (Cont.)

8. Calculate the Risk Priority Number (RPN) = S*O*D and criticality = S*O
9. Develop recommended actions, assign responsible persons, and take actions
– Give priority to high RPNs
– MUST look at severities rated 10, regardless of their RPN
10. Assign the predicted severity, occurrence, and detection levels after the actions and compare RPNs
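The scoring and ranking steps above, as an added example that is not part of the lecture slides. The failure modes, their ratings, the 1–10 scales and the RPN threshold of 100 are constructed for illustration (the rows are built around the KO pot / compressor scenario from the HAZOP worksheet earlier on the page); the rule that a severity of 10 is reviewed regardless of RPN follows step 9.

```python
"""FMEA worksheet scoring: RPN = S*O*D, criticality = S*O, then prioritisation.

Added example, not from the lecture slides. Ratings and the threshold are
constructed; the severity-10 rule follows the procedure in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    item: str        # component or process step
    mode: str        # how it fails
    effect: str      # consequence of the failure
    cause: str       # root cause
    control: str     # current control / detection indicator
    severity: int    # S: 1 (none) .. 10 (hazardous, without warning)
    occurrence: int  # O: 1 (remote) .. 10 (almost certain)
    detection: int   # D: 1 (certain to detect) .. 10 (cannot detect)

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection

    @property
    def criticality(self) -> int:
        return self.severity * self.occurrence


def prioritize(modes: list[FailureMode], rpn_threshold: int = 100) -> list[FailureMode]:
    """Return the failure modes needing action, highest RPN first.

    A mode is selected when its RPN exceeds the threshold, or when its
    severity is 10 (mandatory review regardless of RPN).
    """
    selected = [m for m in modes if m.rpn > rpn_threshold or m.severity == 10]
    return sorted(selected, key=lambda m: (m.rpn, m.severity), reverse=True)


def worksheet(modes: list[FailureMode]) -> list[dict]:
    """Flatten the scored worksheet into rows (item, mode, S, O, D, RPN, crit)."""
    return [
        {"item": m.item, "mode": m.mode, "S": m.severity, "O": m.occurrence,
         "D": m.detection, "RPN": m.rpn, "crit": m.criticality}
        for m in modes
    ]


# Constructed worksheet around the KO pot / compressor scenario of the HAZOP slide.
SAMPLE_MODES = [
    FailureMode("FV-1", "fails wide open", "KO pot overfills, liquid to compressor",
                "positioner failure", "LAH-1 alarm", 9, 3, 4),
    FailureMode("LAH-1", "fails to alarm", "operator unaware of high level",
                "stuck float", "yearly inspection", 7, 2, 8),
    FailureMode("Transfer line", "ruptures", "hydrocarbon release",
                "external impact", "none", 10, 1, 5),
    FailureMode("Check valve", "leaks back", "reverse flow on pump trip",
                "seat erosion", "flow indication", 4, 4, 3),
]

if __name__ == "__main__":
    for row in worksheet(SAMPLE_MODES):
        print(row)
    print("Action list:", [m.item for m in prioritize(SAMPLE_MODES)])
```

In the output the ruptured transfer line (RPN 50) is lower than the stuck alarm (RPN 112) and the control valve (RPN 108), yet it stays on the action list because its severity is 10; a ranking by RPN alone would have dropped it, which is the point of step 9's severity rule.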
FMEA Inputs and Outputs

Inputs: C&E Matrix, Process Map, Process History, Procedures, Knowledge, Experience
→ FMEA →
Outputs: List of actions to prevent causes or detect failure modes; History of actions taken

An example: seat belt installation process

(Figure: completed FMEA form for the seat belt installation process; not reproduced in the text.)

Example

Possible failure modes?
– Light does not turn on
– Light does not turn off
What-if Analysis

• This technique involves asking a series of questions beginning with "what if" as a means of identifying hazards.
• The what-if analysis approach is useful throughout the entire lifetime of a process and is frequently used in conjunction with the checklist approach. However, the approach is very unstructured and depends heavily on the experience of the analysts to ask the correct questions.

Examples of What-if Analysis Questions

(Figure: example what-if questions; not reproduced in the text.)

Dow Fire and Explosion Index

• The Dow FEI is a ranking system that gives a relative index to the risk of individual process units due to potential fires and explosions.
• It serves as a guide for the selection of fire and explosion protection methods.
• It assists in determining the spacing between adjacent process units within the ISBL (inside battery limits).
• It is a guide for insurance agencies to set insurance rates.
• It ranks individual process units where special safety attention can be focused.

When should one perform an FEI?

• Late in Phase III Engineering, after:
– P&IDs have been completed,
– Equipment has been sized,
– A trial equipment layout has been done.
Who Usually Performs the FEI?

• Generally a senior process engineer, who is acquainted with the details of the project, is assigned the task.
• Occasionally, different groups tackle the assignment and the results are compared for consensus building.

Material factor estimation

• The MF is the measure of the intrinsic potential energy released by the combustion, explosion or chemical reaction of the substances contained in the equipment under study.
– Vapor pressure
– Flammable or explosive characteristics

General Process Hazard

• Hazard due to the unit operations in the unit, such as reaction, material handling, etc.
• The General Process Hazard Factors are six different elements that play a primary role in hazardous scenarios such as explosions or fires. These parameters are quite common and apply to most process situations, although it may not be necessary to take all the penalties they represent.

• The six General Process Hazard factors are:
– Exothermic chemical reaction(s)
– Endothermic processes
– Material handling and transfer
– Enclosed or indoor process units
– Access to the area
– Drainage and spill control

For each of these parameters a different grade of penalty must be chosen: the more hazardous the parameter, the greater the penalty. To find the value of the penalty, look at the Dow FEI guide.
Special Process Hazard

• The special process hazards are factors that contribute primarily to the probability of a loss incident. There are twelve factors, describing the major causes and effects of the potential incident.
• Each factor contributes a penalty within a range. The choice of the correct value is related to the type and condition of the substance, the process design, and the grade of maintenance.

Special Process Hazards Factors

• Toxic materials.
• Sub-atmospheric pressure (<500 mmHg).
• Operating in or near flammable range:
– Tank farm storage of flammable liquids.
– Process upset or purge failure.
– Always in flammable range.
• Dust explosion.
• Pressure.

Special Hazards Factors Cont'd

• Low temperature.
• Quantity of flammable/unstable material:
– Liquids or gases in process.
– Liquids or gases in storage.
– Combustible solids in storage.
• Corrosion and erosion.

Special Hazards Factors Cont'd

• Leakage – joints and packing.
• Use of fired equipment.
• Hot oil heat exchanger system.
• Rotating equipment.
Process Unit Hazard Factor

• The Process Unit Hazard Factor is the product of the General Process Hazard Factor and the Special Process Hazard Factor (in the Dow guide each of these two factors is a base of 1.00 plus the sum of the penalties selected for its group). The hazard factors are multiplied rather than summed because there is generally a compounding effect between them. The Process Unit Hazard Factor is commonly in the range 1 up to 8. If the calculation gives a Process Unit Hazard Factor greater than 8, use a maximum of 8.

Determination of FEI

• Once the Material Factor and the Process Unit Hazard Factor have been calculated, the Fire and Explosion Index can be estimated: Fire & Explosion Index = (Process Unit Hazard Factor) x (Material Factor).
• The FEI is used for estimating the damage that would probably result from an incident in a process plant. The FEI estimates the harm caused by a potential loss of control of the process. The direct and indirect effects of a fire/explosion increase with the degree of hazard related to the FEI.
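The FEI arithmetic from the two slides above, as an added example that is not part of the lecture slides or the Dow guide. It follows the text: general factor F1 = 1 + sum of general penalties, special factor F2 = 1 + sum of special penalties, process unit hazard factor F3 = min(F1 x F2, 8), F&EI = F3 x MF. The penalty values applied to the constructed unit are assumptions for illustration and must be read from the Dow F&EI guide for a real unit; the material factor of 21 is the Dow guide's value for a material with NFPA flammability 4 and reactivity 0 (ethane), and the degree-of-hazard bands are the ones published in the Dow guide (7th edition).

```python
"""Dow Fire and Explosion Index arithmetic for one process unit.

Added example, not from the lecture slides or the Dow guide. Penalty values
below are assumed for illustration; the MF and the hazard bands are the
published Dow guide values.
"""
from dataclasses import dataclass, field

GENERAL_HAZARDS = (
    "exothermic chemical reaction", "endothermic process",
    "material handling and transfer", "enclosed or indoor process unit",
    "access to the area", "drainage and spill control",
)

SPECIAL_HAZARDS = (
    "toxic materials", "sub-atmospheric pressure", "operation in or near flammable range",
    "dust explosion", "pressure", "low temperature",
    "quantity of flammable/unstable material", "corrosion and erosion",
    "leakage - joints and packing", "use of fired equipment",
    "hot oil heat exchanger system", "rotating equipment",
)

# Degree-of-hazard bands from the Dow F&EI guide: (upper F&EI bound, label);
# anything above the last bound is "Severe".
HAZARD_BANDS = ((60, "Light"), (96, "Moderate"), (127, "Intermediate"), (158, "Heavy"))


@dataclass
class ProcessUnit:
    name: str
    material_factor: float                                   # MF of the dominant material
    general: dict[str, float] = field(default_factory=dict)  # general penalties applied
    special: dict[str, float] = field(default_factory=dict)  # special penalties applied

    def __post_init__(self) -> None:
        # Only the named Dow factors may carry a penalty, and penalties are non-negative.
        for key, value in list(self.general.items()) + list(self.special.items()):
            if key not in GENERAL_HAZARDS + SPECIAL_HAZARDS:
                raise KeyError(f"unknown hazard factor: {key}")
            if value < 0:
                raise ValueError(f"penalty for {key} must be >= 0")

    @property
    def f1(self) -> float:
        """General process hazard factor: base 1.00 plus the selected penalties."""
        return 1.0 + sum(self.general.values())

    @property
    def f2(self) -> float:
        """Special process hazard factor: base 1.00 plus the selected penalties."""
        return 1.0 + sum(self.special.values())

    @property
    def f3(self) -> float:
        """Process unit hazard factor, capped at 8 as the text prescribes."""
        return min(self.f1 * self.f2, 8.0)

    @property
    def fei(self) -> float:
        return self.f3 * self.material_factor


def degree_of_hazard(fei: float) -> str:
    for upper, label in HAZARD_BANDS:
        if fei <= upper:
            return label
    return "Severe"


# Constructed unit: the ethane transfer / C2 KO pot from the HAZOP example.
# MF = 21 (NF 4 / NR 0); every penalty value here is assumed for illustration.
KO_POT = ProcessUnit(
    name="C2 KO pot and transfer line",
    material_factor=21,
    general={"material handling and transfer": 0.5,
             "enclosed or indoor process unit": 0.3,
             "access to the area": 0.2},
    special={"operation in or near flammable range": 0.8, "pressure": 0.35,
             "low temperature": 0.3, "quantity of flammable/unstable material": 0.6,
             "leakage - joints and packing": 0.3, "rotating equipment": 0.5},
)

if __name__ == "__main__":
    u = KO_POT
    print(f"{u.name}: F1={u.f1:.2f} F2={u.f2:.2f} F3={u.f3:.2f} "
          f"F&EI={u.fei:.1f} ({degree_of_hazard(u.fei)})")
```

With these assumed penalties the unit lands at F3 = 7.7, just under the cap of 8, and an F&EI of about 162, i.e. in the top band; the cap matters for units with large reaction or quantity penalties, where F1 x F2 can exceed 8 and the index would otherwise keep growing without representing any additional realistic exposure.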

Ranking of Hazard

(Figure: table of degree of hazard against FEI range; not reproduced in the text.)

An Accident

• Event or activity that is:
– Unwanted
– Uncertain
– Uncontrollable
• An accident in a process facility caused by process malfunction is termed a Process Accident.
What is an Accident?

• A sudden and unexpected event or occurrence that leads to undesired results: injury, loss of life, damage to the system or the environment, or the possibility of such injury or damage.
• The term 'Accident' has been used mainly as a common denominator for the set of phenomena that is of interest, which includes critical accidents, incidents, and mishaps.
• "Near miss" situations must also be addressed: events which did not result in injury or damage but had the potential to do so.

Accident Concept

(Figure: a system's state drifting from Good to Bad over time. Labels: What we see? What we measure/monitor; What we must Model/Predict.)

Accident Process

• Initiation
• Propagation
• Termination

Comprehending how accidents evolve from the initiating events, to their propagating effects, to the final consequences is paramount in designing safety into systems.

Accident Process concept

(Figure: causes drive the system from the Safe (Normal) state through Near Miss, Mishap and Incident to Accident.)
Causes for Accident

• Accidents cannot be attributed to a single cause; they are the end result of a number of failures or mistakes, caused by the occurrence of a chain of errors.
• Process accidents are mainly caused by three causal factors:
– Unsafe Act
– Unsafe Condition
– Management and organizational failures
• Human Factors

Unsafe Act

Any act that deviates from a generally recognized safe way or specified method of doing a job and increases the potential for an accident, or the activities that contribute to the accident.
Examples:
• Operating without a work permit or with an inadequate work permit
• Operating at unsafe speed
• Poor maintenance or error due to maintenance
• Poor inspection
• Rendering safety devices inoperative
• Using unsafe equipment, or using it unsafely
• Unsafe methods, e.g. loading, carrying, mixing
• Adopting an unsafe position or posture
• Working on moving or dangerous equipment
• Horseplay, e.g. distracting, teasing, startling
• Failure to wear PPE
• Lack of concentration; fatigue or ill health

Unsafe Condition

Any physical state which deviates from what is acceptable, normal, or correct in terms of its past production or potential future production of personal injury and/or damage to property or systems; any physical state which results in a reduction in the degree of safety.
Examples:
• Inadequate guarding
• Unguarded machinery
• Defective, rough, sharp, slippery, decayed, cracked surfaces
• Unsafely designed equipment
• Poor housekeeping, congestion
• Inadequate lighting, glare, reflections
• Inadequate ventilation, contaminated air
• Unsafe clothing or PPE
• Unsafe processes
• Hot, humid or noisy environment

Management and Organizational failures

Examples:
• Poor management safety policy and decisions
• Inadequate safety program
• Inadequate supervision and training
• Inadequate communication
• Leadership failure
• Inadequate management job knowledge and improper management behavior
Unsafe Act / Unsafe Condition / Management and Organizational Failure

Accident potential is increased when these three factors occur simultaneously. Of course, this is not to say that one factor alone could not result in an accident.
(Figure: Venn diagram of Management & Organizational factor, Unsafe Condition and Unsafe Act; Accident Potential lies at their intersection.)

Accident Investigation and Accident Prediction Model

• It is important to understand the causes of accidents in complex systems and to develop preventive strategies to mitigate their occurrence.
• Accident models provide a conceptualization of the characteristics of the accident, which typically shows the relation between the causes and effects.
• Accident models explain why and how accidents occur, and are used as a technique for risk assessment during system design and development.
• Each accident model has its own characteristics as to the types of 'causal factors' that it highlights.

Classification of Accident Models

• An accident model can be classified in different ways, based on the specific approach endorsed.
• Different classifications are introduced by different researchers, and they are discussed in the literature. Here, Hollnagel's (2004) classification is discussed.
• Accident models are classified into three different types: Sequential, Epidemiological, and Systemic.

Note: In addition to Hollnagel's classification, more classifications are available in the literature. Laflamme (1990) classified accident causation models into four different approaches: decisional, sequential, energetic and organizational models. Lehto and Salvendy (1991) made a distinction of accident causation models into three groups: general models of the accident process, models of human error and unsafe behavior, and models of human injury mechanics. Kjellen (2000) describes five categories of models: causal sequence, process, energy, logical tree, and human information processing. Katsakiori (2009) classified accident models into sequential, human information processing, and systemic.

Sequential accident models

• The simplest types of accident models describe the accident as the result of a sequence of events that occur in a specific order.
• These types of models follow the hypothesis: "The occurrence of injury invariably results from a completed sequence of factors, the last one of these being the accident itself. The accident in turn is invariably caused or permitted by the unsafe act of a person and/or a mechanical or physical hazard."
• A sudden, unexpected event initiates a sequence of consequences where the last one is the accident.
• One of the earliest sequential accident models is the "Domino theory" proposed by Heinrich.
Domino Theory

"Industrial Accident Prevention" (Heinrich)

(Figure: five dominoes in a row) Social Environment and Ancestry → Fault of the Person (Carelessness) → Unsafe Act or Condition → Accident → Injury. The first three dominoes are grouped as "Mistakes of Human".

Domino Theory

Five factors in sequence leading to an accident:
1. Ancestry and social environment. Negative character traits that may lead people to behave in an unsafe manner can be inherited (ancestry) or acquired as a result of the social environment.
2. Fault of person. Negative character traits, whether inherited or acquired. It looks into why people behave in an unsafe manner and why hazardous conditions exist.
3. Unsafe acts and mechanical or physical hazards. Unsafe acts committed by people and mechanical or physical hazards.
4. Accident. Caused by an unsafe act or an unsafe condition.
5. Injury. Typical injuries resulting from accidents.

Domino Theory

• Two central points:
– Injuries are caused by preceding factors
– By removing the unsafe act or hazardous condition, the action of these preceding factors is negated and the accidents/injuries are prevented.
• Element 3 (unsafe act and/or mechanical or physical hazard) is probably the easiest factor to remove.

Sequential Accident Models cont…

• More examples of sequential models:
– ILCI model (or Loss Causation model).
– Accident Evolution and Barrier (AEB) model.
• Sequential models need not, of course, be limited to a single sequence of events but may include a representation of multiple sequences of events in the form of hierarchies, such as the traditional tree models and networks:
– Programme Evaluation and Review Technique (PERT)
– Fault tree
– Petri networks
Epidemiological accident models

• Epidemiological models describe an accident analogously to the spreading of a disease, i.e. as the outcome of a combination of factors, some manifest and some latent, that happen to exist together in space and time.
• The epidemiological models can be seen as more powerful ways of understanding accidents and differ from the sequential accident models on four main points:
– Performance deviations: help to understand how the production system gradually deteriorates from the normal state into a state where an accident occurs
– Environmental conditions
– Barriers: prevent the unexpected consequences from occurring, and in a sense could stop the development of the accident at the last moment
– Latent failures: present within the system well before the onset of a recognizable accident sequence
• Example: Swiss Cheese Model

Systemic accident model

• Systemic accident models describe the characteristics at the system level, rather than at the level of specific cause-effect 'mechanisms' or even epidemiological factors.
• In systemic models, an accident occurs when several causal factors (such as human, technical, and environmental) exist coincidentally in a specific time and space.
• Systemic models view accidents as emergent phenomena, which arise due to the complex interactions between system components that may lead to degradation of system performance, or result in an accident.
• Systemic models have their roots in systems theory.
• Example: STAMP (Systems-Theoretic Accident Model and Processes)

Comment on Models

• The distinction between the three types of accident models does not imply that one is better than the others.
• Sequential models are simple and easy to represent graphically, which facilitates communication of results. They are unable to explain accidents in more complex situations.
• Epidemiological models provide a basis for discussing the complexity of accidents that overcomes the limitation of sequential models.
• Sequential and epidemiological accident models represent thinking in terms of clear cause-effect links. In these models accidents are resultant phenomena, thus consequences are predictable.
• Systemic models see accidents as emergent phenomena, as something that arises out of complex conditions. Accident predictability is difficult.

Accident Causation and Process Models

• Accident causation models help identify the source of accidents and ultimately reduce or eliminate accidents.
• Accident process models describe the accident sequence and help to analyze less severe events such as incidents, mishaps, and near misses.
• Accident models are helpful to model the accident process, to understand the factors that contribute to the accident and the steps that can be taken to avoid them.
• Accident models differ in many ways: their area of application, their purpose, and their focus.
Kletz model

Developed by Kletz (1988)
• The model is based on the sequence of decisions and actions that lead up to an incident.
• Kletz does not directly use an accident model, but utilizes an accident causation chain in which the accident is placed at the top and the sequence of events leading to it is developed beneath it.
• He assigns each event to one of three layers:
(1) Immediate technical recommendations
(2) Avoiding the hazard
(3) Improving the management system
• In the chain diagram, the events assigned to one of these layers may come at any point and may be interleaved with events assigned to the other two layers.

Kletz model Cont..

(Figure: example Kletz accident causation chain; not reproduced in the text.)

The Management Oversight and Risk Tree (MORT)

Developed by Johnson (1973)
• The MORT diagram is a logic tree with three main branches:
– S-factors, the specific oversights and omissions
– R-factors or assumed risks, which are risks known but for some reason not controlled
– M-factors, which are general characteristics of the management systems that contributed to mishaps.

MORT cont..

• Through the MORT analysis, investigators identify deficiencies in specific control factors and management system factors.
• The method provides a large graphical checklist to help investigate the facts and look for evidence.
• It permits a large number of problems to be identified and prompts the investigator to look not only for direct causes, but also for causal contributions at the management and organizational levels.
ILCI Loss causation model

Developed by Bird & Germain (International Loss Control Institute) (1996)
• Modification of the "Domino Theory".
• The early part of the causal chain of the domino model has been replaced by management factors, to evaluate how these affect the likelihood of unsafe acts and conditions.
• The analysis begins with the loss or harm.
• This form of feedback facilitates decision making to stop accident recurrence at any level in the chain.
• A failure at any level in this model can result in the progression to a loss.

Systems Theoretic Accident Model and Processes (STAMP)

Developed by Leveson (2004)
• In the STAMP approach, accidents in complex systems do not simply occur due to independent component failures; rather, they occur when external disturbances or dysfunctional interactions among the system components are not adequately handled by the control system.
• The basic concept in STAMP is a constraint, rather than an event.
• Traditional accident models explain accident causation in terms of a series of events, while STAMP views accidents as the result of a lack of constraints (control laws) imposed on the system design and during operational deployment.
• The process that causes accidents can be understood in terms of the flaws in the control loops between system components during design, development, manufacturing, and operations.

STAMP Cont…

• A STAMP accident analysis is conducted in two stages:
1. Development of the Hierarchical Control Structure, which includes identification of the interactions between the system components and identification of the safety requirements and constraints
2. Classification and Analysis of Flawed Control (Constraint Failures), which includes the classification of causal factors followed by the reasons for flawed control and dysfunctional interactions.
• A STAMP accident analysis is basically based on systems theory.
• It has poor graphical representation.

Swiss cheese model

Developed by Reason (1990)
(Figure: slices of cheese with holes, representing successive defensive layers, and a hazard trajectory passing through aligned holes.)
• This model demonstrates how generic human and organizational errors can be decomposed into logical, mutually exclusive categories, each influencing the next.
• Each slice of cheese represents a safety barrier or precaution relevant to a particular hazard.
• The holes in the cheese slices represent latent errors (human error, equipment failure, etc.) waiting to happen.
Swiss Cheese Model Cont…

• The defensive barriers are like dynamic slices against accidents and incidents, with the holes constantly subject to changes in size and location.
• When the holes line up, meaning that all the defenses fail and a system's latent vulnerabilities are exposed, the incident occurs.
• A significant attribute of Reason's model is that each of the contributing factors is seen as necessary but not sufficient on its own to cause the occurrence of an accident.
• This technique is currently being used in many industries, especially the aviation industry, to prevent accidents due to human error.
• The Swiss Cheese Model representation for an accident has been applied predominantly to occupational accidents.

Daryl's Occupational accident model

Developed by Daryl Attwood, Faisal Khan, and Brian Veitch (2006)
• The model is holistic and quantitative, using reliability techniques.
• It is capable of predicting occupational accident frequency, focused on the offshore oil & gas environment.
• The model development has included the identification of constituent factors and the determination of their interrelationships.
• These factors include direct factors, corporate factors, and external factors.
• The influences of external elements on corporate actions, and of corporate actions on the direct accident process, are also included in a quantitative manner.

Daryl's Occupational accident model Cont...

• Using similarities between a physical engineering system and a corporate safety programme, the accident model is modified into a reliability network for quantitative analysis.
• The direct layer elements (behavior, capability, weather, safety design, PPE and their subcomponents) are connected in a reliability network.
• The reliability of the overall safety system is calculated from these direct elements in much the same way as would be done for a physical network. The only departure from formal system reliability calculation methodology is the necessary inclusion of relative strength factors.

Daryl's Occupational accident model Cont...

(Figure: the reliability network of the model; not reproduced in the text.)
Daryl's Occupational accident model Cont...

• The model can be used to evaluate the relative probability of occupational accidents under various scenarios or during stages in the asset's development cycle.
• The model predicts financial rewards and penalties associated with changes in various safety factors. Users can conveniently see the effects of changes in safety elements, offering them a practical means of deciding where to spend their available capital.

Ren's Human and Organizational Factors (HOFs) model

Developed by Ren, J. et al. (2008)
• This model represents the causal relationships of offshore accidents due to human and organizational factors.
• It is capable of accommodating the modeling of multiple risk factors considered in offshore operations and has the ability to deal with different types of data that may come from different sources.
• Reason's "Swiss cheese" model is used to form a modeling framework, and a Bayesian Network (BN) is tailored to fit into the framework to construct a causal relationship model.
• The proposed framework uses a five-level structure model to address latent failures within the causal sequence of events. The five levels are the Root causes level, Trigger events level, Incidents level, Accidents level, and Consequences level.

HOFs model Cont…

(Figure: the five-level Bayesian network structure; not reproduced in the text.)
• The model demonstrates how root causes, trigger events, incidents, accidents, and consequences are logically related; therefore it provides the potential of exploring the correlation between HOFs and the severity of consequences.
• BN is capable of providing a graphical demonstration of inter-relationships as well as computing numerical values of occurrence likelihood for each failure event.
• The Bayesian inference mechanism makes it possible to monitor how a safety situation changes when information flows forwards and backwards within the network, and also to reduce the uncertainty.

Kujath's Conceptual offshore oil and gas process accident model

Developed by Matt Kujath, Paul Amyotte, & Faisal Khan (2010)
• The model is for the offshore oil and gas processing environment, to prevent accidents related to hydrocarbon release scenarios and any escalating events that follow.
• The elements to prevent the hydrocarbon release accident scenario are identified and used in a conceptual model to depict the accident progression.
• The proposed accident model elements are represented as safety barriers designed to prevent the accident scenario from developing.
• The accident model starts at reducing the risk of a hydrocarbon release and applies successive safety (prevention) barriers to minimize the escalation of events.
Conceptual offshore oil and gas process accident model Cont…

(Figure: the barrier-based accident model; not reproduced in the text.)
• The significant factor in each safety barrier is further branched to highlight applicable sub-elements.
• The model is intended to be a tool for highlighting vulnerabilities of oil and gas processing operations and to provide guidance on how to minimize their hazards.
• An accident has been described as one or more barriers that have failed, rather than in terms of causal factors.
• The model is able to provide a qualitative description of the accident process.

Fault tree analysis (FTA)

• Method for determining the causes of an accident (or top event).
• The fault tree is a graphic model that displays, by use of logic gates, the various combinations of normal events, equipment failures, human errors, and environmental factors that can result in an accident.
• The analysis starts with the top event (the undesired event), which should be carefully defined, and then proceeds backwards. The top event is linked to preceding events and conditions (such as technical factors, human actions) by two logic gates (the 'AND' and 'OR' gates).
• A fault tree analysis may be qualitative, quantitative, or both.
• The strength of the fault tree as a qualitative tool is its ability to break down an accident into root causes.
• FTA is the most widely used of the tree techniques.
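The qualitative and quantitative sides of FTA described above, as an added example that is not part of the lecture slides: AND/OR gates over basic events, the minimal cut sets (the qualitative result), and the top-event probability (the quantitative result), both exactly and with the rare-event approximation. The tree is constructed around the top event of the HAZOP worksheet on this page (liquid carry-over from the C2 KO pot to the compressor); the basic-event names and probabilities are assumptions, not measured data.

```python
"""Fault tree evaluation: minimal cut sets and top-event probability.

Added example, not from the lecture slides. The tree and the basic-event
probabilities are constructed; basic events are assumed independent.
"""
from __future__ import annotations
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Basic:
    name: str
    p: float          # probability of the basic event over the mission time


@dataclass(frozen=True)
class Gate:
    kind: str                    # "AND" or "OR"
    inputs: tuple[Node, ...]


Node = Union[Basic, Gate]


def cut_sets(node: Node) -> set[frozenset[str]]:
    """All cut sets of the subtree: sets of basic events whose joint occurrence
    makes the gate output true."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        return set().union(*child_sets)
    if node.kind == "AND":
        # one cut set from each input, unioned, for every combination
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> set[frozenset[str]]:
    """Drop every cut set that is a strict superset of another (Boolean absorption)."""
    sets = cut_sets(node)
    return {s for s in sets if not any(o < s for o in sets)}


def basic_events(node: Node) -> dict[str, float]:
    if isinstance(node, Basic):
        return {node.name: node.p}
    out: dict[str, float] = {}
    for c in node.inputs:
        out.update(basic_events(c))
    return out


def top_event_probability(node: Node) -> float:
    """Exact P(top) for independent basic events: sum the probability of every
    state of the basic events in which at least one minimal cut set holds."""
    probs = basic_events(node)
    names = sorted(probs)
    mcs = minimal_cut_sets(node)
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        failed = {n for n, f in zip(names, state) if f}
        if any(cs <= failed for cs in mcs):
            weight = 1.0
            for n, f in zip(names, state):
                weight *= probs[n] if f else 1.0 - probs[n]
            total += weight
    return total


def rare_event_approximation(node: Node) -> float:
    """Sum of the minimal cut set probabilities: an upper bound on P(top) that is
    close to exact when all basic-event probabilities are small."""
    probs = basic_events(node)
    total = 0.0
    for cs in minimal_cut_sets(node):
        term = 1.0
        for n in cs:
            term *= probs[n]
        total += term
    return total


# Constructed tree: liquid reaches the compressor when the pot overfills AND
# the level protection fails to act (LAH-1 missed AND the trip path fails).
OVERFILL = Gate("OR", (Basic("FV1_wide_open", 0.02), Basic("line_surge", 0.01)))
PROTECTION_FAILS = Gate("AND", (Basic("LAH1_fails", 0.05),
                                Gate("OR", (Basic("HHLA1_fails", 0.02),
                                            Basic("SD_valve_stuck", 0.01)))))
TOP = Gate("AND", (OVERFILL, PROTECTION_FAILS))

if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(TOP), key=sorted):
        print("minimal cut set:", sorted(cs))
    print(f"P(top) exact = {top_event_probability(TOP):.3e}, "
          f"rare-event approximation = {rare_event_approximation(TOP):.3e}")
```

The four minimal cut sets each contain three basic events, which is the qualitative finding a reviewer wants (no single failure reaches the top). The quantitative figure relies on independence: if LAH-1 and HHLA-1 shared one level tap or one nozzle, a single blockage would fail both, and the tree would need a common-cause event in place of the two separate ones.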

Event tree analysis (ETA)

• Used to analyze event sequences following an initiating event.
• The event sequence is influenced by either the success or failure of numerous barriers or safety functions/systems.
• Leads to a set of possible consequences.
• The event sequence is illustrated graphically, where each safety system is modeled in two states, operation and failure.
• An event tree analysis is primarily a proactive risk analysis method used to identify possible event sequences, but the event tree may also be used to identify and illustrate event sequences and to obtain a qualitative and quantitative representation and assessment.

Limitation of Existing Models

• In the process industry, major accidents such as fires, explosions, and toxic releases are often initiated by errors induced by process, mechanical, and operational hazards.
• The traditional accident models were developed mainly focusing on human, organizational, and management factors.
• Models focused on process hazards are scarce.
• Models are mainly descriptive, not predictive.
• Existing process accident models are not often effective in determining the ways in which one could prevent accidents.
• Available models are not able to accommodate the modeling of multiple risk factors considered in process systems in which the interactions and relationships of system elements are complex and non-linear.
• The available accident models are not able to make use of information on abnormal events or accident precursors.
Latest Approach to Model Accident Process

Process Accident Model

Developed by Samith, Khan and Paul (2010)
• The process accident model is proposed based on the following considerations and the Kujath et al. (2010) approach:
– Accidents are events resulting from a series of failures or errors; i.e. accidents cannot be described by using a single cause. The causal relationship of the accident process is represented by causal chains or networks.
– The accident sequential path can be blocked by applying a suitable barrier. In doing so, the severity of undesired consequences can be prevented, controlled, or mitigated.
– Releases of material or energy and/or process upsets are considered as initiating events.
– The performance (failure or success) of a safety function determines the progression of the accident process; i.e. the accident is described as one or more barriers that have failed.
– Management and organizational and human elements influence all stages of the accident process. Therefore, these two factors are considered as common influencing factors.

(Figure: the barrier chain of the model) Normal operation → Release Prevention Barrier (RPB) → Dispersion Prevention Barrier (DPB) → Ignition Prevention Barrier (IPB) → Escalation Prevention Barrier (EPB) → Damage Control & Emergency Management Barrier (DC&EMB) → Catastrophic Accident. The Human Factor Barrier (HFB) and the Management & Organizational Barrier (M&OB) run along the whole chain as common influencing factors.

Process Accident Model Cont…

• The model uses a combination of event and fault tree concepts to describe the cause-consequence relationship.
• The model relies on process history, accident precursor information, and accident causation modeling.
• The model is able to capture the process operational behavior and update the accident likelihood using the Bayesian updating mechanism.
• The predictive abilities of the model, along with risk estimation, help to develop and prioritize inherently safer design and operational strategies.

Process Accident Model Cont…

The qualitative description of the consequences related to each stage of the accident process, associated with the failure of each safety barrier in the accident chain, is shown by an accident sequence event tree.
(Figure: the accident sequence event tree; not reproduced in the text.)
Accident Predictive Model

• Accident prediction based on available information about accident precursor data is the most important aspect of the current model. A predictive model is required to enhance existing safety strategies to prevent accidents using the latest information.
• Bayesian prediction is used to obtain the predictive probability.
• The predictive probability of observing an abnormal event in the next time interval for the given data is estimated by:

Accident Predictive Model Cont..

• The updated average number of abnormal events (λ) is estimated by:
• The predictive model is approximated to a Poisson process with parameter (λP). Thus, the predictive probability distribution is:
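An added example (not code from the slides or from the cited paper) of the updating and prediction described above. The slide's formulas did not survive extraction, so a conjugate Gamma prior on λ with a Poisson likelihood is assumed; the posterior mean is taken as λP and the next-interval probability is the Poisson approximation the slide names. The precursor counts are constructed sample values.

```python
from math import exp, factorial

# Constructed precursor record (sample values, not data from the slides): number of abnormal
# events observed in each of five successive, equal-length time intervals.
PRECURSOR_COUNTS = [2, 0, 1, 3, 1]

def update_rate(prior_alpha, prior_beta, counts, interval=1.0):
    """Bayesian update of lambda, the average number of abnormal events per interval.
    Assumption (the slide's formula is not reproduced): Gamma(alpha, beta) prior on lambda
    (alpha = prior event count, beta = prior exposure) with a Poisson likelihood for the counts.
    The posterior is then Gamma(alpha + sum(counts), beta + n * interval) and lambda_P is taken
    as its mean. Returns (posterior_alpha, posterior_beta, lambda_P)."""
    alpha = prior_alpha + sum(counts)
    beta = prior_beta + len(counts) * interval
    return alpha, beta, alpha / beta

def predictive_probability(lambda_p, k, interval=1.0):
    """Predictive probability of exactly k abnormal events in the next interval, using the
    slide's approximation of the predictive distribution by a Poisson process with rate lambda_P."""
    mu = lambda_p * interval
    return exp(-mu) * mu ** k / factorial(k)

def probability_of_at_least_one(lambda_p, interval=1.0):
    """Probability that at least one abnormal event occurs in the next interval."""
    return 1.0 - predictive_probability(lambda_p, 0, interval)

def sequential_estimates(prior_alpha, prior_beta, counts, interval=1.0):
    """Re-run the update after every interval as new precursor data arrive and return the
    sequence of lambda_P values; the final value equals a single batch update over all counts."""
    alpha, beta, history = prior_alpha, prior_beta, []
    for c in counts:
        alpha, beta, lam = update_rate(alpha, beta, [c], interval)
        history.append(lam)
    return history

if __name__ == "__main__":
    a, b, lam = update_rate(1.0, 1.0, PRECURSOR_COUNTS)  # weak prior: one event per interval
    print(f"posterior Gamma({a:.0f}, {b:.0f}), lambda_P = {lam:.3f}")
    for k in range(4):
        print(f"P({k} events in next interval) = {predictive_probability(lam, k):.4f}")
    print("P(at least one event) =", round(probability_of_at_least_one(lam), 4))
    print("sequential lambda_P:", [round(x, 3) for x in sequential_estimates(1.0, 1.0, PRECURSOR_COUNTS)])
```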

Barrier thinking

Barrier-based approach

What are barriers?

• A barrier (sometimes also called a control) can be any measure that acts against some undesirable force or intention, in order to maintain a desired state.
• Barriers can be hardware systems, design features, work practices etc.
• All barriers are not created equal. Some are better and/or more reliable than others.

Bowtie XP Methodology manual

Assessment / Analysis Tools You May See…

• HAZID
• HAZOP
• What-If
• Checklist
• FMEA - Failure Mode and Effects Analysis
• LOPA – Layer of Protection Analysis
• Bow Tie Analysis

What is the objective of these analyses?

• Safe Design of Workplace
  • Eliminate hazards
  • Minimize likelihood / severity of potential incidents
• Effective Controls (Barriers)
  • Engineering Controls
    • Passive – burst discs, containment berms, fixed guard, etc
    • Active – sensors, automated valves, light curtains etc
  • Administrative Controls
    • Policies, safe work practices (some written), training
    • Signage
  • Personal Protective Equipment
Controls – important considerations

• All controls have administrative elements
  • Gas sensors need calibration and maintenance
  • Warning alarms require human response
  • Workers need to wear correct PPE at the right time
• Often controls are part of a control system
  • Detect, decide and act
  • e.g. gas sensor ↔ computer ↔ warning lights & sirens ↔ worker action
• Controls are never perfect. They can:
  • be inadequate, fail, be absent

Who should be involved?

The more diverse it is, the better it is…

• Maintenance
• Operators
• Technical personnel
• Suppliers
• OH&S
• Process engineers

What is the Bow Tie model?

[Figure: bow tie diagram, with Prevention barriers on the left of the top event and Mitigation barriers on the right; "Start here" marks the entry point.]

Thank you!

Questions?

Ming Yang, PhD, P.Eng.
Assistant Professor of Safety and Security Science
Safety and Security Science Section,
Faculty of Technology, Policy, and Management,
TU Delft, the Netherlands
Email: m.yang-1@tudelft.nl
Risk assessment techniques - part 2:
Quantitative Risk Assessment: a practical perspective
Lecture 3 of SPM 9448

Dr. Ming Yang, Assistant Professor of Safety and Security Science
Safety and Security Science Section
May 3rd 2021
Email: m.yang-1@tudelft.nl

Outline

• Brief overview of quantitative risk assessment
• Approaches and tools for:
  – Hazard Identification
  – Probability assessment
  – Consequence assessment
  – Risk estimation and evaluation
• Use of QRA – case studies

Gains vs. Loss

Gain
  Option 1: €5000
  Option 2: Toss a coin; if head, €10000

Loss
  Option 1: -€5000
  Option 2: Toss a coin; if head, -€10000

How to translate this into risk management?

What is QRA

• Systematic methodology to assess risks associated with any installation
  – Taking into consideration all forms of hazards
  – Uses design information and historical data to estimate frequency of failure
  – Uses modelling software to assess consequence
• Where/when is QRA needed
  – CIMAH 1989 – part of CIMAH safety report
  – EQA 1985 – a section under EIA
  – Directive 96/82 (Seveso II Directive)
Risk = Severity x Likelihood

• Extent of Damage
  • Fatality
  • Injuries
  • Losses
  • Analysis based on design and modeling equations
• Likelihood of event
  • Based on failure frequency of process components
  • Analysis based on manufacturer's and historical data

Risk = Expected loss

Risk = Probability × Consequence

Risk perspective

Events/Scenarios S, Consequences C, Probabilities P

Probability-based perspective (historical data): Risk = F (S(C,P))
  – Probabilities, historical data, risk matrices

Knowledge dimension: surprises
  – Knowledge, surprises
The risk concept

[Figure: Activity → Events and consequences → Uncertainty, supported by knowledge, data and information, with values at stake.]

How to represent the risk here?

Risk description S(C, P, K)
  C: specific consequences
  P: measured uncertainty
  K: knowledge that C and P are based on.

Methodology

Hazard Identification → Frequency Analysis and Consequence Analysis → Risk Estimation and Evaluation → Risk Management

Introduction to System Safety Analysis
Hazard Identification

• Purpose: to identify plausible hazard conditions
• Methods
  – Check-list, Preliminary Hazard Review, HAZID, HAZOP etc.
  – Unstructured brainstorming?

What types of hazards are present?
Where are they located?

Checklist

A checklist is a list of questions about plant organization, operation, maintenance and other areas of concern to verify that various requirements have been fulfilled and nothing is neglected or overlooked.

• What task are you about to perform?
• What tools and equipment will be used during the processes?
• What mitigation or elimination or prevention steps will be taken to handle each hazard as the task is executed?

HAZOP

• HAZOP is a simple structured methodology for hazard identification and assessment. P&IDs, PFDs, material flow diagrams, and operating manuals are examined to identify causes and consequences for all possible deviations from normal operation that could arise.
Principles of HAZOP

Concept
• Systems work well when operating under design conditions.
• Problems arise when deviations from design conditions occur.

Basis
• A word model, a process flow sheet (PFD) or a piping and instrumentation diagram (P&ID)

Method
• Use guide words to question every part of the process to discover what deviations from the intention of the design can occur and what their causes and consequences may be.

HAZOP DISPLAY

HAZOP Manager Version 7.0
https://www.lihoutech.com/

Failure Mode Effect Analysis (FMEA)

It is an examination of individual components such as pumps, vessels, valves, etc. to identify the likely failures which may have undesired effects on system operation.
The FMEA Form

[Figure: FMEA form. Columns: Identify failure modes and their effects → Identify causes of the failure modes → Prioritize → Determine and assess actions and controls.]

FMEA Example

Possible failure modes?
• Light does not turn on
• Light does not turn off

FMEA software
https://www.softexpert.com/produto/fmea/
Probability Assessment

• Sometimes referred to as Hazard Analysis
• Purpose: To estimate the likelihood for a hazard scenario to occur
• Methods
  – Fault-Tree Analysis
  – Event-Tree Analysis
  – Bow-Tie
  – Bayesian Network

Fault Tree Analysis

Inductive and Deductive Modeling are the Two Basic Types of Modeling

[Figure: the causal chain Valve corrosion → Gas leakage → Explosion, drawn once for inductive modeling and once for deductive modeling.]
http://cliparto.com/image/3033157-rusted-valve-of-outdoor-pipeline/
Fault Tree Analysis: a Systematic Deductive Process

• An undesired event is defined
• The event is resolved into its immediate causes
• This resolution of events continues until basic causes are identified
• A logical diagram called a fault tree is constructed showing the logical event relationships

Basic Fault Tree Structure

Example: redundant fire pumps

[Figure: fault tree. Top event "No water from fire pump system" has inputs "Valve blocked or failed to open" and gate G1 "No water from the two pumps"; G1 has inputs G2 "No water from pump 1" and G3 "No water from pump 2"; G2 and G3 each have inputs "Failure of pump" and "Failure of engine".]
http://www.ntnu.no/ross/srt/slides/fta.pdf

Why FTA is carried out

• To exhaustively identify the causes of a failure
• To identify weaknesses in a system
• To assess a proposed design for its reliability or safety
• To identify effects of human errors
• To prioritize contributors to failure
• To identify effective upgrades to a system
• To quantify the failure probability and contributors
• To optimize tests and maintenance
FTA of the vehicle headlamp

[Figure: fault tree. Top event "No light" has inputs "No power", "Lamp failure" and "Switch failure"; "No power" has inputs "Battery failure" and "Contact failure".]

FTA of flow from tank
Basic Fault Tree Structure

The Four Necessary Steps to Begin a Fault Tree

1. Define the undesired event to be analyzed (the focus of the FTA)
2. Define the boundary of the system (the scope of the FTA)
3. Define the basic causal events to be considered (the resolution of the FTA)
4. Define the initial state of the system

Basic Events of a Fault Tree

Basic Gates of a Fault Tree

(not E) = (1 – E): The event that "E does not occur."
(A & B) = (A ∩ B): The event that "both A and B occur - intersection"
(A or B) = (A ∪ B): The event that "either A or B or both occur - union"

C = A ∪ B    C = A + B    C is A union B
D = A ∩ B    D = A × B    D is A intersection B

Simple Battery Powered Circuit (BPC)

[Figure: circuit with a battery, a switch and a motor joined through Connector A and Connector B; motor image from https://en.wikipedia.org/wiki/Electric_motor]
Top event: motor does not run when switch is pressed

Specifications for the BPC FT

• Undesired top event: Motor does not start when switch is closed
• Boundary of the FT: The circuit containing the motor, battery, and switch
• Resolution of the FT: The basic components in the circuit excluding the wiring
• Initial State of System: Switch open, normal operating conditions
Start of BPC FT (1)

[Figure: top event "Motor does not run" with an OR gate whose inputs are "Motor failed", "No power supply" and "Switch malfunction"; Connector A and Connector B are shown on the circuit.]

Continuation of the BPC FT (2)

[Figure: "No power supply" (transfer symbol A) with an OR gate whose inputs are "Battery is dead" and "No connection".]

Continuation of the BPC FT (3)

[Figure: "No connection" with an OR gate whose inputs are "Connector A detached" and "Connector B detached"; "Switch malfunction" with an OR gate whose inputs are "Switch is broken" and "Insufficient force is applied".]

BPC FT

Motor does not run (OR)
  Motor failed
  No power supply (OR)
    Battery is dead
    No connection (OR)
      Connector A detached
      Connector B detached
  Switch malfunction (OR)
    Switch is broken
    Insufficient force is applied
Important definitions for FTA

• Cut Set: A cut set is a combination of basic events; if all these basic events occur, the top event is guaranteed to occur.
• Minimal Cut Set: A minimal cut set is a cut set with no unnecessary basic event: if any basic event is removed from the set, the remaining events collectively are no longer a cut set.

• Path Set: A path set is a collection of basic events; if none of the events in the set occur, the top event is guaranteed not to occur.
• Minimal Path Set: A minimal path set is a path set such that if any basic event is removed from the set, the remaining events collectively are no longer a path set.

Steps in Fault Tree Analysis

1) Fault Tree Development
2) Minimum cut set finding
3) Probabilistic analysis using basic failure data
4) Importance factor estimation

Fault Tree Development
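An added example (not code from the slides or from the NTNU source) that carries steps 1 to 3 through for the two fault trees on the slides: it encodes the BPC tree and the redundant fire pump tree, finds minimal cut sets by top-down expansion (OR = union, AND = intersection, as in the Boolean definitions), and computes the top-event probability from constructed sample failure probabilities. It assumes the two pumps must both fail (AND) and that the two engines are separate basic events.

```python
from itertools import product

# A fault tree is a basic event (str) or a gate ("OR" | "AND", [children]). The two trees below
# are transcribed from the slides; the failure probabilities are constructed sample values.
def basic_events(tree):
    """Names of all basic events in the tree."""
    return {tree} if isinstance(tree, str) else set().union(*(basic_events(c) for c in tree[1]))

def evaluate(tree, state):
    """Does the top event occur for {basic event: occurred?} (OR = union, AND = intersection)."""
    if isinstance(tree, str):
        return state[tree]
    kind, children = tree
    return (all if kind == "AND" else any)(evaluate(c, state) for c in children)

def minimal_cut_sets(tree):
    """Top-down expansion: an OR gate offers alternative cut sets, an AND gate combines one cut
    set from each input; any set containing another cut set is dropped, leaving minimal ones."""
    if isinstance(tree, str):
        return [frozenset([tree])]
    kind, children = tree
    child_sets = [minimal_cut_sets(c) for c in children]
    sets = {s for cs in child_sets for s in cs} if kind == "OR" else \
           {frozenset().union(*combo) for combo in product(*child_sets)}
    return sorted((s for s in sets if not any(t < s for t in sets)), key=lambda s: (len(s), sorted(s)))

def top_probability(tree, p):
    """Exact P(top) for independent basic events by enumerating all 2^n states (small n here);
    stays exact even when one basic event feeds several gates."""
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        state = dict(zip(events, bits))
        if evaluate(tree, state):
            weight = 1.0
            for e in events:
                weight *= p[e] if state[e] else 1.0 - p[e]
            total += weight
    return total

# Battery-powered circuit FT (slide "BPC FT"): every gate is OR, so each basic event alone is a cut set.
BPC_FT = ("OR", ["Motor failed",
                 ("OR", ["Battery is dead", ("OR", ["Connector A detached", "Connector B detached"])]),
                 ("OR", ["Switch is broken", "Insufficient force is applied"])])
# Redundant fire pumps (slide "Example: redundant fire pumps"); two separate engines are assumed.
FIRE_PUMP_FT = ("OR", ["Valve blocked or failed to open",
                       ("AND", [("OR", ["Failure of pump 1", "Failure of engine 1"]),
                                ("OR", ["Failure of pump 2", "Failure of engine 2"])])])
SAMPLE_P = {"Motor failed": 0.01, "Battery is dead": 0.05, "Connector A detached": 0.02,
            "Connector B detached": 0.02, "Switch is broken": 0.01, "Insufficient force is applied": 0.03,
            "Valve blocked or failed to open": 0.01, "Failure of pump 1": 0.05,
            "Failure of engine 1": 0.02, "Failure of pump 2": 0.05, "Failure of engine 2": 0.02}
```

Calling `minimal_cut_sets(FIRE_PUMP_FT)` shows the single-event cut set (the valve) beside the four two-event cut sets that need both pump branches to fail, which is the prioritisation information step 4 builds on.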
