Process Safety | Process Safety Management | PSM | Gaurav Singh Rajput

1 | 2015
Process Safety Management

2 |
What is Process Safety
Process Safety is
 The proactive identification, analysis, and
evaluation of the releases of hazardous
substances and process accidents.
 It applies to the management of hazards
associated with the chemical and physical
properties of the substances handled in our
oil, gas and energy activities.
 It aims to:
 Minimize the risk of a major accident event
MAE
 Ensure that the necessary mitigation and
emergency preparedness mechanisms are
in place

3 |
Likelihood of occurrence
Tolerable
Risk
Intolerable
Risk Occupational Safety

Process Safety

4 |
What Process Safety is about
Preventing
MAJOR
ACCIDENTS

5 |
What is a Major Accident & Major Accident Hazard?
 Major Accident (realisation)
 This is an accidental event which has major or severe consequences for
people or environment. The definitions of ‘major’ and ‘severe’
consequences in this context, are provided in the risk matrix.
 Major Accident Hazard (potential)
 Any substance or energy which if not contained could seriously harm
people or the environment, either directly or by initiating events which could
lead to a major accident.
Major Accidents exclude:
- Occupational health and personal safety hazards
- Business critical hazard severity categories
 Major Accidents are defined by their consequences

6 |
Definition of Major Accident
Consequence People Environment
5 Severe
1 fatality of public
>1 fatality of workforce
> 6 people of workforce and/or public hospitalised
Serious long term environmental
damage. Significant impact on highly
valued or sensitive species, habitat
or ecosystem
4 Major
1 fatality of workforce
> 3 people on-site hospitalised
1 person of public hospitalised
1 person of workforce with onset/signs of severe irreversible
health effect
>1 person of public with reversible health effect
Very severe, persistent
environmental damage extending
over large area. Long term
impairment of ecosystem function
3 Moderate
1 person of workforce >2 days lost
1 person of workforce with onset/signs of moderate irreversible
health effect
1 person of public with moderate reversible mid-term health effect
Serious mid-term environmental
impacts
2 Minor
1 person of workforce 1 or 2 days off work
1 person of workforce with moderate reversible mid-term health
effect
1 person of public with minor reversible short term health effect
Moderate reversible environmental
damage extends beyond site
boundary
1 Slight
1 person of workforce injured, able to continue work but first aid
needed
1 person of workforce with minor reversible short term health effect
Slight reversible on-site
environmental damage

7 |
Summary of Process Hazards

9 |
20” bypass piping fabricated on-site from
shop stock. This pipe ruptured and released
Cyclohexane which exploded.
On June 1, 1974 the Nypro Co. site at Flixborough, England was severely damaged by a
large explosion. Twenty-eight workers were killed and a further 36 suffered injuries. It is
recognized that the number of casualties would have been more if the incident had
occurred on a weekday, as the main office block was not occupied.
Cyclohexane Release & Explosion – 28 fatalities
Flixborough, England – June 1, 1974

10 |
On the night of December 2-3, 1984, a sudden release of about 30 metric tons of methyl isocyanate
(MIC) occurred at the Union Carbide pesticide plant at Bhopal, India. The accident was a result of poor
safety management practices, poor early warning systems, and the lack of community preparedness.
The accident led to the death of over 2,800 people (other estimates put the immediate death toll as
high as 8000) living in the vicinity and caused respiratory damage and eye damage to over 20,000
others. At least 200,000 people fled Bhopal during the week after the accident. Estimates of the
damage vary widely between $350 million to as high as $3 billion.
Methyl Isocyanate Tank Rupture and Release
Bhopal, India – Dec. 2-3, 1984
Photo Source: Indian state government of Madhya Pradesh
Source: United Nations Environment Programme

11 |
On the day the disaster occurred, the day shift maintenance crew was working on the condensate
pumps which compressed gas. One of the pumps was removed for routine maintenance and the
condensate pipe was temporarily sealed with a flat metal disk. Because the work could not be
completed before the next shift change-over, the metal disc was left in place as the day shift went off
duty. The shift coming on duty was unaware of this. Later in the evening, when the other condensate
pump stopped working, the pump under maintenance was started up. Gas leaked out at high pressure,
ignited and exploded.
Gas Release & Explosion – 167 fatalities
Piper Alpha, North Sea – July 6, 1988

12 |
On March 23, 2005, during the startup of an isomerisation unit, the associated raffinate splitter tower
was overfilled and overheated. A substantial volume of hydrocarbon liquid and vapour were forced into
an adjacent blowdown stack, rapidly exceeding its capacity. Ignition of the resulting vapour cloud
caused an explosion that extended to nearby temporary trailers and resulting in 15 deaths, more than
170 injuries, and significant economic losses.
Condensate Release & Explosion – 15 fatalities
BP Texas City Refinery, Texas– March 23, 2005

13 |
Deepwater Horizon oil spill
20 April – 15 July 2010, Gulf of Mexico, US
Oil Spill (up to 4.9 mln barrels), 11 people died, 17 injured

14 |
Fukushima Daiichi
11 March 2011, Fukushima 1 Nuclear Power Plant, Japan
Release of radioactive materials, 37 injured

15 |
When will the next Major Accident occur?

16 |
PROCESS SAFETY
MANAGEMEMENT

17 |
What must we focus on?
Process
Safety
Operating
Integrity
 Operate within operating envelope
▪Alarm management
▪Process control and procedures
▪Incident investigation and close-out
▪Competencies and Capabilities
Maintenance
Integrity
▪ Asset Integrity Management Plan
▪ SCE inspection, testing & maintenance
▪ Deviation analysis and close-out
Design
Integrity
▪ Design reviews: ALARP; engineering
codes; standards
▪ SCE Safety Critical Elements (and
performance standards)
▪ MOC Management of Change
(with technical authorities)
▪ Robust Assurance
(WSE - Written Schemes of
Examination)

18 |
PSM Elements
 Process Safety Information
 Process Hazard Analysis
 Operating Procedures
 Employee Participation
 Training
 Contractors
 Pre-Startup Safety Review
OSHA PSM Elements (14)
 Mechanical Integrity
 Hot Work Permit
 Management of Change
 Incident Investigation
 Emergency Planning and
 Compliance Audits
 Trade Secrets

19 |
PSM Elements
 Process safety culture
 Compliance with standards
 Process safety competence
 Workforce involvement
 Stakeholder outreach
 Process knowledge management
 Hazard identification and risk
analysis
 Operating procedures
 Safe work practices
 Asset integrity and reliability
CCPS Risk-Based Process Safety Elements (20)
 Contractor management
 Training and performance
 Management of change
 Operational readiness
 Conduct of operations
 Emergency management
 Incident investigation
 Measurement and metrics
 Auditing
 Management review and
continuous improvement

20 |
PROCESS SAFETY
ENGINEERING

23 |
Safety Life Cycle & Risk Assessment

24 |
Safety Life Cycle & Risk Assessment

25 |
Risk Assessment steps & toolkits

26 |
What should we do about it?
 Hierarchy of control for Process Safety
 Inherent Safety – reduce the hazard
 Prevention measures – keep it in the pipe
 Control measures – minimise size and duration of
hazardous event
 Mitigation – protect people, the environment and assets
 Layers of defence
 Risk Control systems

27 |
Hierarchy of control for Process Safety

28 |
Inherent Safety
1. Substitute - Replace material with a less hazardous
substance.
2. Minimize/Intensify - Use smaller quantities of dangerous
substances.
3. Moderate/attenuate – Change the conditions to reduce
hazard severity in the event of accidental release.
4. Simplify – Strive to eliminate unnecessary complexity
which increase the potential for incorrect operation,
particularly in the event of abnormal operating conditions.

29 |
Bow Tie – Defence in Depth

31 |
Key risk control systems classification

32 |
SAFETY CRITICAL ELEMENTS
MANAGEMENT

33 |
What is a Safety Critical Element?
 Safety Critical Element – any part of the facilities, the failure of which could
cause or contribute substantially to a major accident, or the purpose of
which is to limit the effects of a major accident
 So, there are two distinct types of SCE
Prevent: Those, the failure
of which could cause a
major accident, and
Mitigate: Those required to
intervene passively or actively
to limit the effects of a major
accident

34 |
Management systems, people & processes
SCEs are hardware-only
But:
Management systems, people, processes, are
important parts of the Integrity assurance process used
to manage the hardware barriers/SCE

35 |
Safety Critical Activities
 Are management systems, procedures, people/competence safety critical?
 Yes, but as safety critical activities, not SCEs
 SCEs = hardware (& associated software)
 How are safety critical activities dealt with?
 They are inherent to the SCE assurance process
 Examples of safety critical activities/tasks
 Permit to work system
 Management of change
 Risk assessment
 Competency training
 Quality assurance
 Operating envelopes
 Defeats register

36 |
How SCEs fit into hazards management
 Management of major accident consequences is based on a hierarchy
 Industry has evolved models to support/demonstrate this
 The Integrity Barrier or “Swiss Cheese” diagram is one
Hierarchy of Risk Reduction
Prevention Systems to control the primary initiating events
Detection Systems to detect the primary safeguards have
failed
Control Systems to prevent the event from escalating
and bring plant to a safe state
Mitigation Systems to minimize the effects of an event
Emergency Response
& Lifesaving
Systems to allow you to safely muster and
evacuate

37 |
How SCEs fit to hazards management ‘barriers’ concept
Inspection, maintenance and testing are activities to prevent barrier degradation.
GAS

38 |
Barrier Concept for Hazards Management
Escalating
Consequences
STRUCTURAL INTEGRITY
- Drilling systems
- Structural supports for
safety critical equipment
- Lifting equipment in
wellhead /HC process areas
- WHP jacket & foundations
- Vessel hull , mooring &
ballasting systems
IGNITION CONTROL
- Haz area HVAC
- Non-haz area HVAC
- Certified electrical
equipment & instruments
- Inert gas blanketing
- Earth bonding
- Fuel gas purge system
- Ignition control eqpt
- Flare tip ignition
system
PROTECTION SYSTEMS
- Deluge system
- Fire & expl protection
- Firewater main & pump
- Gas, foam & spray fire
extinguishers
- Corrosion protection e .g.
sand filters & chemical
injection
- Passive fire protection
- Navigation aids & collision
avoidance
EMERGENCY RESPONSE
- Temp refuge /muster
- Escape/evac routes
- Escape lighting
- Emergency comms
- UPS
- Helicopter facilities
- Emergency power
- Hazardous & non-
hazardous open drains
PROCESS CONTAINMENT
- Pressure vessels
- Heat exchangers
- Rotating equipment
- Tanks
- Pipelines /piping
- Relief system
- Well containment
- Gas/oil fired heaters
- Gas tight floors /walls
- Tanker loading systems
- Wireline equipment
- Oily water control
DETECTION SYSTEMS
- Fire detection
- Gas detection
- H2S detection
- Corrosion detection
SHUTDOWN SYSTEMS
- ESD system
- Depressurisation syst
- HIPPS
- Well isolation
- Pipeline isolation
valves
- Process ESDV
- SSIVs
- Well control eqpt
LIFESAVING
- Personal survival
equipment
- Rescue facilities
- TEMPSC /lifeboats
- Tertiary escape
systems
Prevention
Detection Control &
Mitigation Emergency
Response
Lifesaving
Safe
Operation

39 |
What are the benefits?
 Achieve & sustain acceptable level of major accident management
 Focus & prioritise resources on the aspects of systems and
equipment that manage major accidents
 Not how many, but how you manage them
 Ensure this is achieved by
 Defining the critical functions, and
 Aligning inspection and maintenance with these functions

40 |
How to identify SCEs
System Level
List of systems and
equipment to reduce
risk (plant barriers)
No
No
No
No
Could
failure of this
element cause a
MAE?
Is the
purpose of this
element to prevent
a MAE?
Could
failure of this
element contribute
substantially to a
MAE?
Is the
purpose of this
element to limit
the effects of a
MAE?
Yes
Yes
Yes
Yes
SCE Screening
This item is a
SAFETY CRITICAL
ELEMENT
This item is not
a Safety Critical
Element
Major
accident hazard
identification
Tag Level

41 |
Performance Standard – Key requirements
 Performance Standards (PSs) are parameters that are measured or set so that the
suitability and effectiveness of SCEs can be assured and verified.
 Performance criteria:
 SCE integrity assurance activities
 Independent Verification Body (IVB) activities
Functionality
 The intended purpose
and fundamental
design performance
requirements of the
SCE (relative to
major accidents)
Reliability &
Availability
 The probability that
the system will work
on demand and be
available when
required
Survivability
 The ability of the
SCE to survive
loadings from major
accidents it is
intended to manage
Dependency
 Identification of other SCEs
the performance of which
the SCE is dependent on

42 |
Generic Performance Standard Structure
November 15
Presentation title

43 |
WHY DO IT?
What happens when the SCE integrity assurance
process is either not in place or not implemented
effectively…

45 |
SCE Identification Practical
NGL piping manual
isolating valves
Sales gas booster
compressor
Glycol storage tank
Diesel oil storage day tank
Crude oil export pump
Why
SCE? –
Yes/No
System or Equipment Prevents or
Mitigates?

46 |
Prevents or
Mitigates?
HVAC system
Main power
generation/distribution
Electrical equipment in
classified hazardous
areas
Pressure transmitter
instrument
Why
SCE? –
Yes/No
System or Equipment

47 |
Instrument air system
Flare System
Pump lubricating oil
system
Compressor seal oil
system
Why
SCE? –
Yes/No
Mitigates?

48 |
Permit to Work
system
Firewater ring-main
isolation valve
Closed drain
system
Oil Wellhead
Why
SCE? –
Yes/No
Mitigates?

53 |
PROCESS SAFETY EVENTS
&
PSPI

54 |
Performance Monitoring System

55 |
Type of indicators
 Quantitative
 Numbers recorded on scale and tracked over time
 Ensure statistically valid interpretation
 Most relevant to regularly occurring activities
 Qualitative
 Descriptions typically inspection and audit observations
 Can be quantified using ratings and ladder assessments
(comparative definition of bad to good)
 Objective
 Independent of assessor’s personal judgement
 Subjective
 Influenced by those measuring

57 |
Example leading & lagging indicators

58 |
Example leading & lagging indicators

61 |
Terminology
loss of
primary
containment
LOPC
An unplanned or uncontrolled release of any material from a
tank, vessel, pipe, truck, rail car etc., including non-toxic and non-
flammable materials (e.g. steam, hot condensate, nitrogen,
compressed CO2 or compressed air).
An unplanned or uncontrolled release of any material from a
process or an undesired event or condition that, under slightly
different circumstances, could have resulted in a release of a
material.
Process
safety event
PSE
Challenge to
safety system
CTSS
A demand on a safety system designed to prevent a LOPC or to
mitigate the consequences of a LOPC.

62 |
Safety Critical Barriers
GAS

63 |
PSPI & Barriers
©
2011
OGP
Guidance
Report
456

64 |
Process Safety Performance Indicators
Tier 1
LOPC Events of
Greater
Consequence
Tier 2
LOPC Events of lesser
consequence
Tier 3
Challenges to Safety Systems
Tier 4
Operating Discipline & Management System
Performance Indicators
incidents
E.g.
• Hi-Hi level
alarm
activated.
• Defect below
minimum wall
thickness
E.g.
• Relief valve
fails bench
test.
• Loss of
experience in
operations
team.

65 |
Process Safety Events:
Accidents, Incidents, Near Miss, etc.
 A Process Safety Event is:
 The actual or potential loss of
control or containment of
hazardous materials (flammable,
toxic, corrosive, etc.)
 Failure or substandard
performance of one or more
barriers resulting in the potential
or actual operation of the highest
safety barrier (e.g. opening of
safety valve to flare)
 The presence of hazardous
material in systems which are
not designed to contain it
Incidents
Demands on
Safety System
Development of incident
scenario prevented by a
planed barrier
Near Miss
Just luck that no
accidental consequences
occurred
Accident
Harm to humans or
environment, damage of
equipment
all LOPC events
incl. LOPC to secondary
containment
PS related
production loss
e.g. due unavailability
of barriers or
equipment

66 |
PSPI types of indicators
Tier 1
LOPC* events with
greater consequence
 LOPC exceeding threshold
 human harm due LOPC
 asset damage after fire / explosion due LOPC
not yet all LOPC without environment
consequences registered
Tier 2
LOPC events with
lesser consequence
 LOPC exceeding threshold
 human harm due LOPC
 asset damage after fire / explosion due LOPC
not yet all LOPC without environment
consequences registered
Tier 3
Challenge to safety
system
 small fires / explosions
 minor LOPC events
 primary containment inspection outside limits
 demands on safety system
 safe operating limits excursion
 critical operational deviation
many of these events are not
registered; some are in other systems
(e.g. shift logs, computerized
maintenance systems)
Tier 4
Operating Discipline &
Management System
Performance
focusing on:
 Management of Change (MoC) events
 Process hazard and risk analyses (PHA)
 Action follow up
 Inspection of safety critical systems
 PS audits
 PS related training
 Pre-startup safety review (PSSR), etc.
 PTW failures
find the right leading indicators to
improve your (lagging) PSE
performance

68 |
Decision Logic Tree for Tier 1 & 2
An employee, contractor or subcontractor
“days away from work” injury and/or fatality;
or A hospital admission and/or fatality of a
third-party
An unplanned or uncontrolled release of any
material, including non-toxic and non-
flammable materials (e.g., steam, hot
condensate, nitrogen, compressed CO2, or
compressed air) from a process that results
in one or more of the consequences listed
below:
An officially declared community evacuation or
community shelter-in-place
A fire or explosion resulting in greater than or
equal to $25,000 of direct cost to the
Company
A pressure relief device (PRD ) discharge to
Atmosphere whether directly or via a
downstream destructive device that results in
one or more of the following four
consequences:
liquid carryover; or
discharge to a potentially unsafe location; or
an on-site shelter-in-place; or
public protective measures (e.g., road
closure);
and a PRD discharge quantity greater than the
threshold quantities Table 1
A release of material greater than the
threshold quantities described in Table 1 in
any one-hour period
A fire or explosion resulting in greater than or
equal to $2,500 of direct cost to the Company
An employee, contractor, or subcontractor
recordable injury
A pressure relief device (PRD) discharge to
atmosphere whether directly or via a
downstream destructive device that results in
one or more of the following four
consequences:

liquid carryover; or
discharge to a potentially unsafe location; or
an on-site shelter-in-place; or
public protective measures (e.g., road
closure);
and a PRD discharge quantity greater than the
threshold quantities Table 2
A release of material greater than the
threshold quantities described in Table 2 in
any one-hour period
A Company may choose to record a Tier 3
other LO PC
Not a Tier 1 or
Tier 2 PSE
Tier 1 PSE
Tier 2 PSE
No
No
No
No
No
No
No
No
No
No
Yes
Yes
Yes

69 |
Tier 3 Consequences
 Safe operating limit excursions
 Primary containment inspection outside limits
 Demands on safety systems
 Critical operational deviation
 LOPC event below Tier 1 & 2 threshold
A Tier 3 PSE typically represents a challenge to the barrier system that progressed
along the path to harm, but is stopped short of a Tier 1 or Tier 2 LOPC consequence.
Indicators at this level provide an additional opportunity to identify and correct
weaknesses within the barrier system.

70 |
Safe Operating Limit Excursion – Tier 3
The process has an excursion
beyond the normal high or low alarm
limits.
A single initiating event may result in
multiple SOL excursions (e.g. site-wide
failure of a utility) and each excursion
should be counted as a separate Tier 3
PSE.
A process condition that hovers near
the SOL value may result in multiple
excursions. These excursions should
be counted as a single Tier 3 PSE.
Abbreviations
NEL – Never Exceed Limit.
RV – Relief Valve
PAH – Pressure Alarm High

71 |
Primary containment inspection outside acceptable
limits – Tier 3
This is a test or inspection where the
result is outside the acceptance criteria
and triggers some form of remedial action
(such as replacement in kind, repair,
modification, increased inspection/ testing
or de-rating of the equipment).
Examples include:
 A penetrating corrosion defect beyond
the corrosion allowance of a pipe.
 Subsidence of a pressure vessel support
outside acceptable limits.
 Excessive vibration of a small bore
instrument tapping on a larger diameter
process pipe.
 Missing flange bolts on a process
pipework joint.

72 |
Demands on safety systems - Tier 3
Safety Systems are ones which prevent a LOPC
or detect, control or mitigate the effects of an
LOPC.
Demand means they are activated by a valid
signal from the process. The system does not
have to activate.
Where multiple devices constitute one system
then activation of that system counts as one PSE.
 Where a vessel has a number of relief
valves to provide suitable flow, activation of
one or more of these valves constitutes one
PSE as they represent a system.
 Activation of a Safety Instrumented System
 Activation of Mechanical Shutdown System
The count of Demands on Safety Systems is typically segregated by system type (e.g. SIS,
PRD, and Mechanical Trip).

73 |
Critical operational deviation – Tier 3
This represents operational activity outside
good operating practice and/ or non
compliance with company Procedures.
 Operating without adequate
measurement of critical process
parameters.
 Operating with inoperable safety
systems.
 Operating with uncontrolled
modifications / repairs to the process
plant.

74 |
Tier 4: Operating Discipline & MS Performance
Tier 4 indicators typically represent performance of individual components of
the barrier system and are comprised of operating discipline and
management system performance.
Tier 4 indicators are indicative of process safety system weaknesses that
may contribute to future Tier 1 or Tier 2 PSEs. In that sense, Tier 4
indicators may identify opportunities for both learning and systems
improvement.
Examples include:

Process Safety Action Item Closure

Training completed on schedule

Safety Critical Equipment Inspection

Management of Change (MoC) Compliance

Completion of Emergency Response Drills

75 |
EXERCISE
PSE CATEGORISATION

76 |
Has a person been injured by a release of hazardous substances?
Event Class Comment
A blow out of a gas well occurred during cement plug. An
operator was hit by mud and gas and needed hospital treatment.
Tier 1
Tier 1 due to the fact of hospital treatment; additionally the
release amount may also have resulted in a Tier 1 event
While stealing a piece of pipework the gas released from that
pipe ignited and the thefts suffered severe burns.
Tier 1
Even though the reason for the injuries is a malicious act it
is counted.
LPG from leaking pipework ignited and blasted the retail service
station causing injuries and damage of the building. Tier 1
Tier 1 event due to the injuries and the asset damage. This
event will not be included in external reporting since the
retail station is not operated by OMV.
An operator slipped and fell while responding to a small spill of
liquid with a flash point < 23 °C spill resulting in a days away
from work injury.
Tier 1
The operator was responding to a LOPC
A scaffold builder experiences a days away from work injury
after falling from a scaffold ladder while evacuating from a LOPC
on nearby equipment.
Tier 1
An operator walks past a steam trap that discharges to an
unsafe location. The steam trap releases and the operator’s
ankle is burned by the steam, resulting in a days away from
work injury.
Tier 1
Even though the LOPC was steam (vs hydrocarbon or
chemical), the physical state of the material was such that it
caused a day away from work injury and it was an
uncontrolled release (i.e. unsafe location). Nontoxic and
non-flammable materials are within the scope of this
recommended practice.
A contractor enters a vessel and dies because nitrogen
inadvertently leaked into the enclosure.
Tier 1
Fatality associated with an unplanned or uncontrolled
LOPC
A maintenance contractor opens a process valve and gets
sprayed with less than the Tier 1 or Tier 2 quantity of sulfuric
acid resulting in a severe burn and days away from work injury.
Tier 1
Unplanned or uncontrolled LOPC that resulted in a days
away from work injury. If this incident had resulted in a
recordable injury, it would be a Tier 2 PSE.
A PRD release of sour gas less than the Tier 1 threshold
quantity is routed to a flare which exposes two personnel to toxic
SO2/SO3 vapors resulting in a LWDI.
Tier 1
Multiple Tier 1 consequences: Human and unsafe PRD
release
Classification of PS Events
1
2
3
4
5
6
7
8
9

77 |
Has a person been injured by a release of hazardous substances?
Event Class Comment
There is a 100 kg spill of liquid with a flash point < 23 °C (73 °F)
that ignites and results in damages to other equipment, a toxic gas
release above the reporting threshold, along with three days away
from work injuries and one fatality.
Tier 1
This is a Tier 1 PSE. The site would record a single event with
multiple consequences (e.g., one fatality, three day away from
work injuries, fire, and threshold quantity of liquid with a flash
point < 23 °C and toxic gas).
During routine tour an operator suffered burns on his foot by
leaking condensate from a steam tracing which required medical
treatment.
Tier 2
Tier 2 due to the need of medical treatment. The release of hot
condensate itself would not be a PSE.
A short circuit occurred in switchgear panel and caused burns of a
contractor requiring medical treatment
Tier 2
Following industry recommendations we consider electrical
incidents in internal PSE reporting.
An operator walks through a process unit and slips and falls to the
ground and suffers a days away from work injury. The slip/fall is
due to weather conditions, “chronic” oily floors and slippery shoes.
no PSE
Personal safety “slip/trip/fall” incidents that are not directly
associated with evacuating from or responding to a LOPC are
specifically excluded from PSE reporting.
An operator slipped and fell on a spill several hours after the
incident had concluded. This would not be a reportable PSE.
no PSE
Personal safety events that are not directly associated with
onsite response to a LOPC are excluded. Slips/trip/falls after
the LOPC has concluded (such as “after-the-fact” clean-up
and remediation) is not directly associated with onsite
response.
A vessel has been intentionally purged with nitrogen. A contractor
bypasses safety controls, enters the enclosure and dies. no PSE
This is not a PSE because there was no unplanned or
uncontrolled LOPC, but it would be recorded on the
company’s injury and illness log.
An operator disconnected a steam hose which was still under
pressure and suffered light burns.
no PSE
The injury required only first aid, and the steam is no counted
as LOPC of hazardous substance.
A maintenance technician is turning a bolt on a process flange with
a wrench. Due to improper body positioning, the wrench slips and
hits the employee in the mouth, requiring dental surgery and two
days off work.
no PSE
No unplanned or uncontrolled LOPC involved with the injury
An operator takes a sample. On the way he falls, the sample
container breaks and he suffers injury of the exposure to the
product.
no PSE
LOPC is from a piece of ancillary equipment not connected to
a process is not considered as PSE
An employee suffered burns by a spill of hot coffee. no PSE Office incidents are not PS related
While cleaning a joint screw a piece of frozen mud broke off and hit
the operator causing injury.
no PSE
This is not a loss of primary containment.
10
11
12
13
14
15
16
17
18
19
20

78 |
Has a fire or explosion occurred by a release of a hazardous substance?
Event Class Comment
Hot vacuum residue was released from a left open drainage, self-
ignited and damaged a pump. Tier 1
The immediate damage caused by the fire was above 25.000€
An electrical fire impacts the operation of the process resulting in an
acute release of 1500kg of light crude. Tier 1
This is a Tier 1 PSE since the LOPC exceeds the 1000 kg
reporting threshold for light crude.
A pump lube oil system fire from a leak causes damage greater than
€25,000, but does not create a LOPC greater than the threshold
quantity or cause a fatality or serious injury.
Tier 1
A forklift truck delivering materials inside a process unit knocks off a
bleeder valve leading to the release of (HC) condensate and a
subsequent vapor cloud explosion with asset damage greater than
€25,000.
Tier 1
A bearing failure of a turbine causes high vibration and eventually
leads to damage of the turbine > €100.000. Tier 1
Following industry recommendation we consider unplanned
release of mechanical energy under PS in internal reporting.
There is a loss of burner flame in a fired heater resulting in a fuel rich
environment and subsequent explosion in the fire box with greater
than €25,000 in damages to the internals of the heater. There was
no release outside of the fire box.
Tier 1
This would be a Tier 1 PSE since after the flameout the
continuing flow of fuel gas is now an uncontrolled release. The
intent is for combustion of the fuel gas at the burner and not for
fuel gas to be contained in the fire box.
There is a tube rupture in a fired heater causing a fire (contained in the
heater) resulting in greater than €25,000 in damages to the heater
internals (beyond that of replacing the failed tube).
Tier 1
The tube failure is a loss of primary containment of the process
fluid and combined with the additional damages greater than
€25,000 makes this a Tier 1 PSE.
A third-party truck loaded with a flammable product is traveling on
Company premises and experiences a leak and subsequent fire and
property damages of €75,000 (direct costs). Tier 1
The event will not be included in external reporting since truck
incidents are excluded except when they are connected to the
process for the purposes of feedstock or product transfer or
being used for temporary onsite storage.
A steam injection well fails with an explosion resulting in release of 10t
of fluids, a mixture of hydrocarbons and water. The direct cost
replacing and repairing damaged equipment was estimated over
€300.000 and a worker was injured, needing medical treatment.
Tier 1
Unplanned release causing fire and resulting in over €25.000
direct costs. The injury would result into Tier 2 but the higher
consequence counts.
The release of a hot steam from safety valve ignited wooden planks of
scaffolding and damaged the scaffolding.
Tier 2
The immediate damage was higher than 2.500€ but lower than
25.000€
Hydrocarbon fumes migrate into the QA/QC laboratory located within
the facility and results in a fire with €5000 damage. The source of
the hydrocarbon fumes is the oily water sewer system.
Tier 2
This incident is a Tier 2 PSE since the LOPC was from the
process and resulted in a Tier 2 consequence (a fire which
results in a direct cost greater than €2500).
21
22
23
24
25
26
27
28
29
30
31

79 |
Has a fire or explosion occurred by a release of a hazardous substance?
Event Class Comment
A pump seal fails and the resultant loss of containment catches on
fire. The fire is put out quickly with no personal injuries. However, the
fire resulted in the need to repair some damaged instrumentation and
replace insulation. The cost of the repairs, replacement, cleanup and
emergency response totaled €20.000.
Tier 2
Only the costs for repair and replacement of the equipment
damaged by the fire are to be considered. The cost for the repair
of the equipment which led to the fire must not be considered.
A vacuum truck outfitted with a carbon canister on the vent is loading
a spill of hydrocarbons. The carbon canister catches fire which
escalates to the point of creating more than €10,000 in damage to the
vacuum truck.
Tier 2
This is a Tier 2 PSE since the original spill of hydrocarbons
constitutes the LOPC and the response to the LOPC results in
one of the Tier 2 consequences.
Product from a small flange leakage dropped on a hot steam pipe
and started smoldering Tier 3
Negligible damage from a fire involving LOPC
There is a tube rupture in a fired heater. The operator detects the
tube cracking with only a small flame from the tube and subsequently
shuts down the heater with no resultant damage from the tube flame.
Tier 3
The LOPC did not result in any of the defined Tier 1 or 2
consequences. However, it was a fire resulting from an
unplanned LOPC.
During a hot work the sparkles ignited the vapor of an atmospheric
slop inlet. The fire damaged insulation material. no PSE
The fire does not involve an unplanned, uncontrolled LOPC.
(see above) If the fire threatened the installation it may be
reported as Tier 3 Critical Operational Deviation
A vacuum truck caught fire while standing in the hangar for repair. no PSE Fire in offices, shops, warehouses, etc. are not related to PS
A scaffold board is placed near a high pressure steam pipe and
subsequently begins to burn, but is quickly extinguished with no
further damage. The investigation finds that the board had been
contaminated by some oil, but there is no indication of an oil leak in
the area.
no PSE
no unplanned or uncontrolled LOPC
if the burning scaffolding threatens the process installation and
there is an increased risk of LOPC the event should be reported
under Tier 3 Critical operational deviation (COD)
An internal deflagration in a vessel causes equipment damage >
€25,000, but there was no loss of containment.
no Tier 1 or
2 PSE

Tier 3 COD
Does not meet the definition of a Tier 1 or Tier 2 PSE because
there was no LOPC involved.
The deflagration had critical potential for a LOPC event and will
thus reported under Tier 3 Critical operational deviation (COD)
An electrical fire, loss of electricity, or any other loss of utility may
occur that causes a plant shutdown and possibly incidental
equipment damage greater than $25,000 (e.g. damage to equipment
due to inadequate shutdown).
no Tier 1 or
2 PSE

Tier 3 CTSS
Does not meet the definition of a Tier 1 or Tier 2 PSE because
there was no LOPC involved.
The event needs to be reported under Tier 3 Challenge to Safety
System (CTSS)
There is a boiler fire at the Main Office complex, and direct cost
damages totaled €75,000.
no PSE
Fire in offices, shops, warehouses, etc. are not related to PS
32
33
34
35
36
37
38
39
40
41

80 |
Was there an unplanned release of hazardous substances?
Event Class Comment
A gas pipe broke and ~300m3 natural gas with 10% H2S was released
Tier 1
For mixtures the highest category counts. From given data
~45kg H2S have been released. The amount of natural gas
would classify as a Tier 2 event.
Ten bbl of gasoline (1400 kg) leak from piping onto concrete and the
gasoline doesn't reach soil or water. Site personnel estimate that the
leak occurred within one hour.
Tier 1
LOPC of 7 bbl (1000 kg) or more of liquid with a flash point < 23
°C in any one-hour period.
If the spill had been less than 1000kg, but equal to or greater
than 100kg, it would be a Tier 2 PSE.
A faulty tank gauge results in the overfilling of a product tank
containing liquid with a flash point < 23 °C. Approximately 50 bbl (7000
kg) of liquid overflows into the tank’s diked area. This incident is a Tier
1 PSE since it is a
Tier 1
Release of 1000kg or more within any one-hour period,
regardless of secondary containment.
An operator is draining water off a flammable crude oil tank with a flash
point of 60 °C or less into a drainage system designed for that
purpose. The operator leaves the site and forgets to close the valve.
Twenty bbl of crude oil are released into the drainage system within an
hour.
Tier 1
Release of crude oil is unplanned or uncontrolled and it is
greater than the release criteria of 14 bbl. If the drainage system
goes to an API separator and the oil is recovered (secondary
containment), this would still be a Tier 1 event because the
crude oil was released from primary containment.
A process vessel low level cutout fails to close a valve allowing 550kg
of a flammable gas to a floating roof tank resulting in a minor damage
to the tank roof.
Tier 1
Unplanned release above the Tier 1 threshold.
An operator discovers an approximate 10 bbl liquid spill of aromatic
solvent (e.g. benzene, toluene) near a process exchanger that was not
there during his last inspection round two hours earlier.
Tier 1
Since the actual release duration is unknown, a best estimate
should be used to determine if the TQ rate has been exceeded
(it is preferred to err on the side of inclusion rather than
exclusion). This incident is a Tier 1 PSE because the solvents
involved are Packing Group II materials and the threshold
quantity of 7 bbl is exceeded if the time period is estimated to be
less than one hour.
A leak on a high pressure hydrochloric acid line results in a spill of
860kg of hydrochloric acid. Flash calculations indicate that greater than
100kg of hydrogen chloride would be released as a vapor.
Tier 1 The 860kg release of hydrochloric acid would not a reportable
Tier 1 PSE since this liquid is categorized as a “Packing Group
II” corrosive liquid with a 1000kg reporting threshold. However,
since the liquid flashed or was sprayed out as an aerosol,
producing more than 100kg of hydrogen chloride, the event is be
a reportable Tier 1 PSE due to exceeding the 100kg or more of
toxic chemical within 1 hour.
A pipe fitting in a specialty chemicals plant fails, releasing 1800kg of a
mixture of 30% formaldehyde, 45% methanol, and 25% water in less
than one hour.
Calculations show that 450kg formaldehyde and 850kg methanol is
released.
Tier 1 This mixture is not classified by the UN Dangerous Goods/U.S.
DOT protocols; therefore, the threshold quantity mixture
calculation is applied. The pure component reporting threshold
of formaldehyde is 2000kg and methanol is 1000kg. For the
current release formaldehyde is 27% of the Tier 1 threshold and
methanol corresponds 85% of the Tier 1 threshold. In total 112%
of Tier 1 is achieved
42
43
44
45
46
47
48
49

81 |
Event Class Comment
A pipeline leaks and releases 900kg of flammable vapor above ground
within one hour; however, the release occurred in a remote location
outside the facility fence.
Tier 1
Remoteness is not a consideration and it exceeds a Tier 1
threshold quantity. For R&M operated pipelines the PSE will not
be included in external reporting (see Chapter ‎
IV).
A pipeline leaks and releases 900kg of flammable vapor above ground
within 1 hour. A public road bisects the main facility and its marine
docks. This pipeline originates in the facility and goes to the docks.
The leak site happens to be off the site’s property in the short segment
of piping that runs over the public road.
Tier 1
Although the leak technically occurs off-site, this is a Tier 1 PSE
since the facility owns and operates the entire segment of
pipeline.
A DOT covered pipeline that is owned, operated, and maintained by
Company A crosses through Company B’s property. The DOT covered
line has a 700kg release within an hour from primary containment of
flammable gas and causes a fire resulting in greater than €25,000
damage to Company A’s equipment.
Tier 1
This is not a PSE for Company B since the pipeline is not
owned, operated or maintained by Company B. This would be a
transportation incident for Company A.
A third-party barge is being pushed by a tug and hits the Company
dock. A barge compartment is breached and releases 50 bbl of diesel
to the water.
Tier 1
The event is not included in external reporting since the barge
was not connected to the process for the purpose of feedstock
or product transfer.
A third-party truck/trailer on Company Premises has a spill of gasoline
greater than 7 bbl in less than an hour while loading. Tier 1
The incident is included in external reporting since the truck was
connected to the process for the purpose of feedstock or product
transfer.
A pipe containing CO2 and 10,000 vppm H2S (1 % by volume) leaks
and 7000 kg of the gas is released within an hour. Calculations show
that the release involved about 55 kg of H2S (TIH Zone B chemical).
The release is a Tier 1 PSE because it exceeded the threshold
quantity.
Tier 1
If the H2S concentration is 50 vppm, then the calculated release
quantity would be 0.3 kg of H2S and would be counted as Tier 3.
A drilling subsurface blow-out comes to surface (along the casing path
to the surface) resulting in release of over 10t of flammable gas to
atmosphere
Tier 1
During and extended well test at slug of liquid extinguished the flare
flame resulting in a release of combusted natural gas as 250.000 SCF
per hour until the flare was reignited 10 min later. Tier 1
Uncontrolled release because the flare failed to operate as
designed after the flame out. The released amount is above
500kg within one hour.
While drilling a well, a shallow gas pocket was stuck, causing a loss of
well control. Mud, cuttings, and 100 barrels of oil wer released to the
environment and over 64.000kg of gas were discharged to
atmosphere.
Tier 1
50
51
52
53
54
55
56
57
58

82 |
Event Class Comment
A bleeder valve is left open after a plant turnaround. On start-up, an
estimated 15 bbl of fuel oil, a liquid with a flashpoint above 60 °C, is
released at 38 °C (below its flashpoint) onto the ground within an hour
and into the plant’s drainage system before the bleeder is found and
closed. This is a Tier 2 PSE.
Tier 2
Unplanned or uncontrolled release
If the release temperature would be above the flashpoint; thus, it
would be a Tier 1 PSE
An operator opens a quality control sample point to collect a routine
sample of product and material splashes on him. The operator runs to
a safety shower leaving the sample point open and a Tier 2 threshold
quantity is released.
Tier 2
Unplanned or uncontrolled release
A Company railcar derails and spills more than 7 bbl of gasoline while
in transit. Tier 2
The incident is not included in external reporting since it is not
connected to the process for the purpose of feedstock or product
transfer.
During loading a truck was overfilled and 150l heating oil spilled on the
paving. Tier 2
Unplanned release of a category 7 substance (see Table 2)
regardless whether the release is mitigated by secondary
containment.
A valve leak occurred in a gas turbine acoustic enclosure. The quantity
of gas released was 40kg. Tier 2
The quantity released exceeds the threshold quantity for an
indoor release of flammable gases.
While troubleshooting a higher-than-expected natural gas flow rate,
operating personnel find an open block valve on the natural gas line
releasing to an elevated vent location. Upon further investigation, it is
determined that a total of 1 million lb of natural gas was relieved at a
steady rate over a 6 month period.
Tier 2
This is not a Tier 1 PSE as the release rate (~100 kg per hour)
did not exceed the threshold quantity of 500 kg or more within
one hour); however, it is a Tier 2 PSE because it did exceed the
threshold of 50 kg or more within 1 hour.
An underground pipeline operated by the facility leaks and releases
450kg of diesel (flash point > 60 °C) at a temperature below its flash
point within the facility over a period of three days (6.5kg/hr).
Tier 2
The spill results in contaminated soil that is subsequently
remediated. This is a Tier 2 PSE since the leak rate was greater
than the Tier 2 threshold quantity.
A Company operated Marine Transport Vessel that had just
disconnected from the process has an onboard 10 bbl spill of material
with a flash point > 60 °C released at a temperature below its flash
point.
Tier 2
The event will not be included in external reporting since Marine
Transport Vessel incidents are specifically excluded, except
when the vessel is connected to the process for the purposes of
feedstock or product transfer.
A third-party survey boat is pulling a tube screen for seismic survey
and a shark bites into the tube releasing 7 bbl of hydraulic fluid into the
water.
Tier 2
The event will not be included in external reporting because
exploration activities are not in the scope.
59
60
61
62
63
64
65
66
67

83 |
Event Class Comment
100kg of diesel spills within an enclosed area during a period of 30min
while transferring fuel to a drilling platform while in-hole. Tier 2
The spill exceeds the indoor threshold and occurred during
transfer of fuel to a MODU (e.g., jack-up or drill ship).
An underground gasoil pipe was found leaking over several months.
Soil was contaminated and the loss was calculated 10l per hour. Tier 3
Here the amount released in any one-hour period is below the
Tier 2 threshold even though the total loss is higher.
A rupture of a flow line created a spill of 1000 l saltwater (oil fraction
negligible) Tier 3
Unplanned release of saltwater shall be recorded as Tier 3 PSE
if the exceeded 100l.
There is a 10 bbl spill of gasoline that steadily leaks from piping onto
soil over a two week time period. Simple calculations show the spill
rate was approximately 0.03 bbl per hour.
Tier 3
This is not a Tier 1 or Tier 2 PSE since the spill event did not
exceed the threshold quantity in any one-hour period. A
Company may choose to count this as a Tier 3 other LOPC
event.
Infrared scans identified that the separator floatation treater was
leaking 10.000 SCFD (standard cubic feet per day) from an agitator
seal. The separator continued to operate for 10 days until the treater
was taken out of service and its seals replaced
Tier 3
unplanned release below the thresholds for Tier 1 and 2 in any
one hour period
After collecting a load from an adjacent unit, a vacuum truck is parked
at the wastewater treatment facility awaiting operator approval to
discharge. While waiting the vacuum truck malfunctions and vents a
small amount of process material to the atmosphere.
Tier 3
This event will not be reported externally since vacuum truck
operations are excluded unless loading, discharging, or using
the truck’s transfer pump.
A low pressure steam pipe broke in winter and freezing condensate
caused icing of the pathway no PSE
Steam is considered as LOPC of hazardous substance unless
there is injury caused by the release.
An operator purposely drains 20 bbl of material with a flash point > 60
°C (140 °F) at a temperature below its flash point into an oily water
collection system within one hour as part of a vessel cleaning
operation.
no PSE
The drainage is planned and controlled and the collection
system is designed for such service, this is not a reportable Tier
1 or 2 PSE.
Routine monitoring of waste water indicates increased load of H2S but
below maximum allowable tolerance. no PSE
Emission within the allowable permits are not PSE
68
69
70
71
72
73
74
75
76

84 |
Was there a release of a pressure relief device to atmosphere?
Event Class Comment
There is a unit upset and the PRD fails to open, resulting in
overpressure of the equipment and a 10-minute release of 900kg of
butane from a leaking flange before it can be blocked in.
Tier 1
A relief valve operates and vents 250kg of a flammable gas directly to
atmosphere with a small liquid carry over estimated at 10kg
hydrocarbons
Tier 1
The total mass exceeded the thresholds and there was a small
liquid carryover
The flare system is not functioning properly due to inactive pilots on the
flare tip. During this time, a vapor load is sent to the flare due to an
overpressure in a process unit.
Tier 1
The volume of the vapor through the PRD is greater than the
Tier 1 threshold and it results in the formation of a flammable
mixture at grade to be considered as unsafe release.
A PRD activates resulting a substantial release exceeding Tier 1
thresholds on an offshore platform causing precautionary down-
manning or platform abandonment.
Tier 1
This is equivalent to an onshore situation resulting in an onsite
shelter in place.
100 bbl of naphtha liquid are inadvertently routed to the flare system
through a PRD. The flare knockout drum contains most of the release;
however, there is minimal naphtha rainout from the flare.
Tier 1
This is a Tier 1 PSE since the volume released from the PRD to
a downstream destructive device does exceed the threshold
quantity in Table 1 and resulted in one of the four listed
consequences (i.e. liquid carryover).
During a routine procedure of bleeding off of casing pressure the well
operators accidentally fully opened the valves. The bleeding off release
was estimated higher than 500kg.
Tier 2
Unplanned release of a category 5 substance (see Table 2)
There is a unit upset and the PRD opens to an atmospheric vent that
has been designed for that scenario, resulting in a release of 150 of
propane to the atmosphere requiring on-site shelter in place.
Tier 2
This is a Tier 2 PSE because it both exceeded the threshold
quantity and resulted in one of the defined negative
consequences.
A process upset caused a low pressure safety valve to open to
atmosphere no PSE
blow off is on a safe location, steam not considered as
hazardous substance unless nobody is injured
A sour gas vessel has a PRD that was identified in a recent PHA to be
undersized. In the process of making a transfer, the vessel
overpressures. A release of 30kg sour gas (TIH Zone B material)
occurs through this PRD to a safe location over a period of 25 minutes. no PSE
This would not be a Tier 1 or Tier 2, regardless of the HAZOP
finding, so long as it did not result in a liquid carryover, on-site
shelter-in-place, public protective measure or other indication of
discharge to an unsafe location. It is not counted as a Tier 1
LOPC since the system the overpressure opening is included in
normal operations design (although it is not a recommended
design).
77
78
79
80
81
82
83
84
85

85 |
Was there a need of community evacuation or shelter in place due to the release of
hazardous substances?
Event Class Comment
A leakage of a gas system which contains up to 10% H2S requires
evacuation of neighbors. Tier 1
Unplanned release of a category 2 substance requiring
evacuation
A PRD discharges to a srubber that vents to atmosphere. The
scrubber is overwhelmed by a flow rate greater the its design resulting
in a discharge that is detected by fence-line monitoring system and a
publich shelter in place order is issued
Tier 1
The release quantity is estimated less than the Tier 1 threshold.
However, the need for shelter in place classifies to Tier 1 PSE
A small quantity of very odorous material enters a cooling water
system via tube leak. The material is dispersed into the atmosphere at
the cooling tower. An elementary school teacher decides not to
conduct recess outside due to a noticeable odor even though officials
deemed no shelter-in-place was necessary.
no PSE
This is not a Tier 1 or Tier 2 PSE because of no official declared
shelter in place.
Less than 0.5kg of Hydrogen Sulphide gas is released while unloading
a truck at a refinery. The release is detected by a local analyzer and
triggers a unit response alarm. An off-duty police officer living in a
nearby home advises his neighbors to evacuate because “an alarm
like that means there’s a problem at the refinery.”
no Tier 1
PSE  Tier
3 LOPC
This is not an officially declared evacuation or shelter-in-place
because in this situation the officer is acting as a private citizen
suggesting a precautionary measure; therefore this is not a Tier
1 or Tier 2 PSE.
Evacuation because of bomb threat or other crime act
no PSE
Robbery, assault, crime acts (if not associated with hazardous
substance) are not PS related.
86
87
88
89
90

86 |
Have the safe operations limit of a process installation exceeded?
Event Class Comment
A sealing of the pump was damaged after the pump pressure
increased due to a blocked valve downstream of the pump Tier 3
The shut off head of the pump is obviously higher than the
design pressure of the sealing
A nozzle rated 16bar was accidentally installed at a 60bar pipeline. It
was found out during testing. No release created. Tier 3
The 60bar is well above the safe operating limit of the nozzle.
Overfilling of a fuel tank but not creating a spill.
Tier 3
In the overhead section of a process installation product stared to
freeze because of very cold winter. Tier 3
A faulty pump bearing was identified by a temperature high alarm. The
system was shut down to avoid further damage to pump and process. Tier 3
If the operation could have been continued with a spare pump it
will not be counted as PSE.
While drilling a well there was a loss of hydraulic overbalance resulted
in a well kick. The standard procedure to reestablish the well resulted
in a planned venting of the kick through the rig's choke and kill system
and de-gasser.
Tier 3
The release is planned and does not count under LOPC PSE.
The event counts under demand of safety system.
The car wash needs to be stopped because of lack of cleaning
substance. no PSE
Not relevant for safe process.
Have been inspection or testing results of primary containment found outside
acceptable limits?
Event Class Comment
Routine inspection of fuel tank yield critical degradation of the wall
thickness. Tier 3
A moving truck squeezes the fuel hose which suffers cracks.
Tier 3
During routine testing of a flow line a leaking flange has been identified
Tier 3
The leak is considered as fugitive emission and does not count
under LOPC
Parts of the metal cover of control cabinet loosened.
no PSE
Not relevant for safe process.
91
92
93
94
95
96
97
98
99
100
101

87 |
Was there an unplanned shutdown of a process installation or of its subsystems?
Event Class Comment
A technical failure of the LNG compressor causes the unit to shut-
down. Tier 3
Customer forgot the fuel hose in the car after filling and drove away.
The hose broke and the dispenser shut down automatically. Tier 3
T3 Challenge to safety system: demands on safety systems
designed to prevent or mitigate a LOPC event.
A propane tank over-pressures through a PRD to the flare system. The
pilots on the flare system are not working properly, and the flare does
not combust the vapors. The event transpires over a period of 45
minutes. The volume of propane release was estimated to be 600kg
and the release dissipated into the atmosphere above grade and
above any working platforms.
Tier 3
Even though the PRD release exceeded the Tier 1 threshold
quantity, this is not a Tier 1 PSE since the discharge was routed
to a downstream destructive device with no consequence listed
under Tier 1 PRD.
An upset causes a PRD to open and release fuel gas to the facility
flare system. The flare system works properly and combusts the vapor
release which came from the PRD.
Tier 3
This is not a Tier 1 or Tier 2 PSE since the PRD release was
routed to a downstream destructive device that functioned as
intended (i.e. did not cause one of the four listed
consequences).
A short circuit stopped power supply of the station. no PSE The shut-down is not cause for safety reasons.
A faulty flame detector triggered fire alarm. Firefighting checked the
situation and confirmed faulty alarm. no PSE
No shut-down of the system.
Was there an event within the process area which has no immediate PS consequence
but had critical potential for a PS event?
Event Class Comment
On a hot, dry summer day bushes close to a well site caught fire.
Firefighting services could prevent flash over to the installation. Tier 3
The fire threatened the installation and had thus the potential for
a severe process accident.
While refueling a customer car caught fire. Tier 3 The fire threatened the retail station.
A sewer pit exploded due to electrostatic ignition of the hydro-carbons
contained in the waste water. The sewer cover flew several meters
and damaged windows.
Tier 3
The explosion does not involve an unplanned, uncontrolled
LOPC. Acc. definition Tier 1 & 2 explosions and fires need to
result from LOPC.
A theft was stealing cables from the cathodic protection system. Tier 3
A truck damaged the support structure of a pipe rack. Tier 3
An internal leakage of a water cooler was identified by increased HC in
backflow cooling water. The unit had to shut down for repair. Tier 3
Marginal release. The unmanaged leak could have ended in
more severe consequences.
A car crashed into the shop window. not PS No risk to end up in a PS event.
102
103
104
105
106
107
111
108
109
110
112
113
114

88 |
Does the finding or hazard indicate an increased likelihood of a PS event?
Event Class Comment
Earthing cables found loosened / degraded / missing during inspection. Tier 4
Critical operating parameters changed without proper management of
change (e.g. increased H2S content) Tier 4
Slippery / icy paving. not PS Not relevant for PS
Are Process Safety relevant barriers missing or failing?
Event Class Comment
PS related docs not up to date (e.g. emergency plan for LOPC,
explosion protection documentation) Tier 4
Design data for equipment not available. Tier 4
A subcontractor entered the site using the access card of his
colleague. not PS
Event Class Comment
Missing emergency response devices (e.g. firefighting, oil spill,
emergency numbers)
Tier 4
A safety instrumented function is bypassed without appropriate
compensation measures and communication
Tier 4
A safety valve did not pop at the set pressure at the test bench.
Tier 4
Missing first-aid box not PS First-aid box and PPE have only limited PS relevancy.
Is there a deficiency of a management procedure related to PS
115
116
118
119
121
122
120
123
124
117

89 |
INTRODUCTION TO
OFFSHORE SAFETY CASE

90 |
 The Offshore regime is
based around the Safety
Case Regulations (2005)
which requires operators to
have a safety case for fixed
and mobile installations
accepted by the Health and
Safety Executive (for UK
operators)
 The safety cases need to be
maintained and submitted to
the HSE at various times
throughout the life cycle of
the installation.
Offshore regulatory regime

91 |
The contents of a safety case are detailed in the Safety Case
Regulations (2005) and should include:
 Description of installation (with drawings)
 Location plan of installation
 Operational parameters
 Maximum number of persons on installation
 Well control arrangements
 Description of pipelines including contents, dimensions and layout

92 |
 Description of compliance with PFEER regulations which include
description of risk assessments and the performance standards
for safety critical elements.
 Arrangements for protection against toxic gas
 Measures or arrangements for protection from hazards of explosion,
heat, smoke, toxic gas or fumes including provision for temporary
refuge.
 Specification for design of installation/plant and description of
suitability of safety critical elements.

93 |
HAZARD
A situation which poses a
threat to life, health,
property or environment
RISK
The probability that an
hazard will cause a given
damage under given
circumstances
Hazard and Risk
High Risk
Low Risk

95 |
Risk Assessment – General Tolerability Criteria

96 |
Risk Assessment – Individual Risk

97 |
Safety Case – Hazard Identification
The Safety Case has to consider the hazards that can occur in the
field, from both external and internal origin:
Internal
 Loss of Containment:
• Fire, Explosion
• Gas and Smoke Dispersion
 Process Hazards (HAZOP Review)
 Workplace hazards
 Transportation hazards (Helicopter)
External
 Marine Hazard (impacts)
 Dropped Objects

98 |
Safety Case – Study Structure
QRA
Performance Standards
HAZID
Escape, Evacuation and Rescue Analysis
Fire & Explosion Analysis
Gas & Smoke Dispersion Analysis
Emergency Systems Survivability Analysis
Marine Hazard Analysis
Dropped Object Study
SIL Analysis
MAE  SCEs
HAZOP

99 |
Safety Case Activities
As part of the Safety Case the following studies have to be developed.
 HAZOP Review
 Safety Integrity Level (SIL) Review
 Marine Hazard Analysis
 Dropped Object Study
 Fire and Explosion Analysis
 Gas and Smoke Dispersion Analysis
 Emergency Systems Survivability Analysis (ESSA)
 Escape, Evacuation and Rescue (EER) Study
 Performance Standards & Verification Scheme for SCE
 QRA Report
 HSE Management System Review Report
 Operational Safety Case

100 |
Safety Case – Engineering studies – Marine Hazards
Purpose:
to assess quantitatively the incidental collision frequencies between ships
passing in the vicinity of the field facilities, shuttle tankers visiting the field,
supply vessels and fishing vessels in the area.
Collision Scenarios:
 Passing vessels (commercial, passenger, recreational boat) powered
and drifting;
 Shuttle tankers;
 Supply vessels (powered and drifting);
 Fishing ships.
The parameters considered to assess the impact frequency are:
 Ship breakdown frequency;
 Probability of human error;
 Emergency response.

101 |

102 |
Damage:
Ships with tonnage higher than 5000 DWT are considered to cause major
damage to the impacted installation
Results
Total frequency of collision
Frequency of collision causing major damage

103 |
DWT > 5000
DWT>15000
DWT > 1500
DWT <1500

104 |
It is recommended that the supply vessel
approaches the platform away from the risers and to
create a limitation zone around the risers.
• Exclusion area of 7.1 km around the facilities;
• Signalisation and inscription on the maritime maps
of the field facilities;
• Marine radar system;
• Navigational aid systems on the platforms;
• Installation of an AIS (Automatic Identification System);
• Installation of a Radar anti-collision;
• Fog horn installed on each platform;
• Visual signals;
• Presence of supply vessel warning vessels entering the exclusion area;
• Supply vessel are forbidden to approach the facilities in case of bad weather;
• Shuttle tankers approach assisted by tug boat and only during the day.

105 |
Safety Case – Engineering studies– Dropped Objects
Purpose:
To evaluate quantitatively the dropped objects hit frequency on decks,
jackets and on oil and gas sealines.
The analysis covers the operation, drilling and work-over working
phases performed on the platforms and the storage barge.
Scenario:
 dropped objects from monorails impacting on main deck;
 dropped objects from cranes impacting on main deck;
 dropped objects from cranes impacting on the jacket structure;
 dropped objects from cranes impacting on the sealines.
The parameters considered to assess the impact frequency are:
• Drop frequency (from statistical data);
• Excursion in water.

106 |
Calculation technique (examples)
Assess the impact energies
Safety Case – Engineering studies– Dropped Objects

107 |
Safety Case –EER Analysis
Purpose:
Objective of the Escape, Evacuation and Rescue (EER) study is to
assess if successful evacuation from the manned facilities of the field
can be achieved.
Steps:
The EER study is a qualitative assessment of the performance of the
EER systems in response to the major accident events, which may or
may not require personnel to evacuate the platform in an emergency.
The analysis could be done by means of an “EER HAZOP”

108 |
Safety Case –Fire & Gas explosion

109 |
The analysis of the fire and explosion risks is performed in accordance
with the following steps:
 Identification of Credible Fire and Explosion Scenarios; (example)
• Release diameter for Minor release: 7mm (1/4”);
• Release diameter for Significant release: 25mm (1”);
• Release diameter for Major release: 100mm (4”).
 Evaluation of Random Rupture Frequencies;
• Each identified section has been analysed in order to evaluate the
expected rate of failure
 Assessment of Consequences of Fire and Explosion Scenarios.

110 |
 Frequency result
 Consequences result
• Pool fire
• Explosion
Release
diameter
Initial event
frequency
Frequency consequences [event/year]
[mm] [event/year] Jet Fire Explosion Flash-Fire Dispersion
7 5.90E-05 5.66E-08 0 2.36E-09 5.89E-05
25 8.86E-05 5.41E-07 0 2.98E-08 8.80E-05
100 2.95E-05 7.38E-07 1.33E-08 1.19E-07 2.86E-05
Location Equipment
Hole
diameter
Pool
diameter
Distance to Heat Radiation
[m]
[mm] [m]
37.5
kW/m2
12.5
kW/m2
5
kW/m2
- -
7 3 3.5 5.4 7.8
25
6 5 11 15.6
100
Location Equipment
Hole
diameter
Explosive
mass
Peak Overpressure distance
[m]
[mm] [Kg] 0.5bar 0.35bar 0.1bar
- -
7 0 - - -
25 0 - - -
100 17 122 126 147

111 |
All the numerical results of the engineering safety studies have to be
summarized in a Quantified Risk Assessment report, to demonstrate if the
Company Risk tolerability criteria are met.
Targets
 IRPA (Individual Risk Per Annum)
 PLL (Potential Loss of Life)
 TRIF (Temporary Refuge Impairment Frequency)
The above values are calculated for the groups of people in the facilities:
• Group 1: personnel in the living quarter / offices most of the time;
• Group 2: personnel in the control rooms (or other technical rooms)
most of the time;
• Group 3: personnel in the process areas (maintenance, etc.).
Safety Case –QRA

112 |
The QRA SUMS all the risks deriving from each of the hazards assessed
individually in the Engineering Safety Studies.
In formula:
 


n
i
i
i
i
Group p
v
f
IRPA
Frequency of one of the hazards assessed
in the safety studies
“Vulnerability”. The probability that an individual will die
due to the consequence associated to the hazard
Probability that an individual will
be present in the location,
at the moment of an accident
All the hazards identified
Safety Case –QRA

113 |
The calculation of risk requires an high number of calculations to be
done:
Safety Case –QRA

114 |
Total IRPA
P1 IRPA
P2 IRPA
P3 IRPA
Safety Case –QRA

115 |
Potential Loss of Life: PLL
Safety Case –QRA

Process Safety | Process Safety Management | PSM | Gaurav Singh Rajput

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Process Safety | Process Safety Management | PSM | Gaurav Singh Rajput

Similar to Process Safety | Process Safety Management | PSM | Gaurav Singh Rajput (20)

More from Gaurav Singh Rajput

More from Gaurav Singh Rajput (20)

Recently uploaded

Recently uploaded (20)

Process Safety | Process Safety Management | PSM | Gaurav Singh Rajput