2. Confidential
Table of Content
February 5, 2023
2
MBT Tank Overfill - briefing by Technologist
AI – PSM
Barrier Thinking
SCE & Performance Standard
Safety Critical Position & Safety Critical Activity
Common Failures
Swiss Cheese Model
Conclusion
Quiz
Group activity
5. Confidential
AIPSM Structure : 4 main aspects
Our Assets are safe and we know it.
Design
Integrity
Technical
Integrity
Operating
Integrity
Integrity
Leadership
Maintain the
hardware barriers
Design and build so
that AI-PS risks are
ALARP
Work within the
operational
envelopes
Design HSE Case
Design & Engineering
Practices
Ops. HSE Case
Processes and
Procedures
Assessment & assurance processes
Integrity Leadership engagement
Learning From Incidents
Competency assurance programme
6. Confidential
6
Requirements Handled by Workstream
HSE Case
#1 Identify and document PS hazards
#2 Manage risks to ALARP
#3 Manage competencies in HSSE Critical Positions
#6 Supervision of HSE Critical Activities (Identify)
#12 Process Safety Reviews (PSRs)
Maintenance and Integrity Execution (MIE)
#15 Technical Integrity of HSSE Critical Equipment
#16 Maintain HSSE Critical Equipment
Operating Integrity (OI)
#7 SoF (restart of Existing Asset)
#13 Work in Classified Areas
#14 Operate within Operational Limits
#17 Permit to Work
Well Integrity
All requirements covered via Well Integrity Management Manual (WIMM)
Projects and Engineering Integrity (PEI)
#7 SoF – Start-up of New Assets / Modes
#8 Technical Integrity in Design / Construction
#9 Use of DEM 1s
#10 PSBR Requirements
#11 Documentation for HSSE Critical Equipment
Management of Change
Integrity Leadership
#22 Demonstrate Leadership in PS
Requirements Handled by Workstream
#4 Fitness to Work by employer
#5 Contract Holders role in HSSE
#6 Supervision of HSE Critical Activities (Execute)
#18 Single Point Accountability for PS
#18 Annual Review of PS Risks to the Business
#20 Annual Review of PS risks to the Asset
#21 Risks Managed to ALARP
OUR ASSETS
ARE SAFE
AND
WE KNOW IT
Vision / Goal
Integrity
Leadership
Technical
Integrity
Design
Integrity
Operating
Integrity
Workstreams and 22 AIPSM Manual Requirement
8. Confidential 8
Footer: Title may be placed here or disclaimer if required. May sit up to two lines in depth.
Because we want to prevent scenes like this ...
Design
Integrity
Technical
Integrity
Operating
Integrity
Integrity
Leadership
Design
Integrity
Technical
Integrity
Operating
Integrity
Integrity
Leadership
Why are we focusing on Asset Integrity Process Safety?
9. Confidential
Process Safety vs Personal Safety
What are the differences between Personal
Safety and Process Safety?
Which one is more critical?
10. Confidential
Personal vs. Process Safety
05 February 2023 10
Personal and Process Safety describe two different types of risk
that can lead to injury and/or fatality.
PERSONAL SAFETY
INCIDENTS
PROCESS SAFETY INCIDENTS
Typically workplace accidents
(slips/trips/falls)
Typically major release of flammable or
toxic material from process facilities.
Typically unsafe work behaviors or
unsafe working environment
Typically failure in engineering or human
controls/recovery
Typically low impact (personnel, asset) Typically high impact (people, asset)
High probability Low probability
Can be Deadly Can be Deadly
14. Confidential
Objectives
Understanding Risk.
Learn about the steps of Risk Assessment
Barrier thinking.
Learn what barriers are, how to support and maintain
them, as well as what will weaken or remove them.
Threat Line and Bow Tie Analysis.
Learn how critical equipment barriers, critical human
barriers, and critical activities link together to provide
an effective barrier against threats.
Swiss Cheese Model of Risk Analysis.
Learn how multiple barriers are used to separate
people form harm.
18. Confidential
Asset Integrity – Process Safety
AI-PS is about preventing process safety incidents resulting from the
unintentional release of energy or hazardous substances.
Keeping It In The Pipe
(Control)
Dealing With Releases
(Recovery)
19. Confidential
Bow Tie
A pictorial presentation of how a hazard can be
hypothetically released and further developed into a number
of consequences.
05 February 2023 19
20. Confidential
The Concept
For risk to exist, four elements must be present:
Hazard
Threats
Top Event
Consequence
Threat release scenario are called ‘Initiating events’.
05 February 2023 20
21. Confidential
Threats
Threats : a possible cause that will potentially release
a hazard and produce an incident.
Identifying threats is an essential step in the prevention
and mitigation of incidents.
Eg : Consider
a. the loss of a hydrocarbon (hazard) containment due to the corrosion of a
pipe,
b. the brittle fracture of a pipe
c. a tank overfill.
These are three different threats.
The barriers to be implemented to prevent the release of the hazard will
be significantly different for these three threats.
A high level alarm may be essential to prevent tank overfills, but will not
in any case help address corrosion.
Barriers are thus, often only valid for the threat being considered.
05 February 2023 21
23. Confidential
What are Barriers ?
Measures to prevent threats from releasing a hazard or
measures to limit the consequences arising from the top
event.
Barriers need to be put in place to control risks, through
the HEMP process. Within our business processes and
activities, there are tasks which maintain these barriers.
24. Confidential
Barrier Expectations
05 February 2023 24
To work, a barrier in itself must be able to:
Stop the threat from releasing the top event
Mitigate or reduce the consequences after the top event
Effective, Independent, Auditable
26. Confidential
Barrier Types
Equipment barriers (hardware)
– eg, a pressure relief valve
Human barriers (human interventions)
– eg, following a procedure
Combination of both
– eg, a high level alarm & the operator responding
27. Confidential
Equipment Barriers
Equipment Barriers
– equipment/hardware/software/assets that are
intended to prevent or reduce the harm from a hazard
Examples : High level alarm + Operator Action for a tank, a
bund wall, a relief valve, an electrical grounding wire)
14
28. Confidential
Equipment Barriers in our business…
High pressure trip system
Tank high level alarm systems + Operator Action
Automatic valve shutdown systems
Pressure relief valves
Fire & Gas Detection System
Fire deluge system
Corrosion injection system
Open hazardous drains
Control valves to control flow or pressure
Fences
Signs
26
29. Confidential
Human Barriers
Human Barriers – a person performing an action that
prevents or reduces the harm from a hazard.
Example: A person checking to make sure there is enough
room in a tank prior to receipt.
Note : a people barrier is not a barrier unless the person is
performing some action! A manual is not a barrier because it
does nothing by itself!)
16
30. Confidential
Human Barriers in Our Business
• Operator de-pressurising an equipment using a procedure
• Operator following a tank inventory procedure before filing tank
• Responding to a tank high level alarm
• Completing a Permit to Work
• Taking corrective action in abnormal situation
• Closing manifold valves after a tank receipt
• Communicating with third party prior to pipeline or vessel receipt
to tankage
• Shift change documentation and communication
• An operator following an emergency response containment
procedure
• Site guard checking credentials before allowing entrance to site
if there is no action being performed there is no barrier (a manual itself is not a barrier)!
28
32. Confidential
Control Barrier (2)
Controls Barriers
Examples :
Design: Guards, shields, threat elimination, or automatic process
shutdown
Operations: The people and equipment that allow you to operate
within the operation envelope, or operations intervention activities.
Management System Processes /Control
(Eg, MOC or Technical Integrity Management)
Management System Processes are not barriers
Critical Business Processes in HSE MS
Are supporting Activities /Processes to a design/operations barrier
on the bowtie. Following these processes can be a barrier.
05 February 2023 32
33. Confidential
Recovery Barrier (1)
05 February 2023 33
Barriers that limit or mitigate the consequences arising
from the top event are called Recovery Barriers.
They sit between the top event and the possible
consequences.
34. Confidential
Recovery Barrier (2)
Recovery Barrier
Examples :
Design: Spill containment, dikes, automatic water spray, or ignition
control
Operations: Operations intervention, rescue team response.
Management System Processes / Control (Eg, Emergency Response
Mgt)
Management System Processes are not barriers
Critical Business Processes in HSE MS
Are supporting Activities /Processes to a design/operations barrier
on the bowtie. Following these processes can be a barrier.
05 February 2023 34
36. Confidential
Barrier Effectiveness (1)
Effective – The barrier prevents the consequence when it
functions as designed (ie, big enough, fast enough, strong
enough).
An effective barrier shall have the following three elements:
I. A detector- detects the condition that requires action
II. A logic solver- decides action is to be taken
III. An actuator – action taken to address the condition
5 February, 2023 36
38. Confidential
Barrier Independency
Independent
Independent of the initiating event (threat) and the
components if any other barrier already validated for the
same condition.
The barrier can not be considered independent from one
another if there is a common cause failure.
Example of dependence:
Threat: Instrument air failure, all barriers that need
instrument air are dependent and thus not valid.
5 February, 2023 38
39. Confidential
Barrier Auditability
Auditable - The barrier can be evaluated to assure that it
can operate correctly when it is called upon.
A critical activity shall be available to maintain the
barrier.
This links to accountability, responsibility & competence
assurance .
The barrier shall reduce the risks by a factor at least 10,
the Probability of Failure on Demand (PFD) is maintained
at no greater than10 %.
This link to requirements for maintenance & inspection in
maintenance system (like SAP). 5 February, 2023 39
43. Confidential
Safety Critical Element SCE (1)
SCE : An item of equipment or structure whose failure could
lead to the release of a Major Hazard or whose purpose is
to prevent or limit the consequences of a major incident,
excluding business loss.
Performance standard (PS) : A statement, which can be
expressed in qualitative or quantitative terms, of the
functional performance required of a system or item of
equipment, and which is used as the basis for managing the
risk from the Major Hazards.
05 February 2023 43
44. Confidential
Safety Critical Element SCE (2)
SCE Features
Reliable / Robust : SIL, Redundancy
Availability : Spares stock, stringent assurance requirements
(PMs, CMs) more frequent maintenance
Standardization : Inter changeability
SCE Management tools
CMMS - for managing the tasks and results recording.
Total Reliability (TR) Measures dashboard - for performance
indicator reporting and trending.
Facilities Status Reporting (FSR) tool - for status reporting and
deviation management.
05 February 2023 44
45. Confidential
Performance Standard
05 February 2023 45
Describes the minimum performance criteria for a Safety
Critical Element
is used as the basis for verification throughout the lifecycle of
the facility
is a statement, which can be expressed in qualitative or
quantitative terms, of the performance required of a system,
item of equipment, person or procedure
used as the basis for managing the Hazard according to the
HSSE Case (e.g. planning, measuring, control or audit through the
lifecycle of the installation).
Each SCE has a Performance Standard
The Technical Authorities shall own Performance Standards
46. Confidential
Safety Critical Positions
An HSSE Critical Position is :
a position that can impact significantly on the execution
of HSSE Critical Activities at the operational level or
management level,
or at both levels, because the position has
responsibility for performing Level 1 or Level 2 HSSE
Critical Tasks or a combination of Level 1 and Level 2
HSSE Critical Tasks, as documented in the Business
Unit HSE-MS or HSE Cases.
05 February 2023 46
47. Confidential
Safety Critical Activities
05 February 2023 47
HSSE critical activity :activity that can impact significantly on the
control of the hazards & risks. Necessary to provide or maintain
barriers and recovery measures to assure that HSSE risk
objectives are continuously met.
An HSSE critical task : action required for the execution of an
HSSE critical activity.
Critical activities maintain
barriers to keep them from
deteriorating.
48. Confidential
HSSE critical tasks are divided into two types :
Level 1 : Tasks are ones where a mistake can directly
cause an accident. Operational tasks required for the
execution of HSSE Critical Activities, where actions (or
inactions) taken while performing such tasks could lead
directly to a significant incident. associated with the Control
or Recovery elements of HEMP.
Level 2 : Tasks where a mistake can make an accident
more likely. Tasks required for the execution of HSSE
Critical Activities, where action (or inaction) while
performing such tasks could lead indirectly to a significant
incident.
05 February 2023 48
49. Confidential
Examples
Level 1 : HSSE Critical Tasks performed by plant operators,
technicians, vehicle drivers, aircraft pilots, ship’s captains,
emergency response, and recovery from emergency.
Level 2 : Normally supervisory-related, such as identifying
/assessing staffing requirements to implement processes,
and the Control and Recovery elements of HEMP. Refer to
the appropriate HSE-MS and HSE Cases to identify these
tasks.
Competence requirements for these tasks have to be
defined in the Job Competence Profiles. These will be
loaded into the Shell People competence system.
05 February 2023 49
51. Confidential
Bow-tie link to Critical Activities, Process & Equipment
Each barrier has to be assigned to a critical activity to ensure it
will work when the situation needs it.
P:5B A:5C
Unrefined
Hydrocarbon
Material
selection
of piping
LOPC
Internal
corrosion
(piping)
Fire
Chemica
l
injection
system
Emergency
Response
Design & operation
in compliance with
DEP
Critical Process
(RBI)
Critical Eq – Piping
Critical activity –
carry out the
maintenance
Chemical Injection
program
Critical Process
(Operation)
Critical Eq – injection
skid
Critical activity –
monitoring injection
rate, chemical
consumption
Emergency
Response
Critical Process
(ER)
Critical Eq – F&G
detectors, fire
fighting equipment
Critical activity –
PIP review, training
for response team
52. Confidential
Some Common Failures
Where we usually go wrong?
Poor line of sight,
Assignment to incompetent / inappropriate workforce
Susceptibility : Maintenance overrides/bypass, malfunction,
overdue PMs/CMs, obsolescence, Spare and availability,
destruction in incidences, use under excessive/beyond
design/operating envelopes
delegation without considerations (sit ins, turnovers,
resignations, manpower, vacations substitutes, etc)
05 February 2023 52
53. Confidential
Swiss Cheese Model
If the holes in the barrier walls
(holes in the slices of Swiss
cheese) line up, and the hazard
“escapes”, an incident may occur.
This is why we have multiple
barriers and why we maintain the
barriers.
Swiss Cheese has holes; barriers can have “holes” or deficiencies
19
54. Confidential
Swiss Cheese Model
“Barrier thinking” includes
addressing small holes at each
level. This keeps a series of small
holes from lining up and leading to
an incident.
20
The “Swiss Cheese Model” is a visual way to think about making sure
barrier holes are prevented
55. Confidential
Conclusion
Barrier thinking is a way of thinking that helps us:
Identify hazards
Put appropriate controls in place to prevent and contain
incidents
Ask what hazards we face and what controls can be initiated.
Encourage mind-sets that will:
Make sure effective barriers are in place.
Ask the right questions to put safety first.
Check effective barriers are in place.
Don’t assume it will be OK (based on previous experience)
05 February 2023 55
56. Confidential
Recap
What are barriers ?
Types of barriers
When are SCEs compromised :
How do we assure the SCEs are healthy :
Common Failures : Where we usually go wrong?
Ask yourself : What role do you play ?
05 February 2023 56
Critical Equipment Barrier, Critical Human Barrier, or combination of
both
Measures to prevent threats from releasing a hazard or measures to limit
the consequences arising from the top event
Maintenance overrides/bypass, malfunction, overdue PMs/CMs, obsolescence,
SPIRs unavailability, destruction in incidences, use under excessive/beyond
design/operating envelopes
PM/CM : Assigning the task to a competent person – SCE positions (Level 1 /
2 )
Line of sight, delegation without considerations (sit ins, turnovers,
resignations, manpower, vacations substitutes, etc)
59. Confidential
Question 1
What is Process Safety? (Choose the correct answer.)
a. Process Safety involves things that happen only
outside the boundary of the plant.
b. Process Safety includes things that happen at
home
c. Process Safety is about protecting you, your co-
worker, the plant and the community
d. Process Safety is mostly about protecting the
individual
60. Confidential
Question 2
What is Personal Safety? (Choose the correct answer)
a. Personal Safety involves things that happen only
outside the boundary of the plant
b. Personal Safety includes things that happen at home
c. Personal Safety is about protecting you, your co-
worker, the plant and the community
d. Personal Safety is mostly about protecting the
individual
61. Confidential
Question 3
Which of these activities is predominantly related to Process
Safety? Select all correct answer.
a. Putting on a safety harness
b. Conducting operator rounds
c. Responding to alarms
d. Selecting appropriate PPE
e. Selecting proper gasket
f. Following Emergency procedures
g. Function test of a shutdown device
h. Proper foot placement
i. Wearing a seatbelt
62. Confidential
Question 4
What is the purpose of Understanding Risk?
a. To protect the individual against slips, trips, and
falls
b. To distinguish between critical equipment and
human barriers
c. To provide a structured approach to managing
hazards in the workplace
d. To establish healthy and safety procedures
63. Confidential
Question 5
What is the proper order of the components for
Understanding Risk?
a. Assess, Recover, Control, Identify
b. Control, Recover, Assess, Identify
c. Identify, Assess, Control, Recover
d. Recover, Assess, Identify, Control
64. Confidential
Question 6
Which of the following accurately describes a barrier?
a. Process safety barriers prevent hazards from being
released or minimize the effect
b. Barriers never have weaknesses
c. Process safety barriers make my job more dangerous
d. A barrier often causes fire or explosion
65. Confidential
Question 7
There are two main types of barriers :
Critical _____ Barriers and Critical Human Barriers
a. Process
b. Equipment
c. Hazard
66. Confidential
Question 8
The Swiss Cheese model demonstrates how holes or
weaknesses in barriers line up to allow undesirable
events to occur
a. True
b. False
68. Confidential
Question 10
Preventing Abnormal Situations includes :
(Please select all appropriate answers)
a. Reporting or fixing small things before they become
bigger
b. Listening to your intuitions, sights, sounds and smells
c. Proactively communicating
d. Constant vigilance
69. Confidential
Question 11
The Bow Tie model is a tool used to analyse how we
manage hazards and potential consequences.
a. True
b. False
70. Confidential
Question 12
When multiple threat lines for a hazard are shown, they
appear in the shape of a ____
a. Brick wall
b. Swiss Cheese
c. Bow Tie
d. Triangle
72. Confidential
Barrier Exercise: “LINE OF FIRE” : Mobile Heavy
Equipment
What happened?
Worker run over by truck and injured, leads to fatality.
The Injured Party (IP) was walking on a road in sand quarry adjacent
to the accommodation site.
The IP stopped in the middle of the road behind a truck with his back to
it.
At the same time the truck started to reverse in preparation for sand
loading and knocked over and crushed the IP under its wheels.
The medics were on site immediately to apply first aid but were unable
to save the IP’s life.
05 February 2023 72
73. Confidential
Why did it happen ? (1)
Underlying causes :
Unclear accountability for managing (sand storage) site
access and sand loading activities.
Failures in applying safe worksite practices like
segregation of pedestrians and heavy goods vehicles
on project sites.
Allowing lower standards for visitors into the field area,
for the purpose of goods
05 February 2023 73
74. Confidential
Why did it happen ? (2)
Immediate causes
IP neither saw nor heard the project truck reversing.
The truck had a faulty reversing alarm; the driver had not
completed defensive driver training (which includes the
requirement to check behind/under the vehicle before
reversing).
On the day of the incident there were significantly more heavy
transport activities in the quarry than normally and therefore
higher noise levels.
Pedestrians and vehicles used the same road at the same time
(no segregation).
05 February 2023 74
75. Confidential
Barrier Exercise: “LINE OF FIRE”
“LINE OF FIRE” situation : Mobile Heavy Equipment
Review the incident below
Which hardware barriers are missing?
Which human barriers are missing?
Which process barriers are missing?
Class divide into 3 groups, each take one question. 5 mins for
discussion
05 February 2023 75
76. Confidential
HARDWARE Barrier failures
Barrier : Site Planning & Design Layout
No formal risk assessment was performed, which would have revealed
that the sand storage area was occasionally used heavily, as on the day
of the incident.
Barrier: Equipment
The truck was fitted with an automatic reversing alarm but this was not
working.
Having delivered goods to site, the truck was requested to do an extra
job. The normal and compliant sand truck was broken, hence the request.
Barrier: Equipment Monitoring Systems
A system such as Collision Avoidance Devices, was not present.
Barrier: Physical Barriers
Physical Barriers such as Exclusion Zones, Boundary Markers, Hard
and/or Soft Barriers or Berms were not present at the time of the incident.
05 February 2023 76
77. Confidential
HUMAN Barrier failures
Barrier : Hazard awareness
Not all involved were aware of the hazards behind the vehicle and no
checks were done before reversing.
Barrier: Following Procedures/Rules
The driver was also delivering goods to a contractor working at another
site. On that site he had been instructed to use the horn when reversing.
Local requirements were not known.
Barrier: Supervision
The nominated construction contractor supervisor was not seen on the
site, even on a day of heavy use.
While each site in the large area has an owner there is no overall owner
who takes accountability for coordinating and planning across the various
sites.
05 February 2023 77
78. Confidential
CRITICAL PROCESS Barrier failure
Barrier: Training & Competency
The driver had not passed the required defensive driving training,
he was on waiting list for training in September.
Barrier: Contractor Management
There was no contract holder review/audit or enforcement of
supervision on site.
Barrier: Company Standards – & Operating Procedures
The truck was allowed on to the site after inspection, on a
temporary visitor pass.
Failure to ensure that heavy machinery operating at construction
worksites met company standards. While there was a traffic flow
plan for the sand storage site and this was in the working
instructions, there were no signs at the site showing the planned
traffic flow or any other warnings, e.g.: no signs barring pedestrian
access or parking. 05 February 2023 78
81. Confidential
Team Activity: Identifying Barriers
Some of the barriers include:
pressure reliefs
pressure indicators
level transmitters
low level trip
site glasses
piping and valves
temperature and pressure gauges
inspection points
fire detection system
coupling guard
vibration measuring points
breaker
start/stop switch
asset integrity
various maintenance/inspection tasks
As you can see, there
are a lot of barriers out
there protecting us!
24