Trends in Industrial Safety

Bhopal Gas Tragedy and its Effects on Process Safety

International Conference on the 20th Anniversary of the
Bhopal Gas Tragedy

Indian Institute of Technology, Kanpur, India

December 1 to 3, 2004

C.M. Pietersen MSc.

TNO Safety Solutions Consultants BV
General manager

Aspects of industrial Safety

Technical Safety:

• Hazard Identification and SIL Classification according to IEC 61508

• Qualitative Risk Evaluation e.g. by using Risk Graphs or- Matrices
• Quantitative Risk Analysis as also required by authorities (Location Specific
Risk and Group Risk)

Organisational Safety:

• Organisational factors associated with Safety

• Measuring effectiveness from audits en accident analysis studies
• The Tripod method for determining the Basic risk factors of an organization

Safety Culture:

• Safety Culture Maturity assessment

• Behaviour Safety Programs

1
Safety Management has Evolved

Behavioural
Assurance
Safety Performance

SMS - HSE -MS

Management focus

Human error / factor

Equipment

1960 1970 1980 1990 2000

Technical Safety

• Hazard Identification and SIL Classification

according to IEC 61508/ 61511
• Qualitative Risk Evaluation e.g. by using Risk
Graphs or- Matrices
• Quantitative Risk Analysis as also required by
authorities (Location Specific Risk and Group Risk)

2
HAZOP

Objective:

To identify and evaluate the unwanted causes and consequences

of foreseeable deviations in the process. This in a structured, and
systematic way.

How:

By a multi- disciplinary team in brainstorm sessions

Check acceptability of the risks involved
If necessary, formulate recommendations for improvement.

Alle leidingen rond vat zijn nodes

3
 Scenario: Overfilling LPG sphere

Scenario from the HAZOP:

> Overfilling and overpressure LPG sphere

Fit for Purpose Safety: When is risk acceptable?

> Determine the Loss of Containment (LOC) scenario
> Evaluate the consequences and frequency of the LOC scenario
> Determine the required risk reduction
> Deteremine the way to implement the risk reduction (e.g
overfill protection system)

Example: Mexico City disaster 1984 (500 victims)

Mexico City LPG depot

4
Consequences of overfilling

IEC 61508/ 61511 Standards

Risk evaluation in relation tot Safety

Instrumeneted systems

SIL Classification/-verification

5
 Bow-tie model:
‘Barriers’

PREVENT
C
MITIGATE O
N
H S
A E
Z Q
A INCIDENT U
R E
D N
S C
E
S

BEHAVIOUR
ORGANISATION
ENGINEERING

Equipment Under Control (EUC)

EUC Process BPCS

Alarm & Monitoring panels

Logic Solver Final

Sensor
Element

Safety Instrumented System (SIS)

6
 Risk Reduction
ACTUAL TOLERABLE INTERMEDIATE INITIAL RISK
REMAINING RISK RISK RISK

Risk with the

Risk with the Risk without the
addition of other
addition of other addition of any
risk reduction
risk reduction Protective
facilities and features
facilities
IPF function

INCREASING
RISK
NECESSARY MINIMUM
RISK REDUCTION

ACTUAL RISK REDUCTION

Partial risk
Partial risk covered by other
covered by
risk reduction facilities
SIS

Total risk reduction 15/01/96

The risk graph for safety

W3 W2 W1
C1
a - -

P1
1 a -
F1
P2
2 1 a
C2
P1
2 1 a
F2
P2
3 2 1

F1
3 2 1
C3
F2
4 3 2

C4
na 4 3

7
 Complete SIS

SIS = from Pipe to Pipe

Safety
Process Pipe
Process Pipe
Functions
Trip
Fail Safe Vent
Amplifier Air
s Output
TR

TR Safety Interlocks Fail Safe Vent

Output Air

TR
solenoid

Logic Solver

Sensors Final Elements

TYPICAL SIL 2 Type A

Process Pipe
FO
Process

from
DCS .PV

.EV

.T Type A SFF<60%
LOGIC SOLVER
SAFETY Type A SFF<60% FO
SIL 2
.T
SAFETY Type A SFF<60%
XPV

XEV
Type A SFF<60%

Acceptable,
If fail to danger of control valve is not part of the scenario.
Final
Sensors
Elements
Typical SIL 2A_1.0

8
Technical Safety

Quantified Risk Analysis (QRA)

Location Specific Risk

Group Risk

Location Specific Risk

9
 Group- or Societal Risk

TNO Colored Books

>Yellow Book: Physical Effects of releases

>Greene Book: Damages to people from the effects

>Purple Book: QRA parameters and data

>Red Book: Failure frequencies and probabilities

10
 QRA scheme

Plant data

Generic failure Derive failure cases

rate data

Calculate frequencies Calculate consequences

Calculate risks Meteorological

data

Population
Assess risks Ignition data
data

Pressure vessels Failure frequencies

(purple book)

Installation G1 G2 G3
Instantanious Instantanious Continuous
10 min Ø 10 mm
Pressure 5 x 10-7 5 x 10-7 1 x 10-5
vessel
Process 5 x 10-6 5 x 10-6 1 x 10-4
vessel
Reactor 5 x 10-6 5 x 10-6 1 x 10-4

11
 Organisational Safety

• Organisational factors associated with Safety

• Measuring effectiveness from audits en accident
analysis studies
• The Tripod method for determining the Basic risk
factors of an organization

Why is ‘good performance’ not enough?

performance Non-measurable
issues, alertness,
imagination,
flexibility, expecting
C
the unexpected

Culture
Measurable
requirements
B

HSE A
MS
compliance
HSE MS HSE MS
“in place” “fully implemented”

12
 SAFETY BY COMMAND

Organisational Factors Associated with a

Safety Culture

Senior management commitment

Management style
Visible management
Good communication between all levels of employee
[management action]
A balance of health and safety and production goals
[management prioritisation]

13
HSE management

Permit to Contract/
Work System Contractor
JSA/JHA Management
Techniques
Workplans Hazardous Situation
HSE Self Unsafe Act reporting
Appraisal
Situational
Awareness Diagnostic
Surveys
Site Visits
Violation
Survey
HSE Standards
& Procedures
Trends/
benchmarking
Competency
Programmes
Incident Investigation
(Tripod Beta)
HSE Assurance
letter Incident Reporting
Audits
Reviews

Safety Culture

chronic unease
GENERATIVE safety seen as a profit centre
new ideas are welcomed

resources are available to fix things before an accident

PROACTIVE management is open but still obsessed with statistics
procedures are “owned” by the workforce

we cracked it!
CALCULATIVE lots and lots of audits
HSE advisers chasing statistics

we are serious, but why don’t they do what they’re told?

REACTIVE endless discussions to re-classify accidents
Safety is high on the agenda after an accident

the lawyers said it was OK

PATHOLOGICAL
of course we have accidents, it’s a dangerous business
sack the idiot who had the accident

14
 Why Behavioral safety

Safety Improvement tomorrow

Human Behavior

Systems/ Equipment/
Methods Hardware/

Ten elements of Safety Culture Maturity ®

Visible management commitment

Safety communication
Productivity versus safety
Learning organisation
Participation in safety
Health & safety resources
Risk-taking behavior
Trust between management and frontline staff
Industrial relations and job satisfaction
Safety training

15
 What is behavior safety?

A programme, which becomes a habit, involving…

> Analysis of behavior and other causes of accidents
> Management (and later workforce) focusing on behaving
safely to avoid injury
> Observation, intervention, feedback and reinforcement

Some examples:
STOP DuPont
Behavior safety programs

What is behavior safety?

Results to Analyses of
3 steering observations 5
team to SHE cie SHE committee/
Data gathering MT team
and creating
score carts
4
Steering team: shop
floor & staff personell

Observations ABC analyses

results and action
2 implementation
Observation of
behaviors and
feedback

11
Identify at risk
behaviors and define
safe behavior

16
 Safety culture maturity model
Continually
re improving
l tu Level 5
y cu
a fe t
gs Cooperating Develop
i n consistency
ov Level 4
pr and fight
Im complacency
Involving Engage all staff to
develop cooperation
Level 3 and commitment to
improving safety
Managing cy
Level 2 Realise the importance en
of frontline staff and s ist
develop personal on
Emerging responsibility ngc
Develop s i
Level 1 ea
management
ncr
commitment I

Accident analysis

“Missed Opportunities”

Trevor Kletz: (4/12/2000, Singapore):

We find only a single cause (often last one in chain)
We find only the immediate causes
We list human error in a too general way
We list causes we can do little about
We do not share our lessons
We forget the lessons

17
 Learning from incidents

Six steps for effective learning from

incidents

www.safety-sc.com

Necessary steps

1. Detection of a SHE incident

2. Reporting of the incident
3. (Tripod) analysis of the incident
4. Establishing of the learning effects
5. Implementation of the learning effects
6. Checking the effectiveness of the implementation

18
Step 4: Establishing learning effects

INTENTIONS ACTIONS CONSEQUENCES

Management Supervisors Operational staff

RESOURCES 1
e.g. time, money,
DRIVERS people, materials
WORKING
standards, ENVIRONMENT
policies incidents
METHODS
e.g. planning,
coordination, control
3 2

1: Single-loop learning
2: Double-loop learning
3: Triple-loop learning

Learning loops

• Single-loop learning affects the way operational goals are achieved:

- Without changing the goals, methods or resources.
- It can be described as doing the same things better. It is visible
in modifications of a task protocol, working instructions or
procedures.
• Double-loop learning affects norms and organizational targets:
- It can be described as doing things in a better way. Such
changes are visible as changes in resources and methods used.
• Triple-loop learning affects the drivers (policies and values) of an
organization on a high level.
- It can be described as doing other things.

19
Learning on various organizational levels

Learning from
incidents

Corporate SHE&M
Learning
from Learning
incidents From
incidents

BG 1 or regional Group
Learning from
BG 2 or regional Group incidents
From
Site Site incidents
A B

Site X Site Y

Learning on various organizational levels

• Learning can take place on several levels (see figure):
a. on site level;
b. on regional, BU / BG level, i.e. for groups of plants/sites that have
similar activities and use similar technologies;
c. on corporate level, i.e. for the whole or for several BG’s.
• Site level: over the shifts, the learning process varies, depending on:

1. quality of information given (see communication)

2. support given by the (SHE-)manager
3. involvement felt (“can it happen to me?”)

• Other levels: effective learning become more complex. On higher

organizational levels, learning can only take place based on selected issues
that are shared by a larger number of units within the organization and
that are controlled by a higher organizational level

20
 Tripod accident investigation

Measure fore effectiveness of Safety Management

Measure for vulnerability for Human Factor problems
Management of Human Factor Problems
Control the Controllable

Tripod Basic Risk Factors (BRFs)

The Prevention BRFs
> Design (DE)
> Tools & Equipment (TE)
> Maintenance (MM)
> Housekeeping (HK)
> Error Enforcing Conditions (EC)
> Procedures (PR)
> Training (TR)
> Communication (CO)
> Incompatible Goals (IG)
> Organisation (OR)
The Mitigation BRF
> Defences (DF)

21
 Tripod Condition Survey
'State of
High 100
the art'
Company 1
Company 2
75 Best 25%
Measure of
control
Mean score for
50
Industrial sector

25 Worst 25%

Low 0 Disastrous
DE TE MM HK EC PR TR CO IG OR DF

BRF

Bow-tie model

PREVENT
C
MITIGATE
O
N
H S
A E
Z Q
INCIDENT
A U
R E
D N
S C
E
S

BEHAVIOUR
ORGANISATION
ENGINEERING

22
HET diagram as part of the Bow-tie

Event/
Hazard Consequence Target
Control Defence

Acitive
Active failure
failure

Precondition Precondition

Latent Failure Latent Failure

Closing Remarks

>Technical Safety is ‘ only’ starting point

>Technical safety is undermined by Human Factors as a

result of the Safety Culture and the related behavior.

>A mature HSE system includes Organizational and Safety

Culture aspects

>Constant feedback from detailed accident analysis studies

is required.

23