
Occupational health and safety management - industrial plants: safety engineering

K. Wood

1. INTRODUCTION

Safety engineering can be defined as all those engineering activities, beginning with conceptual design,
which contribute to the safety of an operating plant. These activities include positive measures
specifically intended to promote safety; the assessment of accident risks; and the monitoring of safety-
related systems and procedures. Responsibility for such activities may rest in several different
organizations, but the final responsibility for the safety of an operating plant must lie with the owner (UK
Act 1974).

In recent years much effort has been devoted to safety engineering in several different industries.
Principles and methods to limit and evaluate the probability of accidents and the severity of their
consequences have been developed in engineering management; in structural, thermal-hydraulic,
electrical, and control engineering; and in safety and risk analysis. Methods used in a particular industry
are often applicable to the safety engineering of any complex industrial plant, either new or operating,
which is potentially hazardous and may be subject to statutory regulations.

1.1 The incentive for safety and reliability

The basic criteria of merit for any plant are:

(i) economy of operation;

(ii) safety;

(iii) availability.

These criteria are themselves interdependent, and the relationship between safety, availability,
reliability, and quality is shown in Figure 13.1. Safety criteria and an availability target can be set in the
plant specification. Corresponding reliability targets are assigned to the various plant systems, with due
recognition of the difficulties and costs of achieving the targets. System design leads to the specification
of corresponding quality requirements for equipments and components.
The engineering methods described in this chapter are primarily intended to improve safety and
reliability. Their application will add directly both to capital and to operating costs but will also result in
cost benefits, and an economic case can be made for their use as follows.

The extra cost of safety-related engineering activities comes from two sources:

(i) additional effort in design, construction, and operation;

(ii) superimposed control activities.

Savings which can be expected from improved control of design, manufacture, and construction are:

(i) reduction in scrap, modification, and repair;

(ii) reduction in programme delays.

Benefits which can be expected during plant operation are:

(i) reduction in forced outages for modification and repair;

(ii) reduction in unplanned maintenance;

(iii) reduction in accident risk.

2. DESIGN FOR SAFETY

When an operator is planning to build a potentially hazardous plant, his first and most important task is
to select a suitably qualified design organization. The designers should have experience on plants of
similar complexity and should observe engineering principles specifically intended to promote safety and
reliability (Wells et al., 1977).

Ideally, a plant should be designed to be inherently safe and to fail safe. Dangerous processes should be
avoided whenever possible. When the costs of alternative processes are being compared, the more
dangerous process should be suitably penalized if extra expenditure is required to achieve an adequate
degree of overall plant safety.

2.1 Plant design criteria

The plant design criteria are defined in or derived from the overall plant specification. They include
items which are relevant to safety such as extreme environmental conditions and possible external
hazards. Design criteria must be defined for natural phenomena such as storms, floods, and
earthquakes; and for hazards such as aircraft crashes, accidents involving service vehicles or
neighbouring plants, and sabotage.

Appropriate engineering standards are selected and a safety check list (Wells et al., 1977) may be
compiled for use in design. Safe limits must be assigned to all operating parameters. Safety criteria
define the limits of acceptability of accident consequences (Section 4.1) and a plant availability target
may be set (Wood, 1973). Corresponding reliability targets are derived for process, service, protection,
and safety systems.

1. Function
2. Criteria
3. Concept
4. Design
5. Performance
6. Safety
7. Reliability
8. Installation
9. Inspection
10. Test
11. Operation
12. Maintenance
13. Interface requirements
14. Equipment list
15. Drawing and diagram list
16. References

Figure 13.4 System description

2.2 System design

Plant design and documentation are conveniently organized on a systems basis. System descriptions
(Figure 13.4) are key documents which provide the basis for design control and for other engineering
documentation. Subjects included in the system descriptions which are relevant to safety are discussed
in later sections of this paper.

The required contributions to overall plant performance from the individual systems are determined
and listed in Section 2 of the system descriptions. These consist of performance requirements and
environmental conditions for all the expected steady-state, transient, and fault conditions of the plant.

In designing a process system, the first step is to prepare a flow diagram. This shows the flow of
materials through the system and the processes to which they are subjected. The next step is to develop
a process diagram which shows the process equipment required with appropriate piping connections.
Calculations are then made to size the equipment and piping for the specified performance.

Special safety systems are provided to limit the consequences of potential accidents. These always
include a fire protection system. Arrangements may also be made to operate process and service
systems in emergency modes to deal with accident conditions. Defence-in-depth is achieved by
employing diverse and redundant protection and safety systems. Vital systems are defined as those
systems which are essential for the safe and reliable operation of the plant. These receive special
attention in design and in safety and reliability analysis.

2.3 Design methods

Design data and methods must be chosen so as to minimize the probability and magnitude of errors and
uncertainties. Whenever possible, proven data and methods, and national or international codes and
standards are used. Extra care must be taken in any extrapolation beyond previous experience. If new
data and correlations have to be developed from an experimental programme, the experiments must be
carefully specified and all reasonable steps taken to verify results and validate their application to
design.

It is good practice to check all calculations by approximate methods and to compare results with any
obtained previously from similar calculations. Important calculations should be repeated independently
using different methods if possible.

When new methods are introduced they must be subjected to a formal review procedure. If computer
programs are documented in accordance with the ANSI guidelines (ANSI, 1974), users can readily check
the range of application. The user is protected against inadvertent use of the program outside its range
of validity by internal program checks giving clearly understood error messages. Program files are
protected against unauthorized modification, and all modifications are carefully controlled, recorded,
and tested. The version number and date of last modification are printed with the results, and there is
clear identification of each version with an associated set of documentation. Benchmark runs are
performed for each new version, and program archives are maintained so that old versions can be
inspected and rerun if required.

2.4 Plant arrangement

Plants are normally designed to allow inspection, test, and maintenance activities to be carried out on a
continuous basis without interrupting normal operation. Access is allowed for the inspection and
replacement of consumable and short-life items. Isolation, segregation, and structural protection are
employed to prevent failure propagation, as discussed below. Optimum arrangements of equipments,
piping, and controls can be selected with the help of plant models so that requirements for operating
and maintenance personnel to occupy hazardous areas are minimized.

2.5 Failure modes and effects

Plant failure may be initiated by the natural phenomena or hazards mentioned previously or by:

(i) loss of main services;

(ii) failure of any vital plant component, pipe, or cable;

(iii) ignition of flammable substances;

(iv) excessive deviation from normal operating conditions;

(v) maloperation.

2.6 Instrumentation and control

The system design engineers specify acceptable limits on operating parameters which are consistent
with the plant design criteria, for all anticipated plant conditions. Instrumentation is designed to
enable the operators to monitor the plant condition and make the correct decisions. Automatic control
and protection are employed as necessary to keep the operating parameters within their specified limits
under normal and fault conditions.

Instrument signals are used for the following purposes: indication, continuously or on demand;
recording, continuously or intermittently; control; alarm; protection; and computer input. A single sensor
may provide the signal for several purposes, if adequate isolation can be arranged to prevent interacting
faults; or several separate sensors may be used to monitor an important parameter, using diverse
physical principles if possible. It is preferable, and sometimes mandatory, to have independent systems
for control and protection.

3 ORGANIZATION AND CONTROL OF DESIGN

Figure 13.5 shows a design engineering organization consisting of three groups. The design group is the
largest, responsible for producing engineering contract documents such as equipment specifications and
construction drawings. The project engineering group plans and coordinates engineering activities and
produces system descriptions and commissioning, operating, and maintenance procedures. The systems
analysis group provides design support including reliability and safety assessments, as described later.

Design control is the quality control of design. It is achieved by the preparation and implementation of
appropriate written procedures for design and design control. Formal design control should be
employed in original design and also for plant modifications or extensions.

Quality control of manufacture is usually performed by personnel who are not directly responsible for
production. Similar independence is achieved in design by employing a separate project engineering
group. The project engineers supervise interface, change, and document control and project design
review.

3.1 Design review

Design reviews are critical examinations to ensure that design documents such as drawings, calculations,
analyses, specifications, and reports are correct. Work

1. Are design criteria fully specified and satisfied for

(a) Performance?

(b) Environmental conditions?

2. Are conceptual design and optimization studies complete?

3. Are development and proving tests complete?

4. Have all design calculations been completed, verified, and filed?

5. Have all drawings been completed, checked, and filed?

6. Have specifications for equipments and components been completed and approved?

7. Has material selection been completed and checked?

8. Have the following design aspects been checked and approved?

(a) Operation

(b) Reliability

(c) Safety

(d) Installation

(e) Inspection and test

(f) Maintenance

9. Have the following interfaces been checked and approved?

(a) Mechanical services

(b) Electrical services

(c) Instrumentation

(d) Structural support

(e) Layout coordination

10. Have acceptance criteria been defined for

(a) Inspection?

(b) Test?

3.2 Interface control

Formal control of interfaces between systems, disciplines, and contracts is required. System design and
interface control are facilitated by the definition of systems on a disciplinary basis.

System design must be compatible with the supplies and demands of interfacing systems. Section 13 of
the system description (Figure 13.4) lists interface requirements. These are satisfied in the designs of the
interfacing systems, detailed in drawings, specifications, and other documents. For major interfaces,
special interface drawings can be used to define the structural, fluid, electrical, and instrument
interfaces. Design reviews include checks that new data and requirements can be accommodated in
an overall plant design which remains fully compatible. New design and changes to existing design must
be consistent with the design already approved and reported. If proposed design changes affect
conditions at system interfaces, the total consequences are evaluated, including the effects on cost,
programme, safety, and reliability, before the changes are accepted.

3.3 Change control

Design changes become necessary when the plant owner modifies his specification, and as difficulties
are encountered or errors revealed in design, manufacture, and construction. As soon as the first
approved design documents are released, a formal change control system is introduced. The object of
change control is to ensure that the total consequences of a proposed change in design or procedure
are evaluated, particularly the interface effects, before the change is authorized.

The individual who discovers a deviation from accepted engineering practice or approved design at any
stage of a project reports his finding within his own organization. A deviation report is prepared with
proposals for corrective action. The engineers responsible for change control assess the consequences
of the deviation; if these are acceptable a concession note is granted, but if plant changes are
required a rectification order is issued. If the deviation is due to faulty manufacture or construction, the
rectification order calls for the necessary replacement or rework; but if the cause is more fundamental,
formal design changes are included. Design changes are amendments to existing documents which will
be incorporated in future revisions. When the need for a design change is recognized but time is
required to develop a satisfactory solution, a hold notice may be issued to stop work in affected areas.

3.4 Document control

A document control system is required to ensure that all documents are clearly identified and
distributed to known locations; that new documents and revisions are processed and distributed
efficiently; that the use of preliminary documents is suitably restricted; and that obsolete and
superseded documents are promptly removed from work areas. The status of all preliminary design
documents must be clearly stamped in bold letters to ensure that they will not be used for unauthorized
purposes. From the moment that a document achieves official status and is approved for project release,
it is subject to a strict control procedure. Approved original documents are stored in secure files,
protected against fire and other hazards. They are only removed from the files for revision or copying
under controlled conditions. An approved distribution list is drawn up for each document and only the
necessary number of copies is made. Recipients are required to sign a receipt and return it to the
document control office. This office keeps records of all revisions and ensures that superseded
documents are withdrawn or destroyed.

4 SAFETY ASSESSMENT

Activities specifically associated with safety are described below. Sophisticated computer methods have
been developed for accident and risk analysis. When unacceptable results are obtained, design
improvements must be made to alleviate the predicted condition.

4.1 Safety criteria

Plant failure may be initiated by any of the events listed in Sections 2.1 and 2.5. Appropriate measures are
taken to minimize the probability of failure, but when failures do occur the consequences may present
hazards to the plant operators and the general public through fire, explosion, exposure to harmful
substances or radiation, missiles generated by disintegration of rotating equipment, or other structural
failures. These hazards are identified by the process and plant design engineers; a limit of acceptability is
assigned to each hazard and the plant designed accordingly. The acceptability of a particular accident is
expressed as the maximum tolerable frequency of occurrence, 10^-n per year, or equivalently the minimum
interval between occurrences, 10^n years.

4.2 Faults and accidents

When all practical steps have been taken to eliminate failure modes and restrict failure propagation, the
remaining modes are further examined. A fault is defined as the failure of any plant component to
perform its specified duty. Systems are designed to fail safe, and automatic protection is provided to
prevent damage to interfacing systems. Fault analysis is performed to verify that operating parameters
remain within safe limits for all predicted fault conditions. Visible and audible alarms are used to warn of
fault conditions. If the plant has an on-line computer, the origin and nature of the fault may be
determined automatically and printed out.

4.3 Accident risks

An accident risk is defined as the probability of an accident occurring with specified consequences. In
hazardous industrial plants, we are particularly concerned with accident risks of low probability but with
potentially serious consequences. It is convenient to express a risk as the frequency at which an event is
expected to occur.

4.4 Safety reports

Information specifically related to safety should be assembled into a plant safety report to facilitate
safety assessment. If the plant requires an operating licence from the public authorities, a safety report
will be an essential part of the licence application. Preliminary safety reports provide vital evidence for
project decision-making at the planning stage and at other periods during design and construction
(Gibson, 1976). The scope of a safety report will vary according to its purpose, but it is likely to contain
sections on design criteria including environmental data and operating limits, safety philosophy and
criteria, and fault, accident, and risk analysis.

5 RELIABILITY

Qualitative failure studies are carried out during the early stages of design (Section 2.5), but these are
superseded by quantitative reliability assessments. Reliability targets are set for process, service,
protection, and safety systems so as to achieve the specified plant availability (Long and Cleveland, 1978)
and limit accident risks to an acceptable level. The engineering methods described in this paper
contribute to operating reliability as well as safety.

5.1 Data and analysis

Reliability technology (Kapur and Lamberson, 1977; Green and Bourne, 1977) has now become an
integral part of system design. Several organizations in Europe and the US collect and analyse data from
component endurance tests and plant-operating experience (Ablitt et al., 1973; Lapides, 1976). The
quality of plant-operating data is often unsatisfactory, but improved methods of collection are being
developed. In the US, electric utilities provide details of safety-related failures in nuclear power plants
for analysis by the Nuclear Plant Reliability Data System (NPRDS); this is probably the source of the best
failure data for high-quality mechanical components available at present.

When failure data are collected from a variety of sources, they will be widely distributed due to both
random and systematic effects. Important systematic factors are component design margins in
particular applications, planned maintenance (Section 8.1), and quality assurance (Section 6).

5.2 Redundancy and complexity

When a fault results in the loss of a vital system, the plant must be shut down as safely as possible. If the
design is such that the fault only causes a reduction in system performance, operating flexibility and
safety are improved. The number of faults necessitating a plant shutdown or presenting a major risk to
security can be reduced by replacing vital systems, sub-systems, or components by half-capacity or
third-capacity sub-units. If redundant sub-units are added, the plant can continue to operate safely at
full output after failure of a sub-unit. When there is a danger that similar systems or sub-systems may
be subject to common mode failure, security can be increased by employing diversity. Systems
performing a similar function are then designed on the basis of diverse physical principles. Simplicity in
design leads to inherent reliability, and redundancy does introduce a new unreliability factor, since the
number of components, interconnections, and interfaces is increased. Redundancy should therefore be
provided at the lowest effective functional level to minimize the added complexity. The degree of
redundancy for the required reliability can then be determined.
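The trade-off just described, as an added worked example that is not part of the chapter: a vital system is split into k capacity sub-units (k = 2 for half-capacity units), r redundant sub-units are added, and a beta-factor share of each unit's failure probability is treated as common-mode, defeating all units together. The per-unit failure probability, the beta values, and the reliability targets are constructed sample values, not plant data; the beta-factor model is a standard approximation assumed here, not one the chapter names.

```python
"""Degree of redundancy versus common-mode failure for a vital plant system.

Constructed example. A system needs k of its n identical sub-units running
for full output. Independent unit failures are reduced by adding redundant
units; common-mode failures (fraction beta of each unit's failure
probability, beta-factor model) are not, and set a floor that only
diversity can lower.
"""
from math import comb, exp


def unit_failure_prob(failure_rate_per_year: float, mission_years: float) -> float:
    """Probability that one sub-unit fails during the mission (constant rate)."""
    return 1.0 - exp(-failure_rate_per_year * mission_years)


def k_of_n_failure_prob(k: int, n: int, q: float) -> float:
    """Probability that fewer than k of n independent sub-units survive,
    each unit failing with probability q."""
    p = 1.0 - q
    # The system fails when the number of surviving units s is below k.
    return sum(comb(n, s) * p**s * q**(n - s) for s in range(0, k))


def system_failure_prob(k: int, n: int, q_total: float, beta: float) -> float:
    """Beta-factor model: share beta of q_total is common-mode and fails
    every unit at once; the rest is independent per unit."""
    q_cm = beta * q_total
    q_ind = (1.0 - beta) * q_total
    p_ind_fail = k_of_n_failure_prob(k, n, q_ind)
    # Fail if the common-mode event occurs, or if independent failures
    # leave fewer than k survivors.
    return 1.0 - (1.0 - q_cm) * (1.0 - p_ind_fail)


def minimum_redundant_units(k: int, q_total: float, beta: float,
                            target: float, max_redundant: int = 10):
    """Smallest number of redundant units r (n = k + r) whose system failure
    probability meets the target, or None when the common-mode floor
    (beta * q_total) already exceeds the target so no redundancy suffices."""
    if beta * q_total >= target:
        return None
    for r in range(0, max_redundant + 1):
        if system_failure_prob(k, k + r, q_total, beta) <= target:
            return r
    return None


if __name__ == "__main__":
    # Constructed values: half-capacity units (k = 2), 0.1 failures/year,
    # one-year mission, 10 % of failures common-mode.
    q = unit_failure_prob(0.1, 1.0)
    print(f"unit failure probability over mission: {q:.4f}")
    print(" n  independent  with beta=0.1")
    for n in range(2, 6):
        print(f"{n:2d}  {system_failure_prob(2, n, q, 0.0):.5f}"
              f"      {system_failure_prob(2, n, q, 0.1):.5f}")
    for target in (0.02, 0.005):
        r = minimum_redundant_units(2, q, 0.1, target)
        print(f"target {target}: redundant units needed = "
              f"{'none suffice; diversity required' if r is None else r}")
```

The table shows the independent-failure curve falling steeply with each added unit while the beta = 0.1 column flattens toward the common-mode floor, which is the chapter's case for diversity rather than more of the same.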

5.3 Human reliability

Human reliability is an important factor at all stages in a plant project. It is maximized by appropriate
selection and training of personnel. Quality assurance (Section 6) is employed to limit the number of
errors throughout a project. There may be many opportunities to correct an error in design,
manufacture, or construction, but in operation and maintenance errors can quickly lead to an
emergency situation.

6 QUALITY ASSURANCE

Formal quality assurance (QA) is a management system which employs appropriate engineering
methods to limit errors and uncertainties to an acceptable level. The safety and reliability of an
industrial plant are therefore improved by the application of formal QA (Wood, 1978). The relationship
between safety, availability, reliability, and quality

To be fully effective, QA must be comprehensive and cover all engineering activities including design,
procurement, manufacture, construction, commissioning, operation, and maintenance. Formal QA
responds to specified criteria or standards and is fully documented. It consists essentially of the
following steps, for all quality-related activities:

(i) preparation of written procedures;

(ii) verification that the procedures are properly implemented and effective;

(iii) production of records.

6.1 QA programmes

If a plant presents a potential hazard to the general public, the government may insist on a formal QA
programme as part of its safety regulations. Alternatively, the owner may decide voluntarily to apply a
QA programme. He then includes this requirement in his enquiry specification for the prime contract.
Structures, systems, and components in which quality is vital to safety or availability are identified in the
reliability analysis as Q-items for inclusion in the plant QA programme. The scope of a comprehensive
QA programme is described in a British Standard (BS, 1980). Although this standard has been prepared
for nuclear power plants, it could be used as a guide for any complex industrial plant which is potentially
hazardous.

6.2 Quality system appraisal and audit

One of the most important functions of QA is its contribution to the selection of suitably qualified
contractors and suppliers. A standard procedure may be used for the appraisal of a potential
contractor's quality system. The appraisal usually consists of a review of the contractor's quality manual
followed by a visit to his premises to check the degree of compliance with the manual. An appraisal is
necessary if a contractor has not performed similar work for his client, or been successfully appraised,
within the previous few months.

6.3 QA organization

A plant contractor working to formal QA programmes should have a QA department which is separate
from his engineering and construction departments, but may also employ designated quality engineers
in these departments. Functions of the central QA department are as follows:

(i) to prepare and maintain the company quality manual;

(ii) to prepare and supervise project QA programmes;

(iii) to appraise and audit suppliers and sub-contractors;

(iv) to audit engineering and construction department activities.

7 SAFETY IN OPERATION

It was emphasized at the beginning of Section 2 that the designer of a potentially hazardous plant must
be suitably qualified. This requirement applies even more strongly to the operator, who should have
extensive experience in the running of complex and hazardous plants. A suitably experienced operator
will be able to assemble a team of proven competence to operate his plant and will also have the
necessary breadth of technical support within his organization.

The plant designers should continue to play an important role throughout commissioning and in early
operation, because of their detailed knowledge of the design and its interfaces. During this period the
formal change control is transferred from the designers' to the operators' organization.

7.1 Plant completion and takeover

The owner's takeover procedure is described in his prime contract. He may decide to take the plant over
piecemeal or system by system, or as a complete plant at the end of commissioning. At takeover,
control of the plant passes from the contractor to the owner. Steps in plant completion and takeover are
illustrated

7.2 Plant document library

The plant owner begins to assemble a document library at the start of a project. At plant takeover, the
library contains the most important design, procurement, construction, and commissioning documents.
These form a link between designers and operators and provide an information base for subsequent
activities throughout the life of the plant. By careful reference to comprehensive project
documentation, necessary plant changes can be made after the design team has been dispersed without
infringing design criteria or introducing harmful interface effects. Operating and maintenance records
are added to the library as they are produced.

7.3 Operating procedures and instructions

When the owner takes over his plant from the prime contractor for the start of commercial operation,
he expects that each plant item is working within its design limits. The object of the operating and
maintenance procedures is to preserve this condition throughout the life of the plant.

7.4 Emergency operation

The plant designers also prepare emergency procedures for all faults and accidents which are
considered possible. Objects of the procedures are:

(i) rapid detection and diagnosis of the accident condition;

(ii) warning to plant operators and emergency organizations of the accident condition;

(iii) adjustment of plant controls to limit the consequences of the accident;

(iv) use of safety systems to bring the accident under control.

7.5 Plant monitoring

Important operating parameters are continuously displayed in the central control room. Other operating
conditions are displayed periodically or on operator demand. Control room personnel check conditions
and adjust controls according to their operating instructions. Other operators make checks and
adjustments at local control stations, with suitable communication to the central control room.

8 MAINTENANCE AND AUDIT

The safety and availability of an operating plant are highly dependent on the maintenance programme.
Economic optimization of the maintenance programme is achieved when the total operating cost per
unit of output is a minimum and incremental expenditure on maintenance is just balanced by the value
of increased production. But in a potentially hazardous plant it may be necessary to improve the
reliability of safety-related systems beyond the economically desirable level. This requires the overhaul
or replacement of vital equipments before their failure probabilities begin to rise due to wear-out.

8.1 Maintenance procedures

Maintenance procedures are prepared by the plant designers, based on suppliers' recommendations,
available failure data, and system reliability analyses. For each system, optimum intervals are
determined for inspection, testing, servicing, overhaul, and replacement (Jorgenson et al., 1967;
Jardine, 1973). Spares inventories are compiled, and reordering information is assembled to ensure that
replacements will be of the required quality.

8.2 Repair and modification

Whenever a breakdown occurs or incipient failure is suspected, an investigation into the cause is carried
out. If necessary, and particularly during early operation, the operators will seek assistance from the
plant designer and equipment suppliers.

The main object of an investigation into an equipment failure is to classify the failure as due to a
deficiency in one or more of the following areas: specification, design, manufacture, installation,
inspection and test, maintenance, interfacing, and operation. It must also be determined whether
interfacing equipment has been damaged by the failure.

8.3 Technical audit

An operating plant which is potentially hazardous should be subjected to comprehensive technical
audit at intervals of about five years. This is already a UK regulatory requirement for offshore
installations (UKSI, 1974). The object of the audit is to identify deficiencies in the plant condition and to
propose improvements which will increase safety and availability. A plant improvement programme
should then be initiated, which usually includes both modifications to hardware and changes to
operating and administrative procedures. The Chemical Industries Association has published a
comprehensive guide to safety audits for chemical plants (CISHC, 1975). The following discussion is based
on the work of Harding and Wood (1977).

The condition and operation of the plant must be judged against specified criteria. Basic audit criteria
are: approved plant documentation, good industry practice, and design and safety criteria for new
plants. The plant documentation, Figure 13.13, provides the main basis for the audit. Formal change
control is

9 CONCLUSIONS

Inherent plant safety can be maximized by following appropriate principles and methods in design,
construction, and operation. These methods include the application of formal quality assurance at all
stages of a project. Data and techniques are now available for quantifying accident risks in probabilistic
terms, and for optimizing the reliability of vital plant systems. Expenditure on engineering methods and
redundant safety-related equipments can be justified on economic grounds, but additional safeguards
may be required to satisfy statutory regulations.
