IRISK: DEVELOPMENT OF AN INTEGRATED TECHNICAL AND MANAGEMENT RISK METHODOLOGY FOR CHEMICAL INSTALLATIONS
O. N. Aneziris
27 May 2004, SLOVAKIA, PRISM SEMINAR
DEVELOPMENT OF AN INTEGRATED TECHNICAL AND MANAGEMENT RISK CONTROL AND MONITORING METHODOLOGY FOR MANAGING AND QUANTIFYING ON-SITE AND OFF-SITE RISKS
EC Contract No: ENVA-CT96-0243 (I-RISK)
• Ministry of Social Affairs and Employment (SZW), The Netherlands (Coordinator)
• Four Elements Ltd, UK (Secretariat)
• Health and Safety Executive, UK
• Ministry of Environment (VROM), The Netherlands
• NCSR Demokritos, Greece
• National Institute for Health and Environment (RIVM), The Netherlands
• Norsk Hydro, Norway
• Safety Science Group, Delft University of Technology, The Netherlands
• SAVE Consulting Scientists, The Netherlands
OUTLINE
• Introduction
• Technical model
• Management model
• Modification of Loss Of Containment frequency, according to the Safety Management System
• Case studies
I-RISK
[Figure: overview of I-RISK. The MANAGEMENT MODEL supplies the PARAMETERS (λ, μ, T, fM, TM, QM1) used by the TECHNICAL MODEL.]
[Figure: steps of the technical model: HAZARD IDENTIFICATION, MODELLING OF ACCIDENTS, ACCIDENT SEQUENCES, PLANT DAMAGE STATES, CONSEQUENCE ASSESSMENT, FREQUENCY ESTIMATION, RISK INTEGRATION]
TECHNICAL MODEL
• MASTER LOGIC DIAGRAM
• EVENT TREE - FAULT TREE ANALYSIS
• CONSEQUENCE ANALYSIS
• RISK INTEGRATION
MASTER LOGIC DIAGRAM (MLD)
• MLD FORMS THE BASIS OF THE TECHNICAL MODEL
• MLD IS NOT A FAULT TREE
• MLD PROVIDES THE STARTING POINT FOR DEVELOPING PLANT-SPECIFIC MODELS
• MLD IDENTIFIES INITIATING EVENTS
MASTER LOGIC DIAGRAM FOR LOSS OF CONTAINMENT
[Figure: Master Logic Diagram with LOSS OF CONTAINMENT as the top event. Nodes shown: STRUCTURAL FAILURE, LOSS OF BOUNDARY, CONTAINMENT BYPASS, CONTAINMENT OPENED, CONTAINMENT OPENS, OVERPRESSURE, UNDERPRESSURE, CORROSION, EROSION, VIBRATION, HIGH TEMPERATURE, LOW TEMPERATURE, EXTERNAL LOADING, INTERNAL PRESSURE INCREASE, EXTRA LOADS, ROLL OVER, NATURAL PHENOMENA, SUPPORTS FAIL, PRESSURE SHOCK IN HOSE, EXCESS TEMPERATURE, LOW LEVEL, EXCESS HEAT, HIGH WINDS, SNOW/ICE, COOLING MALFUNCTION, DIRECT PRESSURE INCREASE FROM GAS, OVERFILLING, SEISMIC, FLOODING, INTERNAL, EXTERNAL, CHEMICAL, INCOMPATIBLE MATERIAL, RUNAWAY REACTION, COMBUSTION]
EVENT TREE - FAULT TREE EVENTS
• A) INITIATING EVENTS (fi, λ, fHi)
• B) COMPONENT - BASIC EVENTS
  • PERIODICALLY TESTED STANDBY COMPONENT
  • NONTESTED
  • REPAIRABLE ON LINE COMPONENT
  • NON REPAIRABLE
• C) HUMAN ACTIONS
AVERAGE UNAVAILABILITY FOR DIFFERENT TYPES OF COMPONENTS
PERIODICALLY TESTED COMPONENTS
i) Unavailability owing to hardware failure between tests
  λ: failure rate
  T: mean time between tests
ii) Unavailability owing to repair of detected failures
  λ: failure rate
  TR: duration of the repair
  T: mean time between tests
iii) Unavailability owing to routine maintenance
  fM: frequency of maintenance
  TM: duration of the maintenance
iv) Unavailability owing to maintenance errors
  QM1: prob. of committing an error
  QM2: prob. of not detecting an error
PARAMETERS OF TECHNICAL MODEL
• fi: FREQUENCY OF INITIATING EVENTS
• λs: FAILURE RATE IN STANDBY MODE
• T: PERIOD OF TESTING
• TR: DURATION OF REPAIR
• QM1: ERROR IN TEST AND REPAIR
• QM2: FAILURE TO DETECT PREVIOUS ERROR
• fM: FREQUENCY OF ROUTINE MAINTENANCE
• TM: DURATION (MEAN) OF ROUTINE MAINTENANCE
• λO: FAILURE RATE OF ON-LINE COMPONENTS
• μ: REPAIR RATE OF ON-LINE COMPONENT
• QO1: PROBABILITY OF NOT PERFORMING ACTION
• QO2: PROB. OF NOT DETECTING/RECOVERING ERROR
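The expressions behind the four unavailability contributions on the previous slide did not survive extraction; only the parameter definitions are on the page. The block below is an added example, not code from the I-RISK project, that computes the average unavailability of a periodically tested standby component and of an on-line repairable component from the parameters listed above. The formulas are the textbook ones and are an assumption about what the slide showed: λT/2 for failures between tests (with the exact averaged form as an option), λ·TR for repair downtime, fM·TM for routine maintenance, QM1·QM2 for a maintenance error that is committed and not detected, and λO/(λO+μ) for the on-line component. All numerical values are constructed.

```python
"""Average unavailability of the component types on the I-RISK slides.

Added example with constructed numbers, not the I-RISK project's code. The
textbook forms of the contributions are ASSUMED (the slide's own expressions
did not survive extraction).
"""
from math import exp


def q_between_tests(lam, T, exact=False):
    """Unavailability from hardware failure between tests.

    Average of 1 - exp(-lam*t) over one test interval T (exact form), or the
    first-order approximation lam*T/2, which is valid when lam*T << 1.
    """
    if exact:
        return 1.0 - (1.0 - exp(-lam * T)) / (lam * T)
    return lam * T / 2.0


def q_repair(lam, T, TR):
    """Unavailability while detected failures are under repair.

    About lam*T failures are revealed per test interval, each removing the
    component for TR, so the fraction of time under repair is lam*T*TR/T.
    """
    return lam * T * TR / T


def q_routine_maintenance(fM, TM):
    """Unavailability from scheduled maintenance: frequency times duration."""
    return fM * TM


def q_maintenance_error(QM1, QM2):
    """Component left unavailable by a test/maintenance error that is
    committed (QM1) and then not detected (QM2); ASSUMED product form."""
    return QM1 * QM2


def periodically_tested(lam, T, TR, fM, TM, QM1, QM2):
    """Total average unavailability of a periodically tested standby
    component, returned with its four contributions (for importance ranking)."""
    parts = {
        "between tests": q_between_tests(lam, T),
        "repair": q_repair(lam, T, TR),
        "routine maintenance": q_routine_maintenance(fM, TM),
        "maintenance error": q_maintenance_error(QM1, QM2),
    }
    return sum(parts.values()), parts


def online_repairable(lam_o, mu):
    """Steady-state unavailability of an on-line repairable component with
    failure rate lam_o and repair rate mu (exponential repair, ASSUMED)."""
    return lam_o / (lam_o + mu)


if __name__ == "__main__":
    # Constructed values for a standby safety valve: rates per hour, times in hours,
    # test every 30 days, routine maintenance every 3 months.
    total, parts = periodically_tested(
        lam=1e-4, T=720.0, TR=8.0, fM=1.0 / 2190.0, TM=24.0, QM1=0.01, QM2=0.1)
    for name, q in parts.items():
        print(f"{name:<20} {q:.4e}  ({100 * q / total:.1f}% of total)")
    print(f"{'total':<20} {total:.4e}")
    print(f"exact between-tests term: {q_between_tests(1e-4, 720.0, exact=True):.4e}")
    # Constructed values for an on-line pump with an 8 h mean time to repair.
    print(f"{'on-line repairable':<20} {online_repairable(1e-4, 1.0 / 8.0):.4e}")
```

Returning the contributions separately, rather than only the sum, is what makes the later management-model step usable: the management model modifies T, TR, fM, TM and QM1 individually, so one can see which contribution each delivery system moves.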
FREQUENCY OF LOSS OF CONTAINMENT
$f_{LOC} = g(b)$, $b = u(q)$
b: vector of basic events
q: vector of technical parameters
MODIFICATION OF THE FREQUENCY OF LOC ACCORDING TO THE SMS
[Figure: ln f plotted against the modification factor m, from ln fl at m = 0 to ln fu at m = 10]
$\ln f_j = \ln f_l + (\ln f_u - \ln f_l)\, m_j / 10$
fj: modified value of the jth technical parameter
fl: lower value of each parameter, for the installation with the poorest SMS in the industry
fu: upper value of each parameter, for the installation with the best SMS in the industry
mj: modification factor of the jth technical parameter
MANAGEMENT MODEL
• “Major hazard” safety management
  • systematic control and monitoring of the possible failure events (as modelled in the Technical Model) leading to Loss Of Containment of hazardous substances
• Integrated management system model
  • major hazard management is usually part of an integrated SHE system
• Management system model structure
  • Control and Monitoring (feedback and learning) cycles
  • 8 management subsystems: “Delivery systems”
    • delivering criteria and resources for control of major hazards
• Primary business processes considered:
  • Operations; Inspection, Testing and Maintenance; Emergencies
OVERALL STRUCTURE OF MANAGEMENT MODEL
[Figure: POLICY, ORGANISATION AND STRUCTURE at the top, linked by a FEEDBACK & LEARNING LOOP (management review) to the MAJOR HAZARD RISK CONTROL & MONITORING SYSTEM (RCMS). Below it the PRIMARY BUSINESS ACTIVITIES: DESIGN/MODIFICATION, INSPECTION/TEST (including maintenance concept), MAINTENANCE, OPERATIONS (including emergency), each with its own FEEDBACK & LEARNING LOOP and 8 Delivery Systems per primary business function. The ACTIVITIES & TASKS of these functions are the Outputs to the Technical Model.]
DELIVERY SYSTEMS
• Availability of personnel
• Commitment and motivation to carry out the work safely
• Internal communication and coordination of people
• Competence of personnel
• Resolution of conflicting pressures antagonistic to safety
• Plant Interface
• Plans and procedures
• Delivery of correct spares for repairs
DELIVERY SYSTEMS - Personnel
Competence: the knowledge, skills and abilities in the form of first-line and/or back-up personnel who have been selected and trained for the safe execution of the critical primary business functions and activities in the organisation. This system covers the selection and training function of the company, which delivers competent staff for overall manpower planning.
Availability: allocating the necessary time (or numbers) of competent people to the safety-critical primary business tasks which have to be carried out. This factor emphasises time-criticality, i.e. people available at the moment (or within the time frame) when the tasks should be carried out. This delivery system singles out the manpower planning aspects, which can include the planning of work of contractors during major shutdowns and the availability of staff for repair work on critical equipment outside normal work hours, including coverage for absence and holidays.
Commitment: the incentives and motivation which personnel have to carry out their tasks and activities with suitable care and alertness, and according to the appropriate safety criteria and procedures specified for the activities by the organisation. This delivery system is fairly closely related to the conflict resolution system, in that it deals with the incentives of individuals carrying out the primary business activities not to choose other criteria above safety, such as ease of working, time saving, social approval, etc. Organisational aspects of conflicts are dealt with there, and more personal aspects, such as violation of procedures, here.
DELIVERY SYSTEMS - Hardware
Interface: the ergonomics of all aspects of the plant which are used/operated by operations, inspection or maintenance. This covers design and layout of control rooms and manually operated equipment, location and design of inspection and test facilities, the maintenance-friendliness of equipment and the ergonomics of the tools used to maintain it. This delivery system covers both the appropriateness of the interface for the activity and the user-friendliness needed to carry out the activities.
Spares: the equipment and spares which are installed during maintenance. This delivery system covers both the correctness of the spares for their use (like with like) and the availability of spares when and where needed to carry out the activities.
DELIVERY SYSTEMS - Organizational
Internal communication and coordination: internal communications are communications which occur implicitly or explicitly within any primary business activity, i.e. within one task or activity linking to a parameter of the technical model, in order to ensure that the tasks are coordinated and carried out according to the relevant criteria.
Conflict resolution: the mechanisms (such as supervision, monitoring, procedures, learning, group discussion) by which potential and actual conflicts between safety and other criteria (such as productivity) in the allocation and use of personnel, hardware and other resources are recognised, avoided or resolved if they occur. This delivery system is closely related to the one concerned with commitment, which covers the issues of violations within tasks at an individual level. The conflict resolution system covers the organisational mechanisms for resolving conflicts across tasks, between people at operational level and at management level.
Procedures, output goals and plans: rules and procedures are specific performance criteria which specify in detail, usually in written form, a formalised “normative” behaviour or method for carrying out an activity (checklist, task list, action steps, plan, instruction manual, fault-finding heuristic, form to be completed, etc.). Output goals are performance measures for an activity which specify what the result of the activity should be, but not how the results should be achieved. They are objectives, goals or outputs (e.g. accident/incident targets or trends, exposure or risk levels, ALARA, “safe”, numbers of activities carried out, etc.). It is also convenient to regard definitions and criteria for choosing one course of action over another as output criteria. Plans refer to explicit planning of activities in time, either how frequently tasks should be done, or when and by whom they will be done within a particular time period (month, shutdown period, etc.). They include the maintenance regime, maintenance scheduling (including shutdown planning) and testing and inspection activities, which need to link to the parameters of maintenance frequency, test interval and time for maintenance and repair.
MANAGEMENT TASKS
• Deliver the appropriate control or resource to the appropriate primary business activity at the appropriate time
• Learn and improve on that delivery process over time
These tasks are modelled as processes (boxes) linked by inputs, outputs and influences (arrows) in loops.
Management tasks
• Overall management & organization (1)
• Company Risk Control & Monitoring System (RCMS) (2)
• Evaluate and propose changes in RCMS (12)
• Company system for managing and monitoring delivery system (3)
• Control system (use delivery system to control tasks) (4)
• Evaluate and propose changing delivery system (10)
• Record and analyze performance of delivery system (9)
• Evaluate and propose changing use of the delivery system (11)
• Correct on-line performance (8)
MANAGEMENT TASKS MODEL
[Figure: the management tasks model, shown on three slides with the same layout. Quality of management is evaluated by AUDIT.]
SYSTEM CLIMATE WITHIN WHICH THE SITE OPERATES
INTEGRATED (PROBABLY) MANAGEMENT SYSTEM, COMMON TO ALL LOOPS / DELIVERY SYSTEMS:
• 1 Overall management & organisation policy/system + adapt to system climate
• 12 Evaluate & propose changing overall management &/or RCMS system/policy
• 2 Company Risk Control and Monitoring System: analyse risks + design the control and monitoring system + adapt to system climate
• 3 Company system for managing and monitoring delivery system + adapt to system climate
MANAGEMENT SUB-SYSTEMS for each DELIVERY SYSTEM (Monitoring system and Control system):
• 4 Use delivery system to control tasks
• 8 Correct on line performance of tasks at the workface
• 9 Record and analyse performance, deviations, incidents etc.
• 10 Evaluate and propose changing the way the delivery system is used
• 11 Evaluate & propose changing delivery system
• Performance (8 delivery systems x number of common mode management subsystems)
• Data collected from equipment, tasks, and other sources (not delivery specific)
INTERFACE & TECHNICAL MODEL:
• Technical model parameters from Base Events table
• 7 Weighted delivery system x parameters matrix
• 6 Calibration models for converting performance score to failure data
• Modified value of task performance per base event per parameter, giving the modified values of base event parameters
KEY:
• An INPUT to a Process is the OUTPUT of a previous one (output from one box becomes input for processing by the next); OUTPUT from Process 12 becomes INPUT for Process 1.
• INFLUENCES from one Process can change the processing quality of another. This change takes time: TIME MODEL.
• Data collected from equipment, tasks, and other sources.
• The current QUALITY of each MANAGEMENT PROCESS is assessed in an AUDIT on a 0-10 scale: audit the ‘boxes’, assessing process quality for each of the 8 Delivery Systems.
• The quality on a 0-10 scale of the 8 Delivery System outputs is the result of applying the CALCULATION MODEL. For example, the quality of “Procedures” is a function of the audited quality of 8 (AUDIT), the calculated quality of the input from 4, and the weightings of their relative effects on output quality.
Audit Objectives
• Integrated assessment
• Major hazards as focus for articulation of management system
• Modification at technical parameter
• Sensitivity analysis for significant corrosion factors in management system
• Use a microcosm to study the whole major hazard management system
Audit Procedure
• Preparation:
  • Construct technical model: completeness of scenarios
  • Group basic & initiating events into clusters with same management
  • Link initiating events to management system: expert judgement
  • Map company SMS onto I-RISK model: who to interview / tailoring
• Conduct:
  • Auditor expertise: process + management + benchmarking of industry
  • Focus on scenarios
  • Prompt lists and recording forms
  • Verification across interviews and with checks in practice
Audit Evaluation
• Assessment per box: scale of 1-10 compared to industry average (anchoring, baseline)
• Interrater reliability: refinery, av. 0.74, range 0.1-0.8; ammonia, av. 0.73, range 0.49-0.96
• Discussion or blind re-rating: av. 0.85
• Relative weighting of delivery systems per task/parameter
MODELING OF THE SAFETY MANAGEMENT SYSTEM
$y_i = f_i(x_i, y_1, \ldots, y_j, \ldots, y_I)$
yi: output of box i
fi: function of box i
xi: state of box i
yj (j ≠ i): input of box i
$y_i = k_{ii} x_i + (1 - k_{ii}) \sum_j c_{ij} y_j$
$y = Kx + (I - K)Cy$
$y = [I - (I - K)C]^{-1} K x$
MODIFICATION OF THE FREQUENCY OF LOC ACCORDING TO THE SMS
$m_j = \sum_{i=1}^{8} y_{8i}\, w_{ij}$
mj: modification factor of the jth technical parameter
y8i: output of the ith delivery system (box 8)
wij: weighting factor assessing the relative importance of the ith management delivery system on the influence of the jth technical parameter
j: index running over the basic events of the kth group
DYNAMIC MODELING
$\dot{x} = Ax + By$ (1)
A = [aij]: influence of state of box j on rate of change of state of box i
B = [bij]: influence of output of box j on rate of change of state of box i
$y = [I - (I - K)C]^{-1} K x$ (2)
(1), (2): $\dot{x} = \left[A + B[I - (I - K)C]^{-1} K\right] x$
DYNAMIC MODELING
$\dot{x}_i = \left[\sum_j a_{ij} x_j + \sum_j b_{ij} y_j\right] f_i(x_i)$
fi(xi): state specific resistance
$\dot{x} = F(x) \left[A + B[I - (I - K)C]^{-1} K\right] x$
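The three slides MODELING OF THE SAFETY MANAGEMENT SYSTEM, MODIFICATION OF THE FREQUENCY OF LOC ACCORDING TO THE SMS (together with the ln fj interpolation slide) and DYNAMIC MODELING form one calculation chain: audited box states x give box outputs y, the box-8 outputs of the eight delivery systems give a modification factor mj per technical parameter, the factor moves the parameter between its industry endpoints, and the dynamic equations describe how the states drift as influences propagate. The block below carries that chain through on constructed data; it is an added example, not the I-RISK project's code. Everything not on the slides is an assumption: the loop of boxes 4, 8, 9, 10 used for each delivery system, the values k_ii = 0.5, the weights w_ij, the endpoints f_l and f_u for μ and fM, the audit scores, the matrices A and B, and the resistance function f_i(x_i). Only the slides' equations are used as written.

```python
"""I-RISK management-model equations worked on constructed data (added example,
not the project's code). Slide equations, with the slides' symbols:
  y = K x + (I-K) C y  =>  y = [I - (I-K)C]^-1 K x
  m_j = sum_i y8_i w_ij
  ln f_j = ln f_l + (ln f_u - ln f_l) m_j / 10
  x'_i = f_i(x_i) (sum_j a_ij x_j + sum_j b_ij y_j)
Everything else below (loop shape, k_ii, weights, endpoints, A, B, f_i) is ASSUMED.
"""
from math import exp, log

# ASSUMED loop for one delivery system: boxes 4 -> 8 -> 9 -> 10 -> 4, each box
# taking as input the output of the box before it (c_ij = 1 for that box only).
BOXES = [4, 8, 9, 10]
C = [[0.0, 0.0, 0.0, 1.0],   # 4 "use delivery system to control tasks" <- 10
     [1.0, 0.0, 0.0, 0.0],   # 8 "correct on-line performance"          <- 4
     [0.0, 1.0, 0.0, 0.0],   # 9 "record and analyse performance"       <- 8
     [0.0, 0.0, 1.0, 0.0]]   # 10 "evaluate changing use of the system" <- 9
K_DIAG = [0.5, 0.5, 0.5, 0.5]   # ASSUMED k_ii: weight of a box's own state

DELIVERY_SYSTEMS = ["availability", "commitment", "communication", "competence",
                    "conflict resolution", "plant interface", "procedures", "spares"]
# ASSUMED weights w_ij (delivery system i -> parameter j); each column sums to 1.
W = {"mu": [0.25, 0.05, 0.10, 0.25, 0.05, 0.10, 0.10, 0.10],   # repair rate, on-line
     "fM": [0.20, 0.10, 0.10, 0.10, 0.20, 0.00, 0.30, 0.00]}   # routine maintenance freq.
# ASSUMED industry endpoints: f_l at m = 0 (poorest SMS), f_u at m = 10 (best SMS).
ENDPOINTS = {"mu": (0.05, 0.5),    # per hour
             "fM": (1.0, 12.0)}    # per year
# ASSUMED dynamics: a box's state decays on its own (A) and is pushed by the
# output of the box feeding it (B).
A = [[-0.1 if i == j else 0.0 for j in range(4)] for i in range(4)]
B = [[0.1 * c for c in row] for row in C]


def solve(a, b):
    """Solve a z = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        m[col] = [v / m[col][col] for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n] for row in m]


def sms_outputs(x, k=K_DIAG, c=C):
    """y = [I - (I-K)C]^-1 K x: output quality (0-10) of every box from the
    audited states x, solving (I - (I-K)C) y = K x with K diagonal."""
    n = len(x)
    a = [[(1.0 if i == j else 0.0) - (1.0 - k[i]) * c[i][j] for j in range(n)]
         for i in range(n)]
    return solve(a, [k[i] * x[i] for i in range(n)])


def box8_outputs(audits):
    """y8_i: output of box 8 of each delivery system i from its audited states."""
    return [sms_outputs(audits[ds])[BOXES.index(8)] for ds in DELIVERY_SYSTEMS]


def modification_factors(y8, w=W):
    """m_j = sum_i y8_i w_ij for every technical parameter j."""
    return {p: sum(yi * wi for yi, wi in zip(y8, col)) for p, col in w.items()}


def modified_parameter(f_l, f_u, m_j):
    """ln f_j = ln f_l + (ln f_u - ln f_l) m_j/10: log-linear interpolation
    between the poorest-SMS and best-SMS values in the industry."""
    return exp(log(f_l) + (log(f_u) - log(f_l)) * m_j / 10.0)


def resistance(x):
    """ASSUMED state-specific resistance f_i(x_i): change is slowest near the
    ends of the 0-10 scale and fastest in the middle."""
    return x * (10.0 - x) / 25.0


def dynamic_step(x, dt=1.0, a=A, b=B):
    """One Euler step of x'_i = f_i(x_i)(sum_j a_ij x_j + sum_j b_ij y_j), y = Hx."""
    y = sms_outputs(x)
    n = len(x)
    rates = [resistance(x[i]) * (sum(a[i][j] * x[j] for j in range(n))
                                 + sum(b[i][j] * y[j] for j in range(n)))
             for i in range(n)]
    return [xi + dt * r for xi, r in zip(x, rates)]


if __name__ == "__main__":
    # Constructed audit scores (0-10) for boxes 4, 8, 9, 10 of each delivery system.
    audits = {ds: [5.0, 5.0, 5.0, 5.0] for ds in DELIVERY_SYSTEMS}
    audits["availability"] = [8.0, 6.0, 4.0, 2.0]   # good control, weak evaluation
    audits["spares"] = [3.0, 3.0, 3.0, 3.0]
    m = modification_factors(box8_outputs(audits))
    for p, (f_l, f_u) in ENDPOINTS.items():
        print(f"{p}: m = {m[p]:.2f}, modified value = {modified_parameter(f_l, f_u, m[p]):.3g}")
    x = audits["availability"]
    for t in range(1, 4):   # the weak box 10 is pulled up by box 9's output over time
        x = dynamic_step(x)
        print(f"t={t}: states {[round(v, 2) for v in x]}")
```

Two checks worth keeping in mind when reusing this: the linear solve needs I - (I-K)C to be non-singular, which holds whenever every k_ii is positive and the rows of C sum to at most one, and the dynamic step is only a first-order Euler integration, so the time step must be small relative to the coefficients in A and B (the slides' TIME MODEL gives no step size, so 1.0 here is an assumption too).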
[Figure: event tree for LOSS OF REFRIGERATION (STORAGE), with FLARE and SAFETY VALVES as the safety-function headings and outcomes (1), (2), (3)]
8 EVENT TREES, 17 FAULT TREES, 128 BASIC EVENTS
IMPORTANCE ANALYSIS
$f_{LOC} = g(b)$, $b = u(q)$, $q = w(q^*)$, $q^* = M y_8 = M H x$
IMPORTANCE MEASURE:
fLOC: frequency of Loss of Containment
b: vector of basic events
q: vector of technical parameters
x: vector of state of managerial tasks
[Figure: QUALITY OF DELIVERY SYSTEMS VERSUS TIME]
[Figure: FREQUENCY OF FAILURE OF LOC VERSUS TIME]
CASE STUDY: LPG SCRUBBER
[Figure: flowsheet of the LPG scrubber with towers T6654, T6655 and T6656 and the LPG, MEA, NaOH and H2O streams]
DIRECT CAUSES OF LOC
• TOWER FAILURE FROM OVERPRESSURE CAUSED BY HEAT FLUX FROM EXTERNAL SOURCE
• TOWER FAILURE FROM OVERPRESSURE, OWING TO OVERFILLING
• TOWER FAILURE OWING TO AGING
• TOWER FAILURE OWING TO FREEZING
• EXTRA LOADS OWING TO A ROAD ACCIDENT
INITIATING EVENTS
• EXTERNAL FIRE
• HIGH INLET OF MEA OWING TO VALVE FAILURE
• NO OUTLET OF MEA
• HIGH INLET OF CAUSTIC
• NO OUTLET OF CAUSTIC
• HIGH INLET OF WATER OWING TO VALVE FAILURE
• NO OUTLET OF WATER
• HIGH INLET OF LPG
• NO OUTLET OF LPG
• OPERATING CONDITIONS OFF SPECIFICATIONS
SAFETY SYSTEMS
• PRESSURE DETECTION SYSTEM
• FIRE SUPPRESSION SYSTEM
• PRESSURE SAFETY VALVES
• LOW LEVEL PROTECTION SYSTEM IN TOWERS T6654, T6655, T6656
• HIGH LEVEL PROTECTION SYSTEM IN TOWERS T6654, T6655, T6656
• TOWER INTEGRITY