By Conrad Ellison, ABB Consulting
Managing process safety is never ending and requires constant attention. It’s necessary for those in leadership positions to review routinely what constitutes best practice in order to ensure that they are doing everything possible to prevent a major accident from occurring. Here, ABB Consulting’s Conrad Ellison, makes a case for the ‘Deep Dive Audit’ approach and explains how identifying the flaws that can lead to a major hazard, helps to prevent them.
Following the Buncefield court case five years ago, the Health and Safety Executive (HSE) issued a report stating that: “Good process safety management does not happen by chance – it requires constant active engagement. Safety management systems at COMAH sites should specifically focus on major hazard risks and ensure that appropriate process safety indicators are used and maintained.”
This highlights that it’s essential for organisations to look carefully at their process safety management to see if they are focusing on major accident scenarios and if more could be done.
A Process Safety Management system (PSM) provides a framework of high level procedures, in order to maintain safe operations and healthy protective systems. Generally speaking, it’s expected that a PSM audit showing year-on-year improvement is good news. However, this is not the whole story and it could be an indication that performance has reached a plateau, and a serious incident could happen at any time. It is essential therefore for operators to look at their major hazard scenarios in a more detailed and comprehensive way.
Thought needs to be given as to whether the issues covered by the audit on a yearly basis are the right ones. If they are not, you won’t see any improvements in the number of process safety incidents. You’re likely to find that leading Process Safety Performance Indicators (PSPIs) are not consistent with the audit performance, and the lagging indicators show a concerning trend with the number of incidents remaining the same or even increasing.
Such incidents are usually caused by failures of multiple risk control systems at a detailed level. The potential interactions between risk control systems are often not visible at the level of the PSM system, which is constructed from distinct elements such as mechanical integrity, incident investigation or management of change.
It might be that interactions are missed in accordance with the ‘Swiss Cheese Model’ of accident causation. This is where an organisation’s defences against incidents are modelled as a series of barriers, represented as slices of cheese. The holes in the slices represent weaknesses in individual parts of the system and are continually varying in size and position across the slices. The system produces failures when a hole in each slice momentarily aligns, permitting what’s described as ‘a trajectory of accident opportunity’ enabling a hazard to pass through holes in all of the slices, resulting in an incident.
With this in mind, auditing PSM system elements may not actually identify the potential for a process safety incident. Instead, an assessment of specific incident scenarios and the verification of the specific barriers in place to prevent the incident is necessary. The solution? A Deep Dive Audit.
A detailed inspection
The Deep Dive Audit is a holistic approach, combining safety and integrity management. It involves a sample detailed inspection of key elements of the operation’s basis of safety, diving deeply into specific hazard scenarios. Part of this is identifying layers of protection and verifying that these layers are correctly designed, are in use and are effective. The findings can be extrapolated to reach conclusions on the effectiveness of some elements of the PSM systems.
This method provides assurance that process safety is being managed appropriately. It is worth noting that the Deep Dive Audit hasn’t been designed to replace existing PSM audits, but to complement them. Through its detailed approach it identifies issues that would go unnoticed with a regular audit (Figure 1). In contrast with a PSM audit, which can take up to three weeks, it can be undertaken in approximately three days. It is therefore a rapid and practical assessment process. Importantly, it identifies if PSM is delivering on site and does this in a collaborative way, which requires minimal preparation from the operators.
| Factor | Regular PSM audit | Deep Dive audit |
| Scope | All PSM system elements | Major accident hazard scenarios |
| Objective | Achieve best practice for individual elements | Ensure specific risk control barriers are working effectively |
| Focus of audit | Suitability of and adherence to written procedures | Weaknesses in plant, process or people aspects of barriers |
| Method | Check completeness of documents and test experience with system owner and users | Verify effectiveness of barriers based on plant records, understanding of staff, and field observations |
Figure 1: Outlines the main differences between the two types of process safety audit
As mentioned, the main focus of a Deep Dive Audit is to analyse major accident scenarios and their associated barriers and to provide rigorous assurance that they are working effectively. In summary, this type of audit is designed to:
Together, the above provides an overview of the process safety ‘vital signs’ and ensures that best practice in management systems is being achieved. A benefit of the Deep Dive approach is that it’s applicable to Seveso Directive and non-Seveso Directive facilities with process safety issues. It identifies specific actions relating to scenarios as well as generic site-wide issues and the methodology aligns to that employed by regulatory bodies during interventions. As an approach it is also proving popular for benchmarking across a number of sites.
The stages of a Deep Dive Audit
DAY 1 – How does the site manage its process safety?
A range of hazard analysis reports such as HAZID and HAZOPs must be reviewed to identify major accidents and the required barriers. From these, a list of varying high-risk scenarios for the detailed Deep Dive Audit can be established with a view to assessing the different types of prevention, control and mitigation barriers.
DAY 2 – What layers of protection are in place for the key scenarios?
Next, verification is sought for the effective functioning of each scenario and its associated barriers. There are three foci to this stage: barrier verifications; processes and the people operating them.
From my experience, the best results can be obtained by deploying two process safety specialists as assessors; one with a PSM system and operations background and the other with a plant engineering and asset integrity management background.
Onsite process engineers, operating managers and maintenance engineers, also provide a valuable source of knowledge to help with the understanding of major accident scenarios.
At this stage, a field visit needs conducting to focus on verifying specific barriers. This has two purposes, firstly to physically check that safeguards are installed in line with the design intent, for example that relief devices are in place and that passive fire protection and secondary containment are in good condition. Photographs of deficiencies can be used to provide high-impact evidence to site management. The second purpose is to talk to operators and maintenance technicians to establish their understanding of the process and of the major accident hazard that is being assessed. This provides an insight into the quality, training and experience of staff.
When conducting such site visits, we’ve had several cases where operators have been unaware of the necessary emergency procedures. Other issues regularly highlighted at the verification stage have included: inhibited alarms, non-Atex approved equipment in hazardous areas and gaps in earth and lightning protection testing (Figure 2).
DAY 3 – Carrying out additional verifications and forming feedback
The audit report provides details of the assessment for each barrier, along with a decision on whether it is working effectively or whether a related weakness needs to be addressed. This could relate to the plant, processes or people involved.
| Common Findings | |
| 1 | Testing/inspection of active fire system found to be excessive in some areas and deficient in others |
| 2 | Non-Atex approved equipment found in hazardous areas |
| 3 | Calibration of test equipment not recorded on proof tests |
| 4 | Inspection of pressure equipment focuses on short-term and not long-term asset sustainability |
| 5 | No formal auditing of permit to work system |
| 6 | Alarms found inhibited |
| 7 | No standard set or control of initial mechanical isolation to achieve isolation standards |
| 8 | Lack of identification of safety critical procedures |
| 9 | Gaps in earth and lightning protection testing |
| 10 | Inspection of electrical equipment in Atex areas not to relevant good practice |
Figure 2: The top 10 common findings uncovered by conducting a Deep Dive Audit
Conclusion
Good process safety management is about preventing major process incidents from occurring. It therefore makes sense to devote some assurance effort directly to the scenarios themselves, focusing on the specific risks and layers of protection.
At ABB Consulting we’re finding more and more operators are choosing to carry out Deep Dive Audits across their global sites in order to provide a time efficient snapshot of performance, and to benchmark sites in order to identify those requiring greater senior management attention.
The level of detail provided by a Deep Dive Audit can benefit not only the scenarios under assessment, but many similar scenarios too as it can help uncover weaknesses in the generic risk controls.
Whilst we must remember, the scope of the Deep Dive Audit is limited when compared to a conventional PSM audit, it provides us with confidence that barriers are working effectively. It also ensures a focus on major accident hazards and identifies areas for improvement. By taking process safety on to the next level, this approach is fast becoming a welcome accompaniment to the traditional PSM audit.
Conrad Ellison is Principal Safety Consultant at ABB Consulting, UK
The Safety Conversation with SHP (previously the Safety and Health Podcast) aims to bring you the latest news, insights and legislation updates in the form of interviews, discussions and panel debates from leading figures within the profession.
Find us on Apple Podcasts, Spotify and Google Podcasts, subscribe and join the conversation today!
Not dissimilar to the engineering community’s Fault Tree Analysis approach. What if? What if? What if?