(55aa) The Importance of Monitoring NON-Tolerable Scenarios and Its Recommendations

It has been a long journey since the first efforts to establish process safety management models or systems. The Seveso Directive, in 1982, was the first collective proposal to define which working practices are mandatory to achieve a reasonable enough process safety performance. Several other model, systems or frameworks have been proposed afterwards, including two reviews to the Seveso Directive, in 1996 and 2003. But maybe the state of the art in this regards might be the Risk Based Process Safety Management (RBPSM), released in 2007 by the Center for Chemical Process Safety (CCPS), a recognizable improvement to the worldwide accepted Process Safety Management (PSM), which had been published by CCPS in the 1990s.

Since the Seveso Directive it is common sense that hazard identification and risk analysis is mandatory for preventing major accidents in the chemical industry. Several techniques have been proposed and applied for this purpose, from the project stage to normal operation, including as an integral part of management of change, and yet to deactivation of chemical process equipment and plants. Identifying the scenarios that lead to more severe consequences helps concentrating efforts and investments.

The Hazard and Operability Study method, simply known as HAZOP, was first developed by Imperial Chemical Industries LTD (ICI), in the 1960s, in the United Kingdon, and its development and application were then published by Chemical Industries Association Guidelines (CIA) in 1977. Since then, HAZOP has become one of the most powerful tools used in the chemical process industries for, not only identifying process hazards, but also for identifying equipment deficiencies or failures and operability problems and assessing their risks, as well as a tool for prioritizing actions and recommendations for process-risk reduction.

The HAZOP methodology is a systematic team-based technique that can be used to effectively identify and analyze the risks of potentially hazardous process operations. Usually, it aims to assess possible consequences to working personnel, neighborhood communities, environment, equipment, installations or even for the company image to the public. And, by conception, it is based on the premise that accidental scenarios are generally caused by failed design, equipment failure or operational actions, as stated in IEC 31010.

It is important to state that, a tolerability matrix must be standardized, with a limited levels of severity and frequency which, combined, indicate the resulting risk of a giving scenario. In summary, the HAZOP methodology goes all the way from identifying all the possible hazards, to assessing the probability of occurrence and the severity of its consequences, to the equally important stage of defining a set of recommendations which will help mitigate the risks, usually by reducing the probability of occurrence.

HAZOP studies have been long applied in our company during the design stages of new processes or projects, for major process modifications and for periodic review of existing operations. It was a common sense that all the risks had been mapped and controlled. It was only after a major process safety accident that corporately we realized that, in truth, the technique had been mostly applied for the identification of operability problems and failures.

An exhaustive but accelerated effort to reevaluate all the HAZOP studies then started, which included reassessing more than 1.000 HAZOP nodes, meaning approximately 6.000 risk scenarios, in just one facility. The objective was achieved within 18 months, resulting in more than 1.600 recommendations, which included a wide range of adjustments, such as procedure adequacy, HMI redesign, Pressure Safety Valve (PSV) substitution, adjustment of Safety Integrity Level (SIL) of Safety Instrumented Functions (SIF), as well as more complex projects to increase Maximum Allowable Working Pressure (MAWP) of vessels and heat exchangers.

It, then, should have been identified which scenarios, the non-tolerable ones at first, demanded prioritization, which was not accordingly executed. We heavily relied on operational monitoring of those scenarios, defining a set of actions that, supposedly, would prevent loss of primary containment (LOPC) or at least avoid the potential non desirable consequences.

As time went by, recommendations started being implemented by personnel assigned to each of them, usually engineers, technicians, and operators. At this point, it is important to mention that, once marked as implemented at the system used for registering the HAZOP analysis and manage its recommendations, there was no required approval by the plant managers.

It was a common sense that, once recommendations were implemented, risk were, finally, under control, even those related to non-tolerable scenarios. Sometime later, an internal sampling audit explored some of those critical scenarios and its recommendations, finding out innumerous non-compliance to its implementation, such as, attaching email messages as evidence, even if they were only used to indicated what should have been implemented, but not evidence of its actual implementation.

We then reevaluated all non-tolerable scenarios, tens of them, in other to certify implementation of their recommendations. It confirmed several other non-compliance evidence. Aiming to, definitely, control identified risks during the HAZOP studies, tens of new recommendations were defined, but now they were assigned only to plant managers in order to guarantee their implementation. Furthermore, all the non-tolerable scenarios and their recommendations would go through a regular and monthly internal audit.

Since then, we have reduced the number of non-tolerable scenarios yet with its risks controlled by operational monitoring, to only a couple of them. All other tens of initially non-tolerable scenarios have had their risks reduced to tolerable or, at least, moderate.