Risk-Based Process Safety | AIChE

You are here

Risk-Based Process Safety

Back To Basics

What happens when organizations don’t follow risk-based process safety guidelines?

The Center for Chemical Process Safety (CCPS) published its Guidelines for Risk Based Process Safety (RBPS) (1) in 2007 to provide guidance to the chemical process industries (CPI) for designing, correcting, or improving process safety management practices. The guide includes 20 elements organized under four pillars (see sidebar).

The 20 Elements of Risk-Based Process Safety

I. Commit to process safety

1. Process safety culture

2. Compliance with standards

3. Process safety competency

4. Workforce involvement

5. Stakeholder outreach

II. Understanding hazards and risks

6. Process knowledge management

7. Hazard identification and risk management

III. Manage risk

8. Operating procedures

9. Safe work practices

10. Asset integrity and reliability

11. Contractor management

12 Training and performance assurance

13. Management of change

14. Operational readiness

15. Conduct of operations

16. Emergency management

IV. Learn from experience

17. Incident investigation

18. Measurement and metrics

19. Auditing

20. Management review and continuous improvement

Prior to its publication, I witnessed many incidents and near misses that could have been prevented by RBPS elements. When I started my career in 1979 as a rookie chemical engineer, little did I realize that plants are dangerous if not operated properly. This article documents 12 process safety events I’ve encountered and highlights the RBPS element(s) that could have prevented them. Because this is also meant to be a learning exercise, you will be prompted to determine the element(s) on your own for two of the events, with answers to follow at the end of the article.

1 A conflict ensues between safety and production

In the 1990s, I worked at a methanol plant that had a waste-heat boiler nearing the end of its life. A replacement was planned for the next turnaround, which at the time was scheduled for a month after the incident occurred. On the day of the incident, a tube leak in the boiler forced us to shut down the plant to fix the leak. Because methanol prices were at record highs, the plant manager decided it was best to make the fix quickly. Instead of installing a blind in the boiler feedwater inlet line (operating at a pressure of 116 kg/cm2), we were advised to lock out and tag out all of the boiler feedwater pumps and isolation valves and drain all of the boiler feedwater from the system.

After we completed the tasks, the plant manager called the safety manager at 11 pm for approval of a confined-space-entry permit. We had attached the pre-approved blind list for boiler entry to the work permit and mentioned that the blind in the feedwater inlet line was not installed, as we had drained the water and locked out and tagged out the pumps and isolation valves.

The safety manager did not approve of the fix and insisted that we follow the pre-approved blind list and fix the blind in the boiler feedwater inlet line. The plant manager felt that the safety manager was being unreasonable and woke up the president of the company to get his permission. After some discussion, the president agreed with the safety manager and instructed us to install the blind, which took six hours.

The next day, the president called a meeting and clearly warned the plant manager that it was his responsibility to ensure that blind lists were updated with any changes. The company had lost money due to the delay and the manager was warned that his job would be at stake if safety procedures were not followed again.

This event sent a strong signal throughout the company that safety was valued over production. Although the company lost money this time, it was an investment for the future. The safety systems were continually improved and employees actively participated in the improvements, thus preventing incidents.

Which RBPS element was demonstrated in this event? This event demonstrates the importance of process safety culture, including the need to establish process safety as a core value, provide strong leadership, and establish and enforce high standards of performance.

2 A furnace explodes due to bypassed flame-failure detectors

The flame-failure detectors in a gas-fired preheater at a petrochemical plant were not in operating condition. These instruments detect flame-out conditions, which require immediate action to isolate the fuel gas. Otherwise, large quantities of unburned gas can accumulate in the combustion chamber and subsequently reignite explosively, which could have serious consequences for personnel and equipment. Plant management knew that the flame-failure detectors were not operational, but allowed the fired heater to operate anyway. The potential explosion hazard of relighting the furnace without properly purging the firebox was well known.

When a fuel gas pressure upset eventually extinguished the burner flames, the control room operator advised the field operator to immediately relight the burners, as the culture of the organization was to maintain production. The field operator tried to ignite the burners without first purging the firebox of the accumulated unburned gas, causing an explosion.

Which RBPS element could have prevented the event? This incident shows the consequences of poor process safety culture that failed to establish process safety as a core value, provide strong leadership, or establish and enforce high standards of performance.

3 An atmospheric ammonia storage tank flare tower collapses

A few days before the Bhopal disaster, I was working in an ammonia plant when a hurricane hit. Management was forewarned and instructed us to shut off the back end of the plant, which involved high-pressure operations. The front end, which included the furnace, remained in operation and the synthesis gas was vented. The high wind speeds forced us to seek shelter in the control room.

Another plant within the same complex reported an ammonia smell. It was raining heavily and the wind gusts were strong, so we thought the odor could have been caused by the high winds extinguishing the ammonia flare’s pilot burners. The ammonia flare was supported by a derrick and was intended for emergency venting of the ammonia storage tank. Operators went out to check on the flare, but reported it was missing. I went to check with another team. To our horror, we found that the flare structure had collapsed on the main ammonia vapor line from the tank.

The derrick structure could not bear the brunt of the wind speeds. The main flare gas pipe, however, was in good condition. When the derrick toppled, the main gas pipe prevented the flare from falling suddenly and, instead, it fell slowly. It came to rest on an 8-in. ammonia vapor line that connected the ammonia storage tank to the ammonia compressors, which was dented but not leaking. To ease isolation during maintenance, it is a standard practice to locate the isolation valve in this line at pipe-rack level, rather than on top of the tank. Had the ammonia vapor line leaked, there would have been no way to isolate the flow of ammonia vapor through the line. At the time of the incident, the plant was storing about 2,000 m.t. of anhydrous ammonia

Which RBPS element could have prevented the event? The asset integrity and reliability element helps ensure that equipment is designed and installed in accordance with specifications and remains fit for use throughout its life. Safety-critical equipment, which includes preventive and mitigative systems, ensure that a loss-of-containment incident does not occur.

The plant was located by the coast, and the salty air increased the rate of corrosion of the derrick structure. Periodic painting was not able to keep pace with the rapid corrosion, and the structure was badly corroded. Although the structure was designed to withstand 80-mph winds, in its compromised state it could not handle the stress. A good asset integrity program considers changes to frequency of inspection, test, and maintenance plans based on actual levels of corrosion and other factors.

4 A floating roof tank is damaged during decommissioning


Figure 1. These diagrams show the floating roof with the support legs in (a) low and (b) high positions.

A floating-roof tank stored liquid naphtha. The roof was mounted on hollow sections called pontoons, which enabled it to float and rise and fall with the level of product inside the tank. Support legs on the roof could be adjusted to two positions: a low position for normal operation (Figure 1a) and a high position to provide space for cleaning and maintenance (Figure 1b).

For entry through the manway at the bottom of the tank during maintenance, the support legs are extended to the high position by following these steps:

  1. Fill the tank to a level higher than the high-leg level.
  2. Remove the cotter pin, which anchors the pontoons to the support legs.
  3. Raise the pontoon to the high position and insert the cotter pin to the support leg and pontoon.
  4. Slowly empty the tank completely to allow the roof to settle onto the support legs.

Figure 2. (a) The cotter pin was inserted through the support leg but not the pontoon when the legs were transitioned from the low to the high position. (b) As the tank was emptied, the unsupported pontoon dropped to the tank floor, causing damage.

Step 3 was carried out incorrectly and the cotter pin was fixed in the high position on the support legs but without supporting the pontoon (Figure 2a). When the tank was emptied during Step 4, the pontoons settled onto the floor of the tank, damaging the pump suction nozzle and other accessories (Figure 2b). The operator observed the pump suction piping bending upward and stopped the emptying operation before the flanges in the tank outlet line gave way. Further analysis of the event revealed that the drawings for the tank were not available and the shift crew was given oral instructions to perform the operation.

Which RBPS elements could have prevented the event? The process knowledge management element requires accurate and complete process knowledge to identify process hazards and analyze risk. In this incident, the drawings for the tank internals were not available and the operation was carried out based on past experience.

The safe work practices element ensures that written procedures are available for all activities not covered by operation and maintenance procedures. Decommissioning the tank and changing the support leg height for the floating roof should have been covered by a written, approved procedure, complete with sketches, drawings, and warning statements.

5 A small change causes a storage sphere to topple

A plant decided to import a toxic intermediate chemical (i.e., ammonia) to save money, rather than continue to manufacture it. The facility that had been manufacturing ammonia was permanently shut down, and a pressurized intermediate chemical sphere that had been used to store it was decommissioned. The sphere was still in good condition, so it was used as excess storage for demineralized water.

Because it was no longer used for ammonia, inspection, testing, and maintenance of the sphere were curtailed, including inspecting for corrosion under the insulation on the support legs. The tank was exposed to a wet climate, and rain water had gotten under the insulation and corroded the legs. Eventually, a badly corroded leg gave out and the sphere toppled. No one was injured.

Which RBPS elements could have prevented the event? The management-of-change (MOC) element requires a review and authorization process for evaluating changes to facility design, operations, organization, or activities prior to implementation to ensure that no unforeseen additional hazards are introduced. These changes include decommissioning equipment and changing the material stored, even if the new material is less hazardous.

Had an MOC review taken place, the hazard identification and risk analysis element would have highlighted the dangers of corrosion under insulation. This would have led to recommendations that the inspection schedule continue.

6 A naphtha pump runs deadheaded and overheats

While working a night shift, I departed for my customary field visit of the plant, which took me to the naphtha hydrodesulfurization section. I noticed a reddish glow coming from the casing of a naphtha recovery centrifugal pump (Pump A) that was in operation and noted that its discharge valve was closed. I stopped the pump and the red glow slowly vanished. I manually started the standby pump (Pump B) to reduce the level in the naphtha separator. Pump A was designed to start automatically when the level in the separator was high, and Pump B would start if the level reached high-high level. The pumps would automatically stop when the level was low.

During the previous shift, preventive maintenance was being performed on Pump A and Pump B was in operation. When the maintenance job was finished, Pump B was stopped and Pump A was put back online. By mistake, its discharge valve remained closed. When the separator level reached high level, Pump A automatically started. Since the discharge valve was closed, the pump casing overheated. Taking my usual plant walk helped me to notice the red glow and intervene.

Which RBPS element could have prevented the event? The operational readiness element verifies that equipment that had been shut down is in a safe condition for restart. Prior to energizing the motor of the pump, a walk down of the line connected to Pump A should have been conducted.

7 Management failed to follow through on an engineering recommendation

A manufacturing facility had been handling bromine in glass bottles, but after a serious incident involving broken bottles, the incident investigation team recommended a solution that eliminated the use of glass bottles. The proposal was sent to corporate headquarters for approval of the capital expenditure.

Questions were raised by the finance department regarding the necessity of spending a large amount of money for the engineered system that eliminated the use of glass bottles. This discussion continued to take place and a couple of months passed. Meanwhile, during a planned external audit of the process safety management (PSM) system, the auditor mentioned to management that the recommendation for eliminating the glass bottles was still pending. The auditor’s finding was not acted upon, and a few more incidents involving broken bromine bottles occurred after the audit.

Which RBPS elements could have prevented the event? RBPS is founded on the concept that a company first understands the risk associated with its activities and then decides on actions needed to eliminate, reduce, or control the existing risk. The incident investigation element requires the prompt resolution of recommendations. If the recommendation of the engineered solution had been implemented in a timely manner, the additional incidents could have been avoided.

The purpose of the management review element is to monitor the organizational performance of other RBPS elements. Management reviews are required after any internal or external audit. If a management review was conducted after the planned PSM external review, the auditor’s finding would have highlighted the delay in implementation of the recommendation. The risk of continuing to use the glass bottles would have been discussed and actions would have been taken to make the necessary changes.

8 A leak in a pipeline that hadn’t been inspected

A refinery complex consisted of 17 plants and common utilities. Some of the safety-critical utility pipeline systems could not be inspected because they were always in operation and could not be taken out of service for internal inspection. Although the inspection group knew that these pipelines had not been inspected for more than ten years, the risk associated was never conveyed to management. A leak occurred in a common steam pipeline that was supplying steam to multiple refinery units, requiring several refinery units to be shut down.

Which RBPS element could have prevented the event? Inherent to the RBPS approach is recognizing that all hazards and risks are not equal. Resources should be allocated first to the items with the highest risk. The hazard identification and risk analysis element of RBPS requires that facilities understand the risk associated with its activities and answer: What can go wrong? How bad could it be? How often might it happen? Based on the answers to these questions, the company can decide what actions, if any, are needed to eliminate, reduce, or control existing risk.

9 A thermal expansion leak occurs despite a thermal relief valve

A plant was implementing an energy-saving modification that included the addition of a new liquid ammonia line. The internal hazard and operability (HAZOP) study recommended including a thermal relief valve on the line. The HAZOP team had noted that the pipeline could overpressurize when it was isolated due to thermal expansion of the liquid ammonia at high ambient temperature.

The maintenance manager was under pressure to commission the line. To implement the HAZOP recommendation, he obtained a new thermal relief valve from inventory. The thermal relief valve was installed, a pre-startup safety review (PSSR) was carried out, and the line was cleared for commissioning. A year later, a flange in the line developed a leak due to thermal expansion of liquid ammonia when the line was accidentally blocked during a shutdown. The investigation revealed that the thermal relief valve had a higher set pressure than the maximum allowable working pressure of the pipeline.

The internal HAZOP team had included a new process engineer who was not competent in the specification of relief valves. The recommendation had simply stated, “provide a thermal relief valve,” but did not specify the setpoint or other details. The maintenance crew installing the thermal relief valve selected a valve from the existing stock.

The PSSR team included the same process engineer who participated in the HAZOP study. The others on the team conducting the PSSR were not aware of the meaning of one of the questions on the PSSR checklist that asked: whether design basis of relief valve has been documented and set pressure checked. The answer to this question was marked “yes” by the team even though no set pressure had been specified or checked.

Which RBPS element could have prevented the event? This event occurred because the engineers responsible for the HAZOP and PSSR lacked process safety competency. Organizations should realize the limitations of HAZOP and PSSR studies conducted by internal teams that do not have proper technical competency. Organizations are responsible for ensuring that personnel involved in process-safety-critical activities have the appropriate technical competency.

10 High-risk piping exhibits accelerated corrosion

A refinery complex had implemented an inspection program as part of a mechanical integrity and quality-assurance system. The program requirements included corrosion monitoring of equipment and piping identified as high risk by a risk-based inspection program.

The process department was responsible for monitoring the quantity of corrosion inhibitor and iron levels in the circulating solution in the high-risk piping circuit. The inspection department was responsible for monitoring the corrosion probes installed in the equipment. The process department noted a higher-than-acceptable rate of corrosion in one of the high-risk piping sections. A note communicated to all of the departments the need for an inspection of the corrosion probe at the next available opportunity to confirm the accelerated corrosion and take suitable action (i.e., replace the pipe).

During the next available shutdown, however, the corrosion probe was not monitored by the inspection department because its members were busy with other activities. When the plant was brought back online, the high-risk equipment developed a leak in the piping and the plant had to be shut down again.

Which RBPS element could have prevented the event? Misplaced priorities and unclear job responsibilities caused the inspection department to overlook the need to evaluate the probe for corrosion. The asset integrity and reliability element ensures that inspection, test, and maintenance plans evaluate safety-critical equipment. This equipment must be suitable for its intended application throughout its life to enable it to prevent a potential loss-of-containment incident. Documented roles and responsibilities are part of the asset integrity and reliability program. The program also requires a system for the prompt resolution of potential equipment failures and deficiencies

Test yourself

Check your understanding of RBPS by identifying the element(s) that could have prevented the following events.

11 Toxic vapors travel to the surrounding community

A petrochemical complex hired a human resources consultant to suggest rationalization of manpower to reduce costs. One recommendation was to eliminate one of the two shift managers who were in charge of the complex after office hours. The premise for the staffing reduction was that the normal workload had been reduced since one of the units had been permanently shut down.

The recommendation overlooked one of the benefits of having two shift managers. During an emergency, one shift manager would report the incident, while the other would assume responsibility as an emergency controller.

One evening, a flange on a pipeline transporting a highly hazardous chemical started to leak and the toxic vapors drifted out of the site. The sole shift manager went to the incident site. The community emergency response plan was not activated because the security personnel were awaiting instructions from the shift manager who was at the incident site. The delayed activation of a community emergency response plan resulted in residents of the surrounding area being exposed to the toxic chemical, requiring them to be hospitalized.

12 Misplaced drum leads to an incorrect assumption

It was routine practice for operators of a petrochemical plant to top up the hydraulic oil of a steam turbine governing system if the oil level dropped below a certain level. The operator would get the oil from the oil drum storage shed, which was located away from the turbine. An operator noticed a drum located close to the turbine and used its contents to top off the system. Soon after, the steam turbine speed started to vary.

An investigation found that the drum near the turbine had not contained oil but antifoam agent. The antifoam agent had been left at this location as part of process trials, which were taking place in another section of the plant. It was also observed that the trial had been approved by the organization’s MOC procedure.

How’d you do?

Event 11. Organizations must identify the minimum number of competent personnel required for operating and maintaining the plant safely. These requirements must include not only operating personnel but also support functions like maintenance, inspection, process engineering, fire and safety, laboratory, and stores. The number of competent personnel required must be identified for different phases of plant operation, including normal operations, abnormal operations, emergencies, and startup and shutdown.

The MOC element requires a review and authorization process for evaluating changes to facility design, operations, organization, or activities prior to implementation to ensure that no unforeseen additional hazards are introduced. Management of organizational changes include changes to job assignments, personnel, and organization.

Event 12. The conduct of operations element ensures that operational and management tasks are carried out in a deliberate and structured manner. It is closely aligned with the organization’s culture. Conduct of operations institutionalizes a commitment to excellence in the performance of every task. Workers perform their tasks with a sense of vulnerability, thus ensuring alertness at all times.

Literature Cited

  1. Center for Chemical Process Safety, “Guidelines for Risk Based Process Safety” AIChE and John Wiley and Sons, Hoboken, NJ (2007).


Copyright Permissions 

Would you like to reuse content from CEP Magazine? It’s easy to request permission to reuse content. Simply click here to connect instantly to licensing services, where you can choose from a list of options regarding how you would like to reuse the desired content and complete the transaction.