
Incidents and History

Inherent Safety
Process Safety Management
Fire and Explosion
Reactive Chemicals
Chemical Exposure
HAZOP
LOPA
Metrics
Human Factors
Culture
Competence
Auditing
Resources and References

Introductions

Richard Gowland. Technical Director, European Process Safety Centre. Formerly (until 1 March 2004) Process Safety Associate at the Dow Chemical Co. Rtgowland@aol.com

Willem Patberg. Formerly (until mid 2007) Process Safety Associate at the Dow Chemical Co. wbpatberg@zeelandnet.nl

Richard Gowland

Graduated as Mechanical Engineer 1966

- Steel Industry Mechanical Engineer
- Polyurethanes Project Engineer
- Dow Engineering (1971-5)
- Dow Projects (1976-7)
- Dow Production Management (1977-1987)
- Dow Technology Center Project Manager (1987-9)
- Dow Process Safety (1989-2004)

by Richard Gowland

Willem Patberg

1972 Physical and Chemical Technology RUG

- 1972-1974 Factory Mutual in US and UK
- 1974-2006 Dow Chemical Co.
- 1974-1994 Various manufacturing roles
- 1994-2006 Process Safety
- 2004 - External expert OVV
- 2006 - Process Safety support for Dow's projects in the Middle East
- 2006 - etc.

Relevant Experience in Process Safety:

- Basic risk assessment
- Process Safety Management systems
- Global Standards and Requirements
- Process Safety Leadership for Dow Agrosciences and MDI/Polyurethanes
- Auditing
- Legislation implementation
- Working with European Commission on Major Hazards

The Facts about Industrial Accidents

IN EUROPE:
- Accidents in industry kill one person every 2 hours and injure one person every 15 seconds
- The death toll is approximately 4,900 every year from a total of 7.6 million accidents

Some approximate statistical comparisons

- Most of the Chemical Industry is performing with an average accident rate of less than 1 per 200,000 man hours (a significant number are achieving 0.4 or lower)
- Translate this average to the working population of the European Union and the number of accidents should be approximately 1.3 million, saving >6 million accidents
- Performance in the top quartile would result in 520,000 accidents, a >90% improvement
- In 2003 a global major in the sector found that 70% of its sites had no reportable accidents

Outcomes

- Chemical Industry accident (Lost Time Injuries, Fatalities etc.) statistics are among the best for all industry ... BUT
- Perception (and unfortunately sometimes reality) is that when something goes wrong, many people can be affected in the worker population and the community
- An Aversion factor is quite understandable

Significant milestones in improving safety and lowering risk

- Finding a way to identify what can go wrong
- Finding a simple set of tools which allow quantification of the severity
- Finding a way to communicate it within an organisation
- Making everyone accountable for knowing what can go wrong, what role they have in preventing it and, if it happens, what they need to do to mitigate it
- Making business leadership understand that they (and not the Safety Department) are primarily accountable for performance
- Board of Directors setting the risk governance criteria in the full knowledge of what it is likely to cost

KEY roles of the CEO, Board of Directors and Business Leaders

- Understand the risks for each business
- Recognise their responsibility for performance
- Dialogue with the Technical Expertise in the company who have assessed the risks
- Challenge the Technical Expertise on improvement programmes: tell them what must be done, not how it must be done
- Make binding agreements with unambiguous metrics and timings
- Fund the programmes and discipline the organisation
- Follow up with periodic reports

Transparency: putting your CEO reputation on the line!

- Tell the world that today's performance is not good enough
- Tell what targets you have set (however ambitious, e.g. 90% reduction, they might seem)
- Tell them you will report progress (and do it)
- Even the hard-nosed financial and insurance world are interested today

The MARS database records that approximately 30 Major Accidents happen each year within the industry sectors covered by the Seveso 2 Directive. These accidents are not major contributors to the overall statistics but have a major impact on industry and society. The major accident which occurred at Toulouse on 21st September 2001 killed 21 people on the site and 9 people off-site, and injured 2,242 people. 27,000 homes and 1,300 companies suffered significant damage. 5,000 people needed treatment for acute stress. The economic cost exceeded 1 500 million.

Why Process Safety?

Drivers:
- Corporate Ethics and Responsibility
- Economics
- International Standards (I.S.O. 18001 etc.)
- Law

Corporate Responsibility

Major events in Chemicals, Oil and Gas and Processing Industry

Reaction of:
- Employees and their families
- Public, Neighbours, Community directly affected (injured etc.)
- Public, Neighbours, Community indirectly affected (worry, loss of property value)
- Government and Government Agencies (e.g. O.S.H.A., Health and Safety Executive)
- Stockholders (Stock Market, Investors)
- N.G.O.s

The Law

- U.S.: O.S.H.A. PSM 1910
- Europe: Seveso Directive
- Australia ..
- Saudi Arabia..

Link to Corporate Responsibility Details

Example from U.K. Institute of Directors and Health and Safety Executive

Reference: Director Responsibilities.pdf

and link to documents in U.K. Health and Safety Executive:
http://www.hse.gov.uk/pubns/indg417.pdf

Basic Responsibilities under the U.K. law

Companies and organisations that take their obligations under health and safety law seriously are not likely to be in breach of the new provisions. Nonetheless, companies and organisations should keep their health and safety management systems under review, in particular the way in which their activities are managed or organised by senior management.

Consequences of failure

Financial sanctions
Possible imprisonment
Loss of reputation
Stock price fluctuations


The ethical dimension

- People want to work for ethical organisations
- The public requires corporations to act ethically
- Results in industry initiatives and programmes
- Challenge recognised in 1986

Responsible Care

- Industry initiative in 1990
- Started in Canada
- Required Codes
- Process Safety Code
- Measuring and Reporting performance
- Fully adopted in U.S., Canada and many other countries
- Europe measures but does not yet require public reporting

Responsible Care - originated in Canada 1985
Europe adopted in 1989

A Typical Company Responsible Care Policy statement

- To lead our companies in ethical ways that increasingly benefit society, the economy and the environment.
- To design and develop products that can be manufactured, transported, used and disposed of or recycled safely.
- To work with customers, carriers, suppliers, distributors and contractors to foster the safe and secure use, transport and disposal of chemicals and provide hazard and risk information that can be accessed and applied in their operations and products.
- To design and operate our facilities in a safe, secure and environmentally sound manner.
- To instill a culture throughout all levels of our organizations to continually identify, reduce and manage process safety risks.
- To promote pollution prevention, minimization of waste and conservation of energy and other critical resources at every stage of the life cycle of our products.

And public reporting

- Up to 2005 a simple standard system, but not really the whole answer
- 2005-2008 evolution of a new system
- Work by Center for Chemical Process Safety (CCPS) and American Petroleum Institute (API)
- API 754 standard for reporting Process Safety Incidents

Performance Monitoring

- Responsible Care in North America has ALWAYS had a Process Safety Code and a requirement for reporting via American Chemistry Council
- Responsible Care in Europe has NEVER had a Process Safety dimension
- This will change soon, I HOPE!
- More on Responsible Care later

And

- Loss of Primary Containment programmes tailored to each user need
- Big challenge, but it is worth the effort

Where does all this lead?

- The strategy for the company: What are we going to do?
- The tactics: How are we going to do it?

Decisions at the top of the company

- (example) Chief Executive sets expectations, e.g. 90% reduction in incidents over 8 years
- Measurement techniques agreed or devised, e.g. Process Safety Incident metrics, Loss of Primary Containment criteria
- Agrees with Business Leaders (Vice Presidents) on resourcing

Decisions at the top of the company

- Business leaders take advice from specialists in EH&S, e.g. Process Safety
- How can we make the target reduction? Risk Management
- What will it cost?

How does a proper system inform leadership?

- Business leaders ARE accountable for their business performance
- Accidents, Incidents, Near Misses and Key Performance Indicators
- They need to know how their business is performing
- They need a good relationship with process safety specialists to improve performance

Examples follow

Process Safety Code - The Dow Chemical Company

[Chart: The Dow Chemical Company, 2005 Goal Objectives. Process safety incidents per year, 1994 to 2002 YTD (annualized for current year) with goal points for 2003, 2004 and 2005; vertical axis 0-200. Values recovered from the chart, in order: 179, 129, 124, 124, 98, 73, 72, 76, 64, 38, 18. Dated 7/23/2002, marked Dow Restricted.]

At the periodic Director or Vice President meetings with the Chief Executive Officer

- EH&S results for each business are discussed
- Successes are examined for sharing
- Weaknesses are identified for follow up
- Examples: Process Safety Incidents, Loss of Primary Containment statistics

Business comparisons at Leadership level

[Chart: Loss of Primary Containment, Global Business Comparison (thru 2Q2003); horizontal axis 0-140. Bars by business, values as recovered: Performance Chemicals 134, Thermosets 73, Polyolefins & Elastomers 71, Chemicals 61, Hydrocarbons & Energy and EO/EG 60, Dow AgroSciences 49; Unallocated, Styrenics & Engineered Products and Market Facing carry the remaining values 40 and 33 (pairing not recoverable).]
[Chart: Dow AgroSciences EH&S, Loss of Containment Incidents (Leaks, Breaks & Spills). Goal: 90% Reduction (1996 Base Year). Annual counts 1996 to 2002 for DAS and the 2005 Goal; vertical axis 0-160. Values recovered from the chart: 152, 139, 147, 135, 130, 111, 109, 49.]

How does this translate into an effective programme for PROCESS SAFETY?

- Existing Operations
- New projects and business opportunities
- Mergers and Acquisitions

Existing Operations and new projects

Progressive Process Risk Management System example:

Summary diagram of a progressive system adjusted for typical ops

LEVEL 1: PROCESS HAZARDS ANALYSIS
Triggers: All plants, significant projects and changes
- Fire & Explosion Index (FEI)
- Chemical Exposure Index (CEI)
- Credible case scenarios and lines of defence (with frequency or LOPA target factors)
- Worst case scenarios and relationship to Emergency Plan
- Explosion Impact (Building Overpressure) evaluation*
- PHA Questionnaire

LEVEL 2: RISK REVIEW
Triggers: F&EI >= 110 or CEI = ERPG2 at fence line; LOPA Target Factor to be defined (check output from Level 1), e.g. fatality at freq > KNR governance criteria
- Cause-Consequence pair Identification*, e.g. bow tie
- HAZOP
- LOPA (Triggers: LOPA Target >= 6 or LOPA inappropriate)
- Structured Hazard Analysis (Fault Tree analysis*, FMEA, Checklist, etc.)

LEVEL 3: ENHANCED RISK REVIEW
Triggers: LOPA Protection Gap > 0, i.e. we are not meeting governance criteria
- More accurate Dose considerations, e.g. AEGLs or AETLs
- Screen for QRA*

LEVEL 4: QUANTITATIVE RISK ASSESSMENT
Triggers: Individual Risk contours in off-site population exceed Business Governance Elevation Criteria
- Combination of Consequence Analysis, Frequency of Impact
- Focuses on highest risk activities
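The level triggers above can be written down as a screening rule so that every project or change is routed the same way. The following is an added example, not code from the slides or from Dow: the threshold values (F&EI >= 110, CEI reaching ERPG-2 at the fence line, LOPA target factor >= 6 or LOPA inappropriate, protection gap > 0, off-site individual-risk contour exceeding the elevation criteria) are the slide's; the ScreeningInput field names, the sample cases and the rule that the highest triggered level wins are this example's own assumptions.

```python
"""Added example: which review level a progressive process-risk management
system escalates a case to.

Not code from the slides. Trigger values come from the slide; the field
names, the sample inputs and the 'highest triggered level wins' rule are
assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScreeningInput:
    fei: float                          # Dow Fire & Explosion Index from Level 1
    cei_erpg2_at_fence: bool            # CEI: ERPG-2 concentration reaches the fence line
    lopa_target_factor: Optional[int]   # LOPA target factor from Level 1 (None if not yet defined)
    lopa_inappropriate: bool = False    # scenario judged unsuitable for LOPA
    protection_gap: int = 0             # LOPA protection gap; > 0 means governance criteria not met
    ir_exceeds_elevation: bool = False  # off-site individual-risk contour exceeds elevation criteria


LEVELS = {
    1: "PROCESS HAZARDS ANALYSIS",
    2: "RISK REVIEW",
    3: "ENHANCED RISK REVIEW",
    4: "QUANTITATIVE RISK ASSESSMENT",
}


def triggered_level(s: ScreeningInput) -> int:
    """Return the highest review level whose triggers fire.

    Level 1 applies to every plant, significant project and change, so it is
    the floor. Each higher level is checked in turn and the highest one
    triggered wins (assumption: a Level 4 trigger implies the lower reviews
    are carried out as well).
    """
    level = 1
    # Level 2: F&EI >= 110, CEI at ERPG-2 at the fence, LOPA target >= 6, or LOPA inappropriate
    if (s.fei >= 110 or s.cei_erpg2_at_fence or s.lopa_inappropriate
            or (s.lopa_target_factor is not None and s.lopa_target_factor >= 6)):
        level = 2
    # Level 3: a LOPA protection gap means the lines of defence do not meet governance criteria
    if s.protection_gap > 0:
        level = 3
    # Level 4: individual-risk contours in the off-site population exceed elevation criteria
    if s.ir_exceeds_elevation:
        level = 4
    return level


def describe(s: ScreeningInput) -> str:
    lvl = triggered_level(s)
    return f"LEVEL {lvl}: {LEVELS[lvl]}"


if __name__ == "__main__":
    # Constructed sample cases; the numbers are illustrative, not from any real plant.
    cases = {
        "small storage change": ScreeningInput(fei=45, cei_erpg2_at_fence=False, lopa_target_factor=3),
        "flammable reactor": ScreeningInput(fei=132, cei_erpg2_at_fence=False, lopa_target_factor=5),
        "gap after LOPA": ScreeningInput(fei=95, cei_erpg2_at_fence=True, lopa_target_factor=7,
                                         protection_gap=1),
        "off-site IR contour": ScreeningInput(fei=140, cei_erpg2_at_fence=True, lopa_target_factor=8,
                                              protection_gap=2, ir_exceeds_elevation=True),
    }
    for name, case in cases.items():
        print(f"{name:22s} -> {describe(case)}")
```

The point of encoding the triggers is auditability: a reviewer can see why a case stopped at Level 2, and a change to a threshold is a one-line, reviewable edit rather than a judgement made differently at each site.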

[Diagram: the four levels in sequence. Level 1: PROCESS HAZARD ANALYSIS; Level 2: RISK REVIEW; Level 3: ENHANCED RISK REVIEW; L4: QRA.]

Applied to what?

- Existing Operations
- New Projects
- Mergers and Acquisitions (partial and with a sub set)
- Contracted out operations

Contracted out operations

- New product scale up
- Synthesis steps carried by companies with appropriate expertise, e.g. Complex Grignard, Nitrations etc.
- Formulation and packing of Agricultural, pharmaceutical and domestic products
- Have a special programme, for example QAIS by Dow Agrosciences (see later)

A means for Business Leaders to make informed risk decisions

Outputs of the Process Risk Management System are made available to the appropriate level of leadership for decisions:
- When major projects are considered
- Periodically (e.g. every 3-5 years) for existing operations
- At Due Diligence before Mergers and Acquisitions

Who makes risk decisions?

Everyone, but according to a hierarchy based on the consequence or risk of potential incidents. Using the scheme from the next slide:
- Operations Manager makes decisions at lower left
- Business leader or Vice President makes decisions in the middle band
- CEO's Director Level Management Board makes decisions on the highest risk issues

Typical Governance Risk Elevation Criteria

[Chart: F-N plot. Vertical axis: Frequency of N or more Serious Injuries, from 1.E-02 down to 1.E-12 per year; horizontal axis: (N) Number of Potential Fatalities, 1 to 10,000. Two lines divide the plot: above the Corporate Governance Elevation Criteria line, corporate leadership make decisions; between that line and the Business Elevation Criteria line, business leadership decides; below the Business line, operations leaders take decisions on risk.]

Example 1:

Operations Manager reviews a project which indicates a predicted risk of a single fatality at a frequency of 2.5 E-07 (i.e. 2.5 chances every 10 million years).
The company governance criteria indicate that the Operations Manager can make this decision on his own authority, and check:
The local Government regulator requirements are shown in the next slide: they indicate the risk is broadly acceptable.

Example 2:

Operations Manager reviews a project which indicates a predicted risk of a single fatality at a frequency of 7.1 E-06 (i.e. 7.1 chances every 1 million years).
The company governance criteria indicate that the Operations Manager cannot make this decision on his own authority.
Business leadership must decide: accept, or provide resources to reduce risk, or abandon the project.
The local Government regulator requirements are shown in the next slide: they indicate the risk is broadly acceptable.

Example 3:

Operations Manager reviews a project which indicates a predicted risk of 8 fatalities at a frequency of 2.1 E-05 (i.e. 21 chances every 1,000,000 years).
The company governance criteria indicate that the Operations Manager cannot make this decision on his own authority.
Business leadership cannot decide.
The Executive Board of the company must decide: accept, or provide resources to reduce risk, or abandon the project.
The local Government regulator requirements are shown in the next slide: they indicate the risk is tolerable if ALARP.

U.K. regulator risk: From Buncefield LOPA Guidance Dec 2009

Likelihood of n fatalities from a tank explosion, per tank per year, and the resulting risk tolerability:

Frequency (per tank per year) | n = 1              | n = 2-10           | n = 11-50
10^-4/yr - 10^-5/yr           | Tolerable if ALARP | Tolerable if ALARP | Tolerable if ALARP
10^-5/yr - 10^-6/yr           | Broadly acceptable | Tolerable if ALARP | Tolerable if ALARP
10^-6/yr - 10^-7/yr           | Broadly acceptable | Broadly acceptable | Tolerable if ALARP
10^-7/yr - 10^-8/yr           | Broadly acceptable | Broadly acceptable | Broadly acceptable

Table 2 Risk matrix for scenario-based safety assessments
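The three worked examples and the regulator's matrix above are two separate lookups on the same (N, frequency) pair: the company's elevation criteria say who may decide, the regulator's matrix says whether the risk is acceptable at all. The code below is an added example, not from the slides, Dow or the HSE guidance. The two elevation lines are ASSUMED F-N criteria (business line 1e-6/N per year, corporate line 1e-5/N per year), chosen only so that the three examples come out as the slides state; the chart gives the shape but not the numbers, so substitute your own company's criteria. The matrix rows and columns are those of Table 2 above.

```python
"""Added example: route a predicted risk to its decision level and read the
regulator's tolerability off the Buncefield LOPA guidance risk matrix.

Not code from the slides. BUSINESS_LINE and CORPORATE_LINE are assumed F-N
criteria picked to reproduce the slide's three examples; the matrix cells
are Table 2 as reproduced on the slide.
"""

# Assumed elevation criteria, expressed as frequency-of-N-fatalities lines of the form c / N.
BUSINESS_LINE = 1e-6    # above 1e-6 / N per year the operations manager cannot decide alone
CORPORATE_LINE = 1e-5   # above 1e-5 / N per year only the executive board can decide


def decision_level(fatalities: int, frequency_per_year: float) -> str:
    """Who decides on a scenario with N fatalities at the given frequency."""
    if fatalities < 1 or frequency_per_year <= 0:
        raise ValueError("need N >= 1 and a positive frequency")
    if frequency_per_year > CORPORATE_LINE / fatalities:
        return "executive board"
    if frequency_per_year > BUSINESS_LINE / fatalities:
        return "business leadership"
    return "operations manager"


# Buncefield LOPA guidance Table 2 (per tank per year). Each row: (upper bound, exclusive;
# lower bound, inclusive; cells for n = 1, n = 2-10, n = 11-50).
_MATRIX = [
    (1e-4, 1e-5, ("Tolerable if ALARP", "Tolerable if ALARP", "Tolerable if ALARP")),
    (1e-5, 1e-6, ("Broadly acceptable", "Tolerable if ALARP", "Tolerable if ALARP")),
    (1e-6, 1e-7, ("Broadly acceptable", "Broadly acceptable", "Tolerable if ALARP")),
    (1e-7, 1e-8, ("Broadly acceptable", "Broadly acceptable", "Broadly acceptable")),
]


def _column(fatalities: int):
    if fatalities == 1:
        return 0
    if 2 <= fatalities <= 10:
        return 1
    if 11 <= fatalities <= 50:
        return 2
    return None   # the table stops at 50 fatalities


def tolerability(fatalities: int, frequency_per_year: float) -> str:
    """Regulator's verdict from Table 2, or 'outside table' when the pair is not covered
    (more than 50 fatalities, above 1e-4/yr or below 1e-8/yr)."""
    col = _column(fatalities)
    if col is None:
        return "outside table"
    for upper, lower, cells in _MATRIX:
        if lower <= frequency_per_year < upper:
            return cells[col]
    return "outside table"


def review(fatalities: int, frequency_per_year: float) -> tuple:
    """Both verdicts for one scenario, as the examples on the slides present them."""
    return decision_level(fatalities, frequency_per_year), tolerability(fatalities, frequency_per_year)


if __name__ == "__main__":
    # The three examples from the slides.
    for n, f in ((1, 2.5e-7), (1, 7.1e-6), (8, 2.1e-5)):
        who, verdict = review(n, f)
        print(f"N={n:2d} at {f:.1e}/yr -> decided by {who}; regulator: {verdict}")
```

Note that the two answers are independent: Example 2 is broadly acceptable to the regulator yet still escalates to business leadership under the company's own criteria, which is exactly the "more demanding than the law" stance the earlier slides argue for.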

ALARP? As Low as Reasonably Practicable

- Risk is managed to a level where any further risk reduction cannot be justified based on a cost/benefit analysis.
- If Cost is grossly disproportionate to benefit, risk reduction is not justified
- Test of gross disproportion is in the hands of courts to decide but some guidance is available: discuss..

So what is achieved?

- Risk is assessed and understood in detail by the Operations Manager and his team
- Risk levels are managed at an appropriate level
- Risk is communicated to the top Management so that they can understand what they are accountable for, whether they can accept it or take further action.

Process Safety Management - Where we have failed

The worst events

Bhopal
- More than 6000 people killed
- People still suffering 25 years later
- Large release of Methyl Isocyanate during runaway reaction with water
- Cooling system was disabled because of running cost
- Scrubber system not operational
- Flare system too small
- People living close to facility fence: no control of building

Link to Bhopal video

Bhopal
- Operated by Union Carbide India
- Prosecution in Indian Courts
- Settlement of $400MM by Union Carbide
- Union Carbide was greatly affected as a company and never really recovered
- Bought out by Dow in 2001
- Site remains a problem even today

Piper Alpha

North Sea Oil and Gas rig
- Produces 10% of U.K. gas needs
- Gas leak during maintenance
- Large fire
- Production pressures
- Fire would have been made much smaller if other local rigs had been isolated
- But no, some of the burning gas was coming from other rigs
- No one wanted to provoke a major shutdown of the field
- Unsympathetic management environment
- Most rig workers died in the event

Those who obeyed the emergency plan died in the Emergency Refuge. Those who survived disobeyed the Emergency Plan and jumped into the sea.

Link to Piper Alpha video

Longford Australia - The fire burned for 2 days


Fireworks Warehouse Fire and Explosion

Link to Enschede video


Enschede Netherlands

The Enschede fireworks disaster was a catastrophic fireworks explosion occurring at the SE Fireworks depot on 13/05/2000 in the Dutch city of Enschede. The fire led to an enormous explosion which killed 23 people (including four firemen) and injured 947.[1] The biggest blast was felt up to 30 kilometres (19 mi) from the scene. SE Fireworks was a major importer of fireworks from China and supplier to pop concerts and major festive events in the Netherlands. Prior to the disaster it had a good safety record and met all safety audits.[2]

Texas City Refinery

- Texas City refinery is located 40 miles from Houston in Texas, USA
- 1600 people work at the refinery plus contractors
- It is one of the largest refineries in the USA, processing 460,000 barrels of crude oil/day, around 3% of US gasoline supplies

Texas City - The accident

- An explosion and fire occurred at the refinery's isomerization unit
- The explosion happened at 13:20 (Houston time) on March 23, 2005
- 15 people died and many more were injured
- Note: The isomerization unit boosts the octane of gasoline blendstocks.

[Diagram: Simplified block diagram of Raffinate Splitter. Labels: Feed, Feed Heat Exchanger, Furnace, Raffinate Splitter, Vent Relief system, Condensate, Bottom Product, Blowdown stack.]

[Photo: Raffinate Splitter Tower and Blowdown Drum Stack.]
What happened?

Feb. 21: Shut down part of the Isomerization unit to refresh the catalyst in the feed unit
March 22: On the night shift, the raffinate splitter was being restarted after the shutdown. The raffinate splitter is part of the Isomerization unit that distils chemicals for the Isomerization process
March 23:
- Splitter was over-filled and over-heated
- When liquid subsequently filled the overhead line the relief valves opened
- This caused excessive liquid and vapour to flow to the blowdown drum and vent at the top of the stack
- An explosion occurred which killed 15 people and injured many others

Texas City Refinery March 23, 2005

- 15 People Killed
- Many more injured
- A community devastated

[Photos: Isomerization Unit; Inside Satellite Control Room; Trailer; Isomerization Unit; Double-Wide Trailer.]

Key Issues

- Operator Inattention
- Following Procedures
- Supervisor Absence
- Communication: shift handover
- Trailers Too Close to Hazards
- Some Instrumentation Did Not Work
- Tower Level Transmitter Worked as Designed
- Abnormal Start-ups
- Investigation of Previous Incidents
- Blowdown Drum Vented Hydrocarbons to Atmosphere
- Opportunities to Replace Blowdown Drum
- Evaluation of Connection to Flare

BP incident investigation team reports

The Interim Report identified 4 critical factors; the Final Report confirmed the critical factors and identified underlying cultural issues:

CRITICAL FACTORS:
- Start-up procedures and management oversight
- Loss of containment
- Design and engineering of blowdown unit
- Control of work and trailer siting

UNDERLYING CULTURE:
- Insufficient business context
- Safety as a priority
- Organizational complexity
- Inability to see risk
- Lack of early warning indicators

Underlying Cultural Issues

Business Context: Motivation; Morale; PAS Score
(Process) Safety as a Priority: Emphasis on Environment and Occupational Safety
Organizational Complexity & Capability: Investment in People; Layers and Span of Control; Communication
Inability to See Risk: Hazard Identification Skills; Understanding of Process Safety; Facility Siting; Vehicles
Lack of Early Warning: Depth of Audit; KPIs for Process Safety; Sharing of Learning / Ideas
Reminder of the Swiss Cheese Model

[Diagram: a Hazard passes through a series of Protective Barriers; each barrier has Weaknesses or Holes; where the holes line up the result is an Accident.]

- Hazards are contained by multiple protective barriers
- Barriers may have weaknesses or holes
- When holes align hazard energy is released, resulting in the potential for harm
- Barriers may be physical engineered containment or behavioral controls dependent on people
- Holes can be latent/incipient, or actively opened by people
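The Swiss cheese picture becomes a number once each barrier is given a probability of failure on demand (PFD), the fraction of its surface that is "hole": the outcome frequency is the initiating event frequency times the product of the PFDs, which is the arithmetic LOPA is built on. The code below is an added example, not from the slides; the initiating frequency and all PFD values are constructed, and the common-cause term (one latent condition that opens holes in several barriers at once, so their holes are no longer independent) is this example's own extension of the slide's "holes can be latent" point, included because it is the failure mode that makes a stack of barriers look far stronger on paper than it is.

```python
"""Added example: the Swiss cheese model as a calculation, with and without a
shared latent hole.

Not code from the slides. All PFD values, the initiating frequency and the
common-cause probability are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Barrier:
    name: str
    pfd: float                          # probability of failure on demand (size of its holes)
    kind: str = "engineered"            # "engineered" containment or "behavioural" control
    shared_hole: Optional[str] = None   # latent common-cause condition shared with other barriers


def independent_outcome_frequency(initiating_freq: float, barriers: List[Barrier]) -> float:
    """Outcome frequency per year when every barrier's holes are independent:
    initiating frequency times the product of the PFDs."""
    f = initiating_freq
    for b in barriers:
        f *= b.pfd
    return f


def common_cause_outcome_frequency(initiating_freq: float, barriers: List[Barrier],
                                   shared_prob: Dict[str, float]) -> float:
    """Outcome frequency when some barriers share a latent hole.

    For each group of barriers sharing condition c (present with probability
    shared_prob[c]) the whole group fails together when c is present and
    independently otherwise:
        P(group fails) = p_c + (1 - p_c) * product(pfd_i)
    Barriers without a shared hole keep their own PFD.
    """
    groups: Dict[str, List[Barrier]] = defaultdict(list)
    f = initiating_freq
    for b in barriers:
        if b.shared_hole is None:
            f *= b.pfd
        else:
            groups[b.shared_hole].append(b)
    for cond, members in groups.items():
        p = shared_prob[cond]
        prod = 1.0
        for b in members:
            prod *= b.pfd
        f *= p + (1.0 - p) * prod
    return f


# Constructed scenario loosely modelled on a tank-overfill case: the initiating event is
# "filling continues past the intended level", taken here as about once in ten years.
INITIATING_FREQ = 0.1
BARRIERS = [
    Barrier("operator watches level during filling", 0.1, "behavioural"),
    Barrier("servo level gauge / ATG alarm", 0.1, "engineered", shared_hole="neglected maintenance"),
    Barrier("independent high-high level trip", 0.01, "engineered", shared_hole="neglected maintenance"),
]
SHARED_PROB = {"neglected maintenance": 0.05}   # constructed: 5% chance the latent hole is open


def degradation_factor() -> float:
    """How many times more often the outcome occurs once the shared hole is modelled."""
    return (common_cause_outcome_frequency(INITIATING_FREQ, BARRIERS, SHARED_PROB)
            / independent_outcome_frequency(INITIATING_FREQ, BARRIERS))


if __name__ == "__main__":
    print(f"independent barriers : {independent_outcome_frequency(INITIATING_FREQ, BARRIERS):.2e} /yr")
    print(f"with shared hole     : "
          f"{common_cause_outcome_frequency(INITIATING_FREQ, BARRIERS, SHARED_PROB):.2e} /yr")
    print(f"degradation factor   : {degradation_factor():.1f}x")
```

With these constructed values the independent calculation gives 1e-5 per year, while a 5% chance that one maintenance lapse defeats both the gauge and the trip raises it to about 5.1e-4 per year, some fifty times worse. That is the practical lesson of the model: a claimed barrier only counts if its holes are independent of the others', and an audit that checks each barrier in isolation cannot see the shared hole.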

A brief look at the Buncefield fuel terminal accident in the U.K.

December 11, 2005
- Terminal fed by pipeline with gasoline
- Tank 912 filling at > 500 M3 per hour
- Level indicator being used by operators to manage level in tank stopped working
- Operators did not observe that level indicator was frozen
- Level in tank increased until the level alarm and high level shut off should occur
- High Level shut off system failed
- Tank overflowed at >500 M3 per hour for 40 minutes
- 250000 M3 Vapour cloud formed
- Vapour cloud ignited
- Local buildings on and off site (neighbour) buildings seriously damaged by explosion
- Fires burned for several days (largest fire in Europe for 60 years)
- Neighbours evacuated

Emerging consequences of the Buncefield Fire and Explosion

- Fire and Explosion to be illustrated later in this course
- No one was killed
- No one was injured

Emerging consequences of the Buncefield Fire and Explosion

- Legal action against the operating companies
- Legal action against the manufacturers of equipment which failed to operate correctly
- Changes to land use planning laws
- Extremely Large remediation cost at Buncefield
- Large costs at all other similar operations

The Buncefield Fuel Storage facility

- Fed by refinery pipelines from different locations.
- Feeding users including Heathrow Airport via road and distribution lines

[Diagram: Tank T912 (Gasoline, internal floating roof, vented ullage, atmospheric vents). Labels: Servo level indicator (ATG), Access hatch for dipping, Funnel for dip, Independent level switch (high-high), In/out.]

1) Fuel cascaded down the tank and formed a rich fuel/air mix, which collected in dike A
2) CCTV footage showed vapour flowing out of dike A from 0538. The cloud was initially about 1m deep, but thickened to 2m.

Link to Buncefield video

Environmental Effects to Air

Explosion overpressure effects on neighbour buildings: Safety implications!

Large costs at all other similar operations

Studies at other terminals reveal investment needs:
- Overflow prevention
- Risk Assessment with new knowledge
- Secondary and Tertiary Containment
- Management Systems
- Emergency Planning

It is quite normal to require >$5MM

Remember: these other locations did not experience an accident, but they are required to do the work and spend the money


Let us look at the Longford Accident and the recommendations made, many of which seem to have been missed by the industry.

The Esso Longford Accident 1998

[Map: the location in Australia]

The Accident

The ESSO Longford explosion occurred in September 1998 when a heat exchanger (GP 905) ruptured and approximately 10000 kg of flammables released and an explosion occurred. There was a large release of liquefied gas which formed a cloud which drifted to the fired furnaces in the facility. This released gas was ignited and a second explosion occurred.

[Photos: The furnaces; The fire progresses; The site; The fire burned for 2 days; The scene afterwards.]

Built in 1969, the plant at Longford is the onshore receiving point for oil and natural gas output from production platforms in the Bass Strait. The Longford Gas Plant Complex consists of three gas processing plants and one crude oil stabilisation plant. It was the primary provider of natural gas to Victoria, and provided some supply to New South Wales.

The feed from the Bass Strait platforms consists of liquid and gaseous hydrocarbons, water (H2O) and hydrogen sulfide (H2S). The water and H2S are removed before reaching the plant, leaving a hydrocarbon stream to be the feed to Gas Plant 1. This stream contained both gaseous and liquid components. The liquid component was known as "condensate". The LPG is further extracted by means of a shell and tube heat exchanger, in which heated "lean oil" and cold "rich oil" (oil which has absorbed LPG) are pumped into the exchanger, cooling the lean oil and heating the rich oil.

During the morning of Friday 25 September 1998, a pump supplying heated lean oil to heat exchanger GP905 in Gas Plant No. 1 went offline for four hours, due to an increase in flow from the Marlin Gas Field which caused an overflow of condensate in the absorber.

Temperatures throughout GP905 normally ranged from 60 C to 230 C. Investigators estimated that, due to the failure of the lean oil pump, parts of GP905 experienced temperatures as low as -48 C. Ice had formed on the unit, and it was decided to resume pumping heated lean oil in to thaw it. When the lean oil pump resumed operation, it pumped oil into the heat exchanger at 230 C; the temperature differential caused a brittle fracture in the exchanger (GP905) at 12.26pm.

About 10 metric tonnes of hydrocarbon vapour were immediately vented from the rupture. A vapour cloud formed and drifted downwind. When it reached a set of heaters 170 metres away, it ignited. This caused a deflagration. The flame front burnt its way through the vapour cloud, without causing an explosion. When the flame front reached the rupture in the heat exchanger, a fierce jet fire developed that lasted for two days.

Peter Wilson and John Lowery were killed in the accident and eight others were injured.

Findings from the Royal Commission investigation

- the Longford plant was poorly designed, and made isolation of dangerous vapours and materials very difficult;
- inadequate training of personnel in normal operating procedures of a hazardous process;
- excessive alarm and warning systems had caused workers to become desensitised to possible hazardous occurrences;
- the relocation of plant engineers to Melbourne had reduced the quality of supervision at the plant;
- poor communication between shifts meant that the pump shutdown was not communicated to the following shift.

- the company had neglected to commission a HAZOP (HAZard and OPerability) analysis of the heat exchange system, which would almost certainly have highlighted the risk of tank rupture caused by sudden temperature change;
- Esso's two-tiered reporting system (from operators to supervisors to management) meant that certain warning signs such as a previous similar incident (on 28 August) were not reported to the appropriate parties;
- the company's "safety culture" was more oriented towards preventing lost time due to accidents or injuries, rather than protection of workers and their health.

Inherently Safer Design Principles

INHERENT SAFETY

- What is inherent safety?
- What are the principles of inherent safety?
- How can we apply the principles of inherent safety?

INHERENT SAFETY PRINCIPLES

MINIMIZE the amount of hazardous material that is in use.

SUBSTITUTE less hazardous materials and processes wherever possible.

MODERATE the process conditions of the hazardous materials.

SIMPLIFY the equipment and processes that are used.

Remember to make changes early: Preliminary Hazard Analysis (PHA) would be a good time.


PSM Elements Selected for IS Incorporation

- Process Risk Management
- Management of Change
- Process and Equipment Integrity
- Human Factors
- Training and Performance
- Incident Investigation
- Standards, Codes and Regulations

Measuring the degree of Inherently Safer Design: Use of the Dow Fire and Explosion Index

The Use of Fire and Explosion Index as a measure of Inherent Safety

Richard Gowland

The impact of Inherent safety on me

- Common sense
- Given relevance and brought to reality by Trevor Kletz
- Probably not fully exploited by industry

What did we already do in support of Inherently Safer Process Design? (the green shoots)

- Internal Guidance for Process Engineers
- Fire and Explosion Index
- Process Risk management

Effect of Process Risk Management

[Chart: Trend of Fire and Explosion Index in Dow Europe, 1991 to 1995; two series, F.&E.I. (max) and F.&E.I. (ave); vertical axis 0-300. Callout: Higher F.&E.I. = More work for Plant people to do!]

Why were Fire and Explosion Indexes reducing?

- Higher Indexes required Hazop studies and other more taxing work; designers responded by reducing risk and the consequent work load
- New plant projects were being examined to minimise Fire and Explosion Index
- Technology with hardware and software were making advances

Relationship between F.&E.I. and Inherent Safety?

- Trend was occurring
- Related to Process Risk Management
- Direct or Indirect effect?
- Installations becoming inherently safer?

(Chart repeated: F.&E.I. (max) and F.&E.I. (ave), 0-300 scale, 1991, 1993 and 1995.)

Almost certainly - YES

Inherent Safety effect on the fire and Explosion Index.

MATERIAL FACTOR: derived from the intrinsic rate of potential energy release from fire or explosion or Chemical Reaction. Uses the NFPA indexes for Flammability and Reactivity.

Inherently safer material - lower MATERIAL FACTOR

Substitute?

Inherent Safety effect on the fire and Explosion Index.

Type of Reaction
- Exotherm, Hydrolysis, nitration etc
- Endotherm

Varying penalties
Can you Attenuate/Moderate?

Inherent Safety effect on the fire and Explosion Index.

MATERIAL HANDLING AND TRANSFER

e.g. Hoses, drums, Tankers, Connect Disconnect - Leaks

Inherent Safety effect on the fire and Explosion Index.

INDOOR or ENCLOSED units attract Higher Penalties

Inherent Safety effect on the fire and Explosion Index

ACCESS for Emergency Purposes

Inherent Safety effect on the fire and Explosion Index

DRAINAGE

What if a spill OR Fire Water don't drain safely?

Inherent Safety effect on the fire and Explosion Index

TOXIC MATERIALS

- Effect on operators
- Effect on neighbours
- Effect on Environment
- Effect on emergency response
i.e. SUBSTITUTE
Inherent Safety effect on the fire and Explosion Index

Use of Vacuum

- Penalty for vacuum (possible air leak into process)
Can you Attenuate/Moderate the process?

Inherent Safety effect on the fire and Explosion Index

Operation near Flammable Range

- attenuate or moderate processing conditions and lower the penalty !!

Inherent Safety effect on the fire and Explosion Index

Dust Explosion:
Reduce penalty by:
Increasing particle size or
handling in alternative form
SUBSTITUTE?
Inherent Safety effect on the fire and Explosion Index

Relief Pressure

Moderate the process pressure and lower the penalty

Inherent Safety effect on the fire and Explosion Index

Hazardous Inventory in process or storage

Lower the penalty by Minimising the Quantity of hazardous material

Inherent Safety effect on the fire and Explosion Index

Hardware selection:
- seal-less pumps and agitators
- Double walled pipes
- Improved Technology
- Avoidance of Knock on effects by using the index to give plant layout.

Example of a Progressive Safety Management System

Requirements within a Process Risk Management System (example)

Levels 1 - 4
Summary diagram

Summary diagram of a progressive system adjusted for typical ops

LEVEL 1: PROCESS HAZARDS ANALYSIS
Triggers: All plants, significant projects and changes
- Fire & Explosion Index (FEI)
- Chemical Exposure Index (CEI)
- Credible case scenarios and lines of defence (with frequency or LOPA target factors).
- Worst case scenarios and relationship to Emergency Plan
- Explosion Impact (Building Overpressure) evaluation*
- PHA Questionnaire

LEVEL 2: RISK REVIEW
Triggers: F&EI >= 110 or CEI = ERPG2 at fence line, LOPA Target Factor to be defined (check output from Level 1) e.g. fatality at freq > governance criteria
- Cause-Consequence pair Identification* e.g. bow tie
- HAZOP
- LOPA
- Structured Hazard Analysis (Fault Tree analysis*, FMEA, Checklist, etc.); triggers: LOPA Target >= 6 or LOPA inappropriate.

LEVEL 3: ENHANCED RISK REVIEW
Triggers: LOPA Protection Gap > 0 i.e. not meeting governance criteria
- Advanced LOPA
- More accurate Dose considerations e.g. AEGLs or AETLs
- Screen for QRA*

LEVEL 4: QUANTITATIVE RISK ASSESSMENT
Triggers: Individual Risk contours in off-site population exceed Business Governance Elevation Criteria
- Combination of Consequence Analysis, Frequency of Impact
- Focuses on highest risk activities

Examples of Requirements within Process Safety Management system (1)

The Risk Evaluation elements of the Process Risk Management Standard shall be applied to all:
- existing facilities,
- new projects,
- significant modifications and
- acquisitions (If possible during Due Diligence but in all cases within 6 months of acquisition).

Examples of Requirements within Process Safety Management system (2)

A Process Hazard Analysis (PHA) shall be created. It shall contain:

Risk Evaluation
- Progressive risk studies linking depth of study to severity of potential consequences (The PSM)
- Use of tools described in the PSM
- Reference to process description, process flow diagrams, piping and instrument diagrams
- The Chemistry for the process, including: Chemical reaction hazards of the process itself and the materials involved (compatibility, incompatibility, thermal stability, side reactions, shock sensitivity, pyrophoric potential, catalysts and inhibitors)

Examples of Requirements within Process Safety Management system (3)

- Reference to safe operating envelope for the process
- Identification of worst case scenarios
- Reference to all hazard and risk studies carried out for the facility (e.g. HAZOP, What if, Quantitative Risk Assessment etc.)
- Consequence modelling (e.g. overpressure from explosions effects on occupied buildings, thermal radiation from fire, delayed ignition, toxic vapour dispersion)
- Consequence descriptions (on site and off site)
- Potential for domino effects

Examples of Requirements within Process Safety Management system (4)

- Safety Instrumented Systems in process control (Determination, evaluation and management)
- Design basis (scenario etc.) for relief systems
- Relief systems management
- Hazardous Area classification system (Risk Assessment, Hazardous Zone decisions and plot plans),
- Training
- Gap assessment versus standards and requirements
- Comparison of results with company risk governance criteria
- Communication process for risk levels to be accepted at appropriate leadership levels

Examples of Requirements within Process Safety Management system (5)

A Process Hazard Analysis shall be required for a facility whenever the Production Manager is changed. (part of Management of Change)

All newly acquired facilities shall have their PHA and supporting documentation in place within 6 months of completion of the acquisition process.

Each facility shall use the corporate Incident Reporting Database for recording and retrieving information related to Process Safety. (based on American Chemistry Council criteria?)

SIMPLIFIED RISK MANAGEMENT PROCESS (FIGURE 1, flowchart)

DETERMINE RISK REVIEW REQUIREMENTS (WHEN & WHO)
IDENTIFY HAZARDS (WHAT)
Analyze/Assess RISK
IS RISK TOLERABLE?
- YES: MANAGE RESIDUAL RISK
- NO: CAN RISK BE REDUCED?
  - YES: REDUCE RISK (& HOW)
  - NO: DISCONTINUE ACTIVITY

Level 1

Applied to ALL facilities, projects and acquisitions AND repeated within 90 days of a change in Plant Superintendent

Content/Scope
- Fire and Explosion Index
- Chemical Exposure Index
- Occupied Buildings exposed to explosion
- Worst Case
- Credible scenarios (ranking in severity)
- PHA questionnaire and follow up

Tools for estimating or ranking consequences

- Fire and Explosion Index: a semi quantitative measure of hazard from fire and explosion (This method is included in Italian and Netherlands and Australian rules NOHSC:2016(1996))
- TNO multi energy pressure calculation and UKHSE guidance on explosion effects on occupied buildings
- Chemical Exposure Index: a quick means to determine the distance a hazardous cloud will drift from a point source release based on credible scenarios. This method is included in Italian and Australian standards (NOHSC:2016(1996))
- EPA RMP dispersion: a quick means of determining the distance a hazardous cloud will drift from a point source release based on worst case scenarios (all inventory lost in 10 minutes) used primarily for Emergency Planning

Suggested criteria to elevate from level 1 Risk Analysis

a) Fire and Explosion Index (F&EI) >= 110*
b) Chemical Exposure Index (CEI): ERPG 2* outside fence-line
c) Occupied Building Explosion exposure analysis indicates a frequency of serious injury >= 1e-04
d) Qualitative estimate of worst case scenario predicts possible fatality off site or on site at a frequency > company risk governance criteria

WHY?
a) F&EI = 110 is the historic number for the Netherlands regulator
b) ERPG 2 at fence line mimics existing German requirements
c) UKHSE and Chemical Industry Association criteria
d) If there is an obvious hazard in this context, don't ignore it

Level 2 risk review

HAZOP study or What If or FMEA
These establish the causes for the consequences already developed in level 1
List causes and lines of defence from above studies

Output of above feeds into LOPA

Estimate frequency of the consequences after considering the effectiveness of lines of defence (use fault trees if needed or Layer of Protection Analysis (LOPA))
Compare with predetermined company criteria

Tools include standard for HAZOP and Layer of Protection Analysis (LOPA)

Suggested criteria to elevate from level 2 Risk Analysis

- Predicted frequencies of events exceed company or legal criteria (individual or societal risk) even when the lines of defence (and any new ones planned) are allowed for
- Doubt about scale of effects may require more accurate consequence modelling and/or specific fault tree analysis
- LOPA proves inconclusive

Level 3

- (relatively) more complex consequence analysis e.g. PHAST (DNV) gas dispersion
- Advanced LOPA
- Fault Tree

Outcome should be a greater degree of confidence in the consequence and frequency and its position with respect to company risk governance criteria

Suggested criteria to elevate from level 3 Risk Analysis (a repeat of earlier suggestions)

- Predicted frequencies of events exceed company or legal criteria (individual or societal risk) even when the lines of defence (and any new ones planned) are allowed for
- Doubt about scale of effects may require more accurate consequence modelling and/or specific fault tree analysis

Level 4

QRA (to an agreed and consistent methodology - also restrict to priority scenarios)
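Added example, not code from the deck or from Dow: a Python decision function that applies the level 1 to 4 elevation triggers listed above to a constructed facility record, returning the level the facility must be taken to and the reasons. The governance criterion values, the data class names and the sample facility figures are assumptions made for illustration.

```python
"""Progressive risk review: which level (1-4) a facility must be taken to.

Added example. It encodes the elevation triggers from the slides:
Level 1 -> 2 on F&EI >= 110, CEI at ERPG 2 outside the fence line, occupied
building serious-injury frequency >= 1e-4 /yr, or a worst case fatality more
frequent than the governance criterion; Level 2 -> 3 on a LOPA protection
gap > 0; Level 3 -> 4 when off-site individual risk exceeds the business
elevation criterion. Governance values and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Governance:
    """Company risk governance criteria (values assumed for illustration)."""
    fatality_freq: float = 1e-5         # /yr, tolerable worst case fatality frequency
    offsite_ir_elevation: float = 1e-6  # /yr, individual risk contour that elevates to QRA
    building_injury_freq: float = 1e-4  # /yr, UKHSE / CIA criterion quoted on the slides


@dataclass
class Level1:
    """Outputs of the Level 1 Process Hazard Analysis."""
    fei: float                                 # Fire and Explosion Index
    cei_erpg2_outside_fence: bool              # CEI: ERPG 2 reached outside fence line
    building_injury_freq: float                # /yr, occupied building explosion exposure
    worst_case_fatality_freq: Optional[float]  # /yr, None if no credible fatality


@dataclass
class Level2:
    """Outputs of the Level 2 Risk Review (HAZOP / What If / FMEA feeding LOPA)."""
    lopa_target_factor: int   # orders of magnitude of risk reduction required
    lopa_appropriate: bool    # False when LOPA cannot represent the scenario
    protection_gap: int       # target factor minus credited layers; > 0 means a gap


@dataclass
class Level3:
    """Outputs of the Level 3 Enhanced Risk Review (advanced LOPA, fault tree)."""
    offsite_individual_risk: float  # /yr at the most exposed off-site location


def required_level(l1: Level1, gov: Governance,
                   l2: Optional[Level2] = None,
                   l3: Optional[Level3] = None) -> Tuple[int, List[str]]:
    """Return (level, reasons). Higher-level results are only consulted once the
    lower level has been triggered, mirroring the progressive system."""
    reasons: List[str] = []

    # Level 1 -> Level 2 triggers (criteria a to d on the slides)
    if l1.fei >= 110:
        reasons.append("F&EI >= 110 (historic Netherlands regulator number)")
    if l1.cei_erpg2_outside_fence:
        reasons.append("CEI: ERPG 2 outside fence line (mimics German requirement)")
    if l1.building_injury_freq >= gov.building_injury_freq:
        reasons.append("occupied building serious injury frequency >= 1e-4 /yr")
    if (l1.worst_case_fatality_freq is not None
            and l1.worst_case_fatality_freq > gov.fatality_freq):
        reasons.append("worst case fatality more frequent than governance criterion")
    if not reasons:
        return 1, reasons
    level = 2

    if l2 is not None:
        # Within Level 2: structured hazard analysis when LOPA alone is not enough
        if l2.lopa_target_factor >= 6 or not l2.lopa_appropriate:
            reasons.append("structured hazard analysis required (fault tree, FMEA, checklist)")
        # Level 2 -> Level 3: a protection gap means governance criteria are not met
        if l2.protection_gap > 0:
            reasons.append(f"LOPA protection gap of {l2.protection_gap} order(s) of magnitude")
            level = 3

    if level == 3 and l3 is not None:
        # Level 3 -> Level 4: individual risk contours in the off-site population
        if l3.offsite_individual_risk > gov.offsite_ir_elevation:
            reasons.append("off-site individual risk exceeds business elevation criterion")
            level = 4

    return level, reasons


# Constructed sample facility (assumed figures): flammable storage with an
# off-site toxic cloud, assessed through the levels in sequence.
SAMPLE_L1 = Level1(fei=128.0, cei_erpg2_outside_fence=True,
                   building_injury_freq=2e-5, worst_case_fatality_freq=3e-5)
SAMPLE_L2 = Level2(lopa_target_factor=6, lopa_appropriate=True, protection_gap=1)
SAMPLE_L3 = Level3(offsite_individual_risk=4e-6)

if __name__ == "__main__":
    lvl, why = required_level(SAMPLE_L1, Governance(), SAMPLE_L2, SAMPLE_L3)
    print(f"Required level: {lvl}")
    for r in why:
        print(" -", r)
```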


Summary diagram of a progressive system adjusted for typical ops (who carries out each level)

Level 1: PROCESS HAZARD ANALYSIS
By Plant based people and validated by Process safety expertise

Level 2: RISK REVIEW
By Plant based people with Process Safety expertise help

Level 3: ENHANCED RISK REVIEW
By Process Safety expertise with Plant based people help

L4: QRA
By Process Safety expertise with Plant based people help

Process Hazard Analysis (PHA)

Requirements within a Process Risk Management System (example)

Levels 1 - 4
Summary diagram


Detail of PHA

Protocol
Questionnaire as guidance on what matters:
Hazardous Scenario Identification through analysis of the process including hazards from
- Fire,
- Explosion,
- Reactive Chemicals
Analysis of unit operations e.g.:
- Storage
- Reactors
- Distillation
- Heat Exchangers
- Pumps
- ..

PHA

- Description of HAZARD I.D. (HAZOP etc.)
- Consequence estimation, e.g. Fire, Explosion, Toxic release
- Description of Risk Assessments, LOPA etc.
- Description of key preventive measures e.g. Safety Critical Systems

Typically in questionnaire (show PHA workbook example)

PHA

By multi disciplined team to protocol example
On a cycle of 3-5 years

Protocol for Process Hazard Analysis Review sessions:

1. Introduction.
Process Hazard Analysis (PHA) is one of the basic requirements within the Process Risk management Standard. This review is carried out periodically for existing facilities according to the schedule laid down in the Process Risk management Standard, during Capital Projects and within 90 days of a change of Production Manager*.

2. The PHA Review.
When it is carried out according to the standard the following team is assembled for the Review session:
- Production Manager for the facility
- Process Control (and operating program) Specialist for the facility
- Production Engineer
- Operator
- Plant Process Safety Representative
- Technical Support Specialist
- Site HSEC Specialist
- Session recorder for team observations and review outcomes and actions.

For all facilities, the following Operational information shall be available in the facility at the Review:
All information held in the General and Process Safety library of the facility:
- Process Description
- Process Flow Diagrams
- Worst Case and Most probable Case scenarios
- PHA questionnaire(s)
- Fire and Explosion Index
- Chemical Exposure Index
- Explosion Impact Analysis for Occupied Buildings
- Electrical Area Classification plot plan
- Safe Operating procedures
- Key critical control parameters (Critical Process Variables)
- Piping and Instrument Diagrams (P&IDs)
- Material Safety Data Sheets (MSDSs)
- Process Safety Incidents and Accidents
- Facility Emergency Response Plans

If the facility qualifies for Level 2 Risk Review, the information relating to Layer of Protection Analysis and other procedures required by the Process Safety Management Standard should also be available (e.g. HAZOP studies).

The Review is led by the Production Manager for the facility.
It would be normal for some members of the team to be unfamiliar with detailed operations on the facility, therefore a plant tour is advised to ensure that the whole review team can relate the process description to the physical equipment and the plant itself.
The Review is:
- presentation of the Process Flow Diagram
- explanation of the process description.
- explanation of the Worst case and Most probable credible scenarios and lines of defence
- focused discussion on each section of the PHA questionnaire, with the team gaining an understanding of the reasoning behind the answers and explanations.
Recording of the team's observations for follow up.

*Note that when a New Production Manager Review takes place, the periodic review schedule re-starts. This is to take the full benefit of the review and to avoid repetition and duplication of effort.

Confined Space Entry

Confined Spaces
- Process equipment: Vessels, columns, reactors, mixers, tanks etc.
- Poorly ventilated areas: Containment around storage tanks, skirts of columns and vessels

Confined Space Entry

Why is entry critical?
Exposure to oxygen depleted atmosphere, toxic materials, high temperatures can result in severe injury or death

Injuries/fatalities in Confined Spaces

Injuries and fatalities involving confined spaces are frequent and often involve successive fatalities when would-be rescuers succumb to the same problem as the initial victim.
Approximately 60% of fatalities involve would-be rescuers and more than 30% of fatalities occur in a space that has been tested and found to be safe to enter.
Accidents in confined spaces present unique challenges and are often catastrophic.
In the US there are, on average, 90 fatal injuries in confined spaces per year.

Confined space
"Confined space" means a space that:
(1) Is large enough and so configured that an employee can
bodily enter and perform assigned work; and
(2) Has limited or restricted means for entry or exit (for
example, tanks, vessels, silos, storage bins, hoppers, vaults,
and pits are spaces that may have limited means of entry.); and
(3) Is not designed for continuous employee occupancy.

Confined Space
A Confined Space has the three characteristics listed before
(which define a confined space) and one or more of the
following:
Contains or has the potential to contain a hazardous atmosphere
Contains a material that has the potential for engulfing the entrant
Has an internal configuration that might cause an entrant to be
trapped by inwardly converging walls or by a floor that slopes
downward and tapers to a smaller cross section
Has the potential for oxygen depletion through corrosion
Contains any other recognized serious safety or health hazards.

Confined Space Entry Procedure (1)

Notification
Rescue Procedure
Preparation
Testing
Personal Protective Equipment
Communication
Permit

Confined Space Entry Procedure (2)

Notification
Notification of the responsible persons and emergency services

Rescue procedure
Determine the need for a specific rescue procedure (such as an elevated entry)

Confined Space Entry Procedure (3)

Preparation of the equipment
- Flushing/cleaning/cooling
- Complete isolation (blinds or double block and bleed)

Blinding
Blinding means the absolute closure of a pipe, line,
or duct by the fastening of a solid plate (such as a
spectacle blind or a skillet blind) that completely
covers the bore and that is capable of withstanding
the maximum pressure of the pipe, line, or duct with
no leakage beyond the plate.

Double block and bleed

"Double block and bleed" means the closure of a line, duct, or pipe by closing and locking or tagging two in-line valves and by opening and locking or tagging a drain or vent valve in the line between the two closed valves.

Safe Entry Procedure (4)

Testing
Confirmation of a non-hazardous atmosphere (next slide) by means of a
representative sample shortly before entry
Testing and alarming during entry

Hazardous Atmosphere

"Hazardous atmosphere" means an atmosphere that may expose employees to the risk of
death, incapacitation, impairment of ability to self-rescue (that is, escape unaided from a
permit space), injury, or acute illness from one or more of the following causes:
(1) Flammable gas, vapor, or mist in excess of 10 percent of its lower flammable limit (LFL);
(2) Airborne combustible dust at a concentration that meets or exceeds its LFL;
NOTE: This concentration may be approximated as a condition in which the dust obscures
vision at a distance of 5 feet (1.52 m) or less.
(3) Atmospheric oxygen concentration below 19.5 percent or above 23.5 percent;
(4) Atmospheric concentration of any substance for which a dose or a permissible
exposure limit is published in Subpart G, Occupational Health and Environmental Control,
or in Subpart Z, Toxic and Hazardous Substances, of this Part and which could result in
employee exposure in excess of its dose or permissible exposure limit;
NOTE: An atmospheric concentration of any substance that is not capable of causing
death, incapacitation, impairment of ability to self-rescue, injury, or acute illness due to its
health effects is not covered by this provision.
(5) Any other atmospheric condition that is immediately dangerous to life/health

Safe Entry Procedure (5)

Personal Protection Equipment
- Oxygen and/or LEL monitor with alarm
- Monitor with alarm for specific material

Communication
Means of communication with outside guard as well as by guard with control room/emergency center

Safe Entry Procedure (6)

Permit
Permit that confirms the steps taken and documents the test results
Signed by all persons involved
Responsible person signs last. This is usually done at a higher level
than for Safe/Hot Work permits. Delegation only to a higher level
Maximum validity of permit. Maximum is 8 hours or less
Confirmation of Completion

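Added example, not from the original slides: a Python check that applies the hazardous atmosphere definition quoted above to a pre-entry gas test and, following the Testing and Permit steps, decides whether an entry permit may be issued and for how long. The 30-minute "shortly before entry" window, the PEL values in the sample readings and all function and class names are assumptions.

```python
"""Confined space entry: check a pre-entry gas test against the hazardous
atmosphere definition and issue (or refuse) an entry permit.

Added example. Thresholds follow the quoted definition: flammable gas above
10% of its LFL, combustible dust at or above its LFL, oxygen below 19.5% or
above 23.5%, any substance above its permissible exposure limit, or any
other IDLH condition. Permit validity is capped at 8 hours as on the permit
slide. The 30-minute test-age window and the PELs used are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_PERMIT = timedelta(hours=8)        # slide: maximum validity 8 hours or less
MAX_TEST_AGE = timedelta(minutes=30)   # assumed: "representative sample shortly before entry"


@dataclass
class GasTest:
    """One atmosphere test of the space, taken from a representative point."""
    taken_at: datetime
    oxygen_pct: float
    flammable_pct_lfl: float                 # combustible gas reading in % of LFL
    dust_at_or_above_lfl: bool = False       # e.g. dust obscures vision at 5 ft or less
    substances_ppm: Dict[str, float] = field(default_factory=dict)
    other_idlh: bool = False                 # any other condition immediately dangerous to life


def hazardous_atmosphere(test: GasTest, pels_ppm: Dict[str, float]) -> List[str]:
    """Return the clauses of the definition the test fails (empty list = not hazardous)."""
    findings: List[str] = []
    if test.flammable_pct_lfl > 10.0:
        findings.append(f"(1) flammable gas at {test.flammable_pct_lfl:.0f}% LFL, limit 10%")
    if test.dust_at_or_above_lfl:
        findings.append("(2) combustible dust at or above its LFL")
    if not 19.5 <= test.oxygen_pct <= 23.5:
        findings.append(f"(3) oxygen {test.oxygen_pct:.1f}%, outside 19.5-23.5%")
    for name, ppm in test.substances_ppm.items():
        pel = pels_ppm.get(name)
        if pel is None:
            # No exposure limit on file: the reading cannot be cleared, so it counts as a finding
            findings.append(f"(4) {name}: {ppm} ppm measured but no PEL on file")
        elif ppm > pel:
            findings.append(f"(4) {name}: {ppm} ppm exceeds PEL {pel} ppm")
    if test.other_idlh:
        findings.append("(5) other condition immediately dangerous to life or health")
    return findings


def permit_decision(test: GasTest, pels_ppm: Dict[str, float], entry_at: datetime,
                    requested: timedelta) -> Tuple[bool, List[str], Optional[datetime]]:
    """Decide whether entry may proceed at entry_at on the strength of this test.

    Returns (approved, reasons_for_refusal, permit_expiry). The permit never
    runs longer than MAX_PERMIT, and a test older than MAX_TEST_AGE is not
    representative because the atmosphere can change over time.
    """
    reasons = hazardous_atmosphere(test, pels_ppm)
    age = entry_at - test.taken_at
    if age < timedelta(0):
        reasons.append("test is timestamped after the planned entry")
    elif age > MAX_TEST_AGE:
        reasons.append(f"test is {age} old, exceeds {MAX_TEST_AGE} window; re-test before entry")
    if reasons:
        return False, reasons, None
    return True, [], entry_at + min(requested, MAX_PERMIT)


# Constructed sample data (assumed PELs, not regulatory values)
PELS_PPM = {"H2S": 10.0, "CO": 25.0}
T0 = datetime(2024, 1, 1, 8, 0)
ENTRY_AT = T0 + timedelta(minutes=10)
CLEAN = GasTest(T0, oxygen_pct=20.9, flammable_pct_lfl=0.0, substances_ppm={"H2S": 2.0})
PURGED = GasTest(T0, oxygen_pct=17.0, flammable_pct_lfl=0.0)   # nitrogen purge still present
UNKNOWN = GasTest(T0, oxygen_pct=20.9, flammable_pct_lfl=4.0, substances_ppm={"benzene": 0.5})

if __name__ == "__main__":
    for label, t in (("clean", CLEAN), ("purged", PURGED), ("unknown substance", UNKNOWN)):
        ok, why, expiry = permit_decision(t, PELS_PPM, ENTRY_AT, timedelta(hours=12))
        if ok:
            print(f"{label}: approved, permit expires {expiry}")
        else:
            print(f"{label}: refused, {why}")
```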
The Hazards of Nitrogen Asphyxiation

US Chemical Safety and Hazard Investigation Board

Introduction
Nitrogen makes up 78% of the air we breathe; because of this it is often assumed that nitrogen is not hazardous.
However, nitrogen is safe to breathe only if it is mixed with an appropriate amount of oxygen.
Additional nitrogen (lower oxygen) cannot be detected by the sense of smell.

Introduction
Nitrogen is used commercially as an inerting agent to keep material free of contaminants (including oxygen) that may corrode equipment, present a fire hazard, or be toxic.
A lower oxygen concentration (e.g., caused by an increased amount of nitrogen) can have a range of effects on the human body and can be fatal if it falls below 10%.

Effects of Oxygen Deficiency on the Human Body

Atmospheric Oxygen Concentration (%): Possible Results
20.9: Normal
19.0: Some unnoticeable adverse physiological effects
16.0: Increased pulse and breathing rate, impaired thinking and attention, reduced coordination
14.0: Abnormal fatigue upon exertion, emotional upset, faulty coordination, poor judgment
12.5: Very poor judgment and coordination, impaired respiration that may cause permanent heart damage, nausea, and vomiting
<10: Inability to move, loss of consciousness, convulsions, death

Source: Compressed Gas Association, 2001

Statistics on Incidents
CSB reviewed cases of nitrogen asphyxiation that
occurred in the US between 1992 and 2002 and
determined the following:
85 incidents of nitrogen asphyxiation resulted
in 80 deaths and 50 injuries.
The majority of incidents occurred in
manufacturing and industrial settings, but
several incidents occurred in other settings
including laboratories and medical facilities.

Facilities and Areas Where Incidents Occurred

(Pie chart. Categories: Manufacturing/industry; Trenches, manhole covers (not identified); Maintenance activities (not necessarily at manufacturing sites); Laboratories; Miscellaneous (including medical facilities and transportation). Shares shown on the chart: 62%, 14%, 13%, 6%, 5%.)

Statistics on Incidents (cont'd)
The majority of incidents
occurred in and around
confined spaces, though
several incidents occurred in
open areas, including inside
buildings and outdoors near
equipment.
Almost half the incidents
involved contractors, including
construction workers.
Contractors account for over
60% of the fatalities.

Statistics on Incidents (cont'd)
Causes of the incidents included:
- Failure to detect an oxygen-deficient atmosphere in and around confined spaces.
- Mistakenly using nitrogen instead of breathing air.
- Inadequately preparing for rescue.

Data Sources for Statistics

Data sources for the CSB review included
regulatory agencies, media reports, technical
publications, and contacts with safety
personnel; however, only those incidents
that were reported and accessible are
evaluated. Statistical analysis is based on
the available, limited information.
Although the summary data reported above
are not all-inclusive, the numbers clearly
indicate that nitrogen asphyxiation presents
a serious hazard in the workplace.

Case Study: Failure to Recognize Asphyxiation Hazards Near Confined Spaces
Three workers were cleaning filters in a
hydrogen purifying tank.
Tank was purged with nitrogen during
cleaning.
One worker leaned over a manway
opening in the upper portion of the
tank.
He was found unconscious and later
died.

Case Study: Failure to Recognize Asphyxiation Hazards Near Confined Spaces
An operator was conducting a flammable gas
test on a line connected to a flare in order to
issue a hot work permit.
The operator issued a permit that required
an air-supplied respirator.
Two contractors wore respirators to remove
a valve, but the operator did not.
Nitrogen inadvertently entered the flare and
the operator lost consciousness.

Case Study: Inadequate Monitoring of Atmosphere
A tank car at a refinery contained white
mineral oil, and an employee started
cleaning it.
The mineral oil was offloaded by
injecting nitrogen gas into the car.
The nitrogen was still present when the
employee started to clean the car and he
was asphyxiated.

Case Study: Corrupt Breathing Air Supply
Two contractors were abrasive blasting tubes
inside a boiler.
They wore supplied-air respirators
connected to compressed air cylinders.
After the workers failed to respond to an air
horn, they were found unconscious.
Follow-up testing of the air supply - which had been manufactured by mixing oxygen and nitrogen - found that it contained less than 5% oxygen.

Case Study: Mix-Up Nitrogen and Air, and Improper Rescue
The atmosphere inside a coated tank was
tested and ventilated the day before
work was to be performed inside.
A contractor entered the tank to clean it the
next day and collapsed.
Two plant employees attempted rescue and
were overcome. All three workers died.
The tank had mistakenly been ventilated
with nitrogen instead of compressed air.

Case Study: Mix-up Nitrogen and Air
A contract employee planned to use a
hammer powered by air to chip residue
from a furnace in an aluminum foundry.
He wore an airline respirator.
Two compressed gas lines were available,
one was labeled natural gas and one was
labeled air.
Once the respirator was in place, the
employee was asphyxiated. The air line
actually contained pure nitrogen.

Case Study: Mix-up Breathing Air Supply in a Medical Facility
A supplier mistakenly delivered a
cylinder of nitrogen during a
delivery of oxygen cylinders.
The nursing home employee
mistakenly accepted the nitrogen tank.
The cylinder was labeled with a
nitrogen label partially covering an
oxygen label.

Case Study: Mix-Up Breathing Air Supply in a Medical Facility (cont'd)

The tank had nitrogen-compatible fittings.
A maintenance employee removed
the fittings from an empty oxygen
cylinder and used it as an adapter
to connect the nitrogen tank to the
oxygen system.
Four patients died and six were
injured.

Good Practices for Safe Handling of Nitrogen

Implement warning systems and continuous atmospheric monitoring of enclosures
Continuously monitor for oxygen-deficient,
toxic, or explosive atmospheres.
Employ warning systems including flashing
lights, alarms, and auto-locking entryways.
Use personnel monitors to indicate low
oxygen concentrations.
Remember that the atmosphere can change
over time.

Good Practices for Safe Handling of Nitrogen

Ensure ventilation with fresh air in confined and enclosed areas
Maintain continuous forced draft
ventilation with fresh air before job
begins and through completion.
Ensure that ventilation systems are
properly designed, evaluated, and
maintained.
Use warning systems to alert personnel
if the system fails.

Good Practices for Safe Handling of Nitrogen

Implement a system for the safe retrieval and rescue of workers
Employees in confined spaces should wear
equipment to facilitate retrieval, such as a
body harness, anklets, or wristlets, and a
lifeline.
Standby personnel must be present at all
times and have constant communication with
personnel inside.
Personnel should not attempt rescue unless
they are properly trained and equipped.

Good Practices for Safe Handling of Nitrogen

Ensure the uninterrupted flow and integrity of breathing air
Take steps to ensure that supplied air is not
interrupted. Steps include having alternate sources
of power for air compressors, inspecting and
replacing air hoses, and restricting traffic in areas
with supply hoses.
Carry escape packs.
Ensure the composition of supplied breathing air is
correct. Continuously monitor the air supply.

Good Practices for Safe Handling of Nitrogen

Prevent inadvertent mix-up of nitrogen and breathing air
Ensure that personnel understand the
reason for specific unique fittings on
cylinders of different compressed
gases. Do not fabricate adapters to
defeat their purpose.
Ensure that cylinders are clearly
labeled.
Use color coding to identify systems.

Good Practices for Safe Handling of Nitrogen

Develop and implement training programs for employees and contract personnel, including information on:
Proper use of ventilation, retrieval, air monitoring, and
air supply systems.
Safe practices for confined space entry and rescue.
Precautions to take when working around confined
areas.
Dangers of nitrogen enriched atmosphere and
preventing mix-ups between breathing air and
nitrogen.
Implementing good hazard communication.

More Information
A safety bulletin and 1-page brochure on
the hazards of nitrogen asphyxiation, as
well as this presentation, are available
from the US Chemical Safety and Hazard
Investigation Board.
www.csb.gov
(202)261-7600

FIRE & EXPLOSION INDEX HAZARD CLASSIFICATION GUIDE

Dow FIRE & EXPLOSION INDEX HAZARD CLASSIFICATION GUIDE
7th edition, January 1994

by Richard Gowland

FIRE & EXPLOSION INDEX

Is a Risk Management tool which calculates the risk of a specific process
Gives a numerical level of risk
Used by some Competent Authorities (NL and It.)

PURPOSE OF THE F&E INDEX SYSTEM

QUANTIFY THE EXPECTED DAMAGE
IDENTIFY EQUIPMENT
COMMUNICATE THE RISK POTENTIAL TO MANAGEMENT
TO MAKE YOU AWARE OF THE LOSS POTENTIAL OF YOUR OWN PROCESS AREA
and
IDENTIFY WAYS TO LESSEN THE SEVERITY AND RESULTANT DOLLAR LOSS

F&EI IS A TOOL TO:

HELP DETERMINE THE AREAS OF GREATEST LOSS POTENTIAL.
PREDICT THE PHYSICAL DAMAGE AND BUSINESS INTERRUPTION IN THE EVENT OF AN INCIDENT.

EFFECTS

1. THE BLAST WAVE OR DEFLAGRATION
2. FIRE EXPOSURE FROM ORIGINAL RELEASE
3. MISSILE IMPACT ON PIPING AND EQUIPMENT FROM VESSEL EXPLOSION
4. OTHER FUEL RELEASES AS SECONDARY EVENTS

SELECT PERTINENT PROCESS UNITS

* CHEMICAL ENERGY POTENTIAL
* QUANTITY OF HAZARDOUS MATERIAL
* CAPITAL DENSITY
* PROCESS PRESSURE AND TEMPERATURE
* PAST HISTORY OF PROBLEMS
* UNITS CRITICAL TO PLANT OPERATION

DETERMINE THE MATERIAL FACTOR

* BASIC STARTING VALUE IN THE F&EI CALCULATION
* OBTAINED FROM NFPA RATINGS Nr (REACTIVITY) AND Nf (FLAMMABILITY), TABLE 1
* IT IS THE MEASURE OF THE INTRINSIC RATE OF POTENTIAL ENERGY RELEASE

CALCULATION TO BE COMPLETED FOR

* GENERAL PROCESS HAZARDS FACTOR
* SPECIAL PROCESS HAZARDS FACTOR
* LOSS CONTROL CREDIT FACTOR

GENERAL PROCESS HAZARDS HAVE A PRIMARY ROLE IN DETERMINING THE MAGNITUDE OF A LOSS INCIDENT (6 ITEMS).

1. General Process Hazards                               Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                              1.00                   1.00
A. Exothermic Chemical Reactions                         0.30 to 1.25           ________
B. Endothermic Processes                                 0.20 to 0.40           ________
C. Material Handling and Transfer                        0.25 to 1.05           ________
D. Enclosed or Indoor Process Units                      0.25 to 0.90           ________
E. Access                                                0.20 to 0.35           ________
F. Drainage and Spill Control  __________ gal or cu.m.   0.25 to 0.50           ________
General Process Hazards Factor (F1)                                             ________

SPECIAL PROCESS HAZARDS CONTRIBUTE PRIMARILY TO THE PROBABILITY OF A LOSS INCIDENT (12 ITEMS).

2. Special Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Toxic Material(s)                                               0.20 to 0.80           ______
B. Sub-Atmospheric Pressure (< 500 mm Hg)                          0.50                   ______
C. Operation In or Near Flammable Range   ___ Inerted   ___ Not Inerted
   1. Tank Farms Storage Flammable Liquids                         0.50                   ______
   2. Process Upset or Purge Failure                               0.30                   ______
   3. Always in Flammable Range                                    0.80                   ______
D. Dust Explosion (See Table 3)                                    0.25 to 2.00           ______
E. Pressure (See Figure 2)                                                                ______
   Operating Pressure ________ psig or kPa gauge   Relief Setting ________ psig or kPa gauge
F. Low Temperature                                                 0.20 to 0.30           ______
G. Quantity of Flammable/Unstable Material:   Quantity _____ lb or kg   HC = _____ BTU/lb or kcal/kg
   1. Liquids or Gases in Process (See Figure 3)                                          ______
   2. Liquids or Gases in Storage (See Figure 4)                                          ______
   3. Combustible Solids in Storage, Dust in Process (See Figure 5)                       ______
H. Corrosion and Erosion                                           0.10 to 0.75           ______
I. Leakage Joints and Packing                                      0.10 to 1.50           ______
J. Use of Fired Equipment (See Figure 6)                                                  ______
K. Hot Oil Heat Exchange System (See Table 5)                      0.15 to 1.15           ______
L. Rotating Equipment                                              0.50                   ______
Special Process Hazards Factor (F2)                                                       ______

SOME CONTRIBUTING FACTORS:

TYPE OF REACTION
PROCESS TEMPERATURES
PROCESS PRESSURE
QUANTITIES OF FUEL

DETERMINE

1. PROCESS UNIT HAZARD FACTOR
PRODUCT OF THE GENERAL AND SPECIAL PROCESS HAZARDS FACTOR
Process Unit Hazards Factor (F1 x F2) = F3

2. FIRE & EXPLOSION INDEX
THE PRODUCT OF THE UNIT HAZARDS FACTOR AND MATERIAL FACTOR
Fire and Explosion Index (F3 x MF = F&EI)

DETERMINE

3. AREA OF EXPOSURE
Fire & Explosion Index (F&EI)
Radius of Exposure .... (Figure 7) ____ ft or m
Area of Exposure ____ ft2 or m2

4. REPLACEMENT VALUE
Value of Area of Exposure

DETERMINE THE AREA OF EXPOSURE

CALCULATE THE RADIUS OF THE EXPOSED AREA
THE PRODUCT OF
R = F&EI X 0.84 X 0.3048 m
CYLINDRICAL VOLUME

VALUE OF AREA OF EXPOSURE

OBTAINED FROM REPLACEMENT VALUE OF PROPERTY, INCLUDING INVENTORY
* ACCOUNTING RECORDS
* CURRENT ENGINEERING COST ESTIMATE
* EQUIPMENT COSTS PER SQUARE FOOT/METRE
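The arithmetic of the slides above, carried through in one place: F1 and F2 as base factor plus penalties, F3 = F1 x F2, F&EI = F3 x MF, R = F&EI x 0.84 x 0.3048 m, and the loss control credit product C1 x C2 x C3 from the back of form C-22380 reproduced further down. This is an added Python example, not part of the course material or of Dow's own tools; the penalty and credit ranges are those printed on the form, while the unloading-station penalties, the credits and MF = 24 are constructed for illustration and not values read from the guide's tables or figures.

```python
"""Dow F&EI arithmetic as laid out on form C-22380 (added example, not the
guide's own software).  Penalty and credit ranges are the ones printed on the
form on this page; the values in unloading_station_example() are constructed
for illustration, not read from the guide's tables or figures."""
import math

# Penalty ranges (min, max) per form line.  None: the value is read from a
# figure of the guide and the form prints no range, so only >= 0 is checked.
GENERAL_RANGES = {
    "A exothermic chemical reactions": (0.30, 1.25), "B endothermic processes": (0.20, 0.40),
    "C material handling and transfer": (0.25, 1.05), "D enclosed or indoor units": (0.25, 0.90),
    "E access": (0.20, 0.35), "F drainage and spill control": (0.25, 0.50),
}
SPECIAL_RANGES = {
    "A toxic materials": (0.20, 0.80), "B sub-atmospheric pressure": (0.50, 0.50),
    "C1 tank farm storage of flammable liquids": (0.50, 0.50),
    "C2 process upset or purge failure": (0.30, 0.30), "C3 always in flammable range": (0.80, 0.80),
    "D dust explosion": (0.25, 2.00), "E pressure": None, "F low temperature": (0.20, 0.30),
    "G1 liquids or gases in process": None, "G2 liquids or gases in storage": None,
    "G3 combustible solids in storage, dust in process": None,
    "H corrosion and erosion": (0.10, 0.75), "I leakage joints and packing": (0.10, 1.50),
    "J use of fired equipment": None, "K hot oil heat exchange system": (0.15, 1.15),
    "L rotating equipment": (0.50, 0.50),
}
# Loss control credit ranges, sections C1 / C2 / C3 on the back of the form.
CREDIT_RANGES = {
    "C1": {"a emergency power": (0.98, 0.98), "b cooling": (0.97, 0.99),
           "c explosion control": (0.84, 0.98), "d emergency shutdown": (0.96, 0.99),
           "e computer control": (0.93, 0.99), "f inert gas": (0.94, 0.96),
           "g operating instructions": (0.91, 0.99), "h reactive chemical review": (0.91, 0.98),
           "i other process hazard analysis": (0.91, 0.98)},
    "C2": {"a remote control valves": (0.96, 0.98), "b dump/blowdown": (0.96, 0.98),
           "c drainage": (0.91, 0.97), "d interlock": (0.98, 0.98)},
    "C3": {"a leak detection": (0.94, 0.98), "b structural steel": (0.95, 0.98),
           "c fire water supply": (0.94, 0.97), "d special systems": (0.91, 0.91),
           "e sprinkler systems": (0.74, 0.97), "f water curtains": (0.97, 0.98),
           "g foam": (0.92, 0.97), "h hand extinguishers/monitors": (0.93, 0.98),
           "i cable protection": (0.94, 0.98)},
}


def hazards_factor(penalties, ranges):
    """Base factor 1.00 plus every penalty used.  0.00 means 'no penalty'
    (footnote 1 of the form); any other value must lie in the printed range."""
    total = 1.00
    for item, value in penalties.items():
        rng = ranges[item]  # KeyError: not a line of this section of the form
        if value < 0 or (value and rng and not rng[0] <= value <= rng[1]):
            raise ValueError(f"{item}: penalty {value} outside range {rng}")
        total += value
    return total


def loss_control_credit(credits):
    """C1 x C2 x C3, each section being the product of the credits used.
    A feature that earns no credit is entered as 1.00 (footnote 2)."""
    product = 1.0
    for section, features in credits.items():
        for feature, value in features.items():
            lo, hi = CREDIT_RANGES[section][feature]
            if value != 1.0 and not lo <= value <= hi:
                raise ValueError(f"{section} {feature}: credit {value} outside {lo}-{hi}")
            product *= value
    return product


def fire_explosion_index(mf, f1, f2):
    """F3 = F1 x F2 (process unit hazards factor); F&EI = F3 x MF."""
    return f1 * f2 * mf


def radius_of_exposure_m(fei):
    """R = F&EI x 0.84 x 0.3048 m: 0.84 ft per index point, then feet to metres."""
    return fei * 0.84 * 0.3048


def area_of_exposure_m2(radius_m):
    """Exposed area: the circle of radius R at the base of the exposure cylinder."""
    return math.pi * radius_m ** 2


def unloading_station_example():
    """Constructed penalties for an open-air flammable-liquid unloading
    station.  MF = 24 is an illustrative value, not read from Table 1."""
    f1 = hazards_factor({"C material handling and transfer": 0.85, "E access": 0.35,
                         "F drainage and spill control": 0.50}, GENERAL_RANGES)
    f2 = hazards_factor({"A toxic materials": 0.20, "C3 always in flammable range": 0.80,
                         "E pressure": 0.30, "H corrosion and erosion": 0.10,
                         "I leakage joints and packing": 0.30, "L rotating equipment": 0.50},
                        SPECIAL_RANGES)
    fei = fire_explosion_index(24, f1, f2)
    radius = radius_of_exposure_m(fei)
    credit = loss_control_credit({
        "C1": {"a emergency power": 0.98, "d emergency shutdown": 0.97, "f inert gas": 0.96},
        "C2": {"a remote control valves": 0.97, "c drainage": 0.95},
        "C3": {"a leak detection": 0.95, "c fire water supply": 0.96, "e sprinkler systems": 0.90}})
    return {"F1": f1, "F2": f2, "F&EI": fei, "radius_m": radius,
            "area_m2": area_of_exposure_m2(radius), "credit": credit}
```

A penalty outside its printed range, or a credit outside its range, raises instead of silently entering the sum, which is the check a reviewer of a filled-in form does by hand.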

Now to an example, using the calculation book.

FIRE & EXPLOSION INDEX

Inherently Safer Design and Dow Fire and Explosion Index.

Case Study:

You are required to upgrade an Emulsion Polymerisation plant. The relevant units in the upgrade are:

Butadiene Unloading
Butadiene Storage
Monomer Weigh tank (Storage/feed)
Polymerisation Reactor

All other units (Styrene, Acrylonitrile, surfactant etc. handling) will not be changed (already optimised).
Resources you will need:

Folders with the Dow Fire and Explosion Index and Chemical Exposure Index calculation methods.
Calculator

Butadiene Unloading Station:

Unloading from 40 metric ton railcars. These railcars are nitrogen padded. This nitrogen inerting system and the vapour
pressure of butadiene keep the vapour space of the railcar and the storage tank free of oxygen. Failure of the nitrogen
system when the storage tank is empty after maintenance could result in pockets of air in the vapour circuit. Butadiene is
unloaded from the bottom via articulated stainless steel loading arms. The motive force for unloading is provided by a
vapour compressor which takes vapour from the top of the storage tank and compresses it into the top of the railcar. The
achieved rate for discharge is 28 metric tons per hour. The normal pressure at which discharge takes place is 310 kPa.
For index calculation purposes, the flammable material is taken to be in process. Ambient temperature is taken to be
25 C. Worst case scenarios include full bore failure of the 75 mm liquid line or the 37.5 mm gas line, subsequent fire or
Unconfined Vapour Cloud Explosion, Boiling Liquid Expanding Vapour Explosion, and toxic release (Butadiene Emergency
Response Planning Guideline 2 (ERPG 2) = 50 ppm).
Automatic Water Deluge Fire Protection is standard provision.
Possible arrangements of the unloading station are as follows:
1) The side of a warehouse at the end of a product loading dock. This area is roofed and enclosed on 2 sides. This is
the cheapest option for the project. The facility has a run off basin for spills and fire water 70 metres away. Emergency
access is limited to one side only via paved road.
2) On an extension to the rail line 40 metres from the loading dock. This operation could be roofed but no walls are
planned. The possible site is 30 metres distant from the run off basin. Access is available from 2 sides via paved road.
Exercise:

Discuss the advantages and disadvantages of the two possible locations and calculate the Fire and Explosion
Indexes for each case.

PROCESS SAFETY COURSE 2012

Butadiene Storage tank.

Capacity 100 metric tons.
Working pressure 310 kPa
Relief pressure 480 kPa
For index calculation purposes, the flammable material is taken to be in storage. Ambient temperature is taken to be
25 C.
The choices for the tanks are:
a) Bullet (horizontal cylinder shaped) tank on saddles in the open air, with concrete walls located 3 metres from each
end of the tank straddling the centre line of the tank.
Worst case scenarios include full bore failure of the 75 mm liquid line or the 37.5 mm gas line, subsequent fire or
Unconfined Vapour Cloud Explosion, Boiling Liquid Expanding Vapour Explosion, and toxic release (Butadiene Emergency
Response Planning Guideline 2 (ERPG 2) = 50 ppm).
b) Bullet (horizontal cylinder shaped) tank on saddles, buried above ground in sand with concrete retaining walls.
Worst case scenarios include full bore failure of the 75 mm liquid line or the 37.5 mm gas line, subsequent fire or
Unconfined Vapour Cloud Explosion, and toxic release (Butadiene Emergency Response Planning Guideline 2 (ERPG 2) = 50 ppm).
Materials of construction to give total corrosion resistance.
Automatic Water Deluge Fire Protection is standard provision.
The storage tank will be located at the end of a tank farm 30 metres from the run off basin.
Both possible designs are deemed to be totally unenclosed.

Transfer system from storage to reaction area.
Pump: To be selected from the following possibilities:
Multistage centrifugal with double mechanical seal.
Multistage centrifugal magnetic drive through diaphragm. No seal.
Single stage vane pump with petroleum seal (single mechanical seal with outboard gland/stuffing box).
Delivery into T101 weigh tank. (Can be used in batch mode or in a continuous feed to the polymerisation reactor.)
Materials of construction to give total corrosion resistance.
Location within a diked/bunded area which is drained to the run off basin. Pump will be mounted on an elevated plinth.
Location is open air, no enclosures.
Exercise:

Calculate the Fire and Explosion Indexes for the storage tank for each option selected.

Monomer Weigh tank:

6 cubic metres
Working pressure 350 kPa. Relief pressure 495 kPa.
Working temperature 25 C
Reactor charge of monomers (2800 kg Butadiene, 600 kg Acrylonitrile)
Materials of construction to give total corrosion resistance.
Location within a diked/bunded area which is drained to the run off basin. Pump will be mounted on an elevated plinth.
Location is open air, no enclosures.
For index calculation purposes, the flammable material is taken to be in process. Ambient temperature is taken to be
25 C.
Access is available on one side only.
Exercise:

Calculate the Fire and Explosion Index for the Monomer Weigh Tank.


Polymerisation Reactor:
Total volume 16 m3
Continuously stirred reactor (25 kW power available). Double mechanical seal on agitator.
For index calculation purposes, the flammable material is taken to be in process.
Materials of construction to give total corrosion resistance.
Location within a diked/bunded area which is drained to the run off basin.
Location is open air, no enclosures. Access from 2 sides via paved road.

Polymerisation Reaction Charge:

4000 kg water
500 kg surfactants (relatively inert, not combustible)
3550 kg Styrene
3400 kg monomers (Butadiene and Acrylonitrile)
Sequence of addition: Water, Surfactants (vary, depending on chain length recipe), Monomers.
Reactor is heated to 120 C by a steam heated pressurised water jacket with circulation pumps. When reaction starts,
automatic temperature control brings in cooling water and steam is shut down. The agitator runs at all times when
chemicals are present. Reaction complete in 40 minutes. The normal reaction produces a peak temperature of 134 C.
This is an exothermic reaction typical of polymerisation. Temperature alarms are set at 140 C. Runaway reaction can
occur with some recipes at 155 C.
Operating pressure 750 kPa. Relief pressure 2000 kPa.
Various modes of operation are available. More than 1 is currently practised.
Exercise:

Suggest various modes of operation and describe those you consider to be Inherently Safer.

Participants are requested to calculate the Reactor Fire and Explosion Indexes for all modes they suggest.


AREA / COUNTRY: EUROPE
DIVISION:
LOCATION:
SITE:
MANUFACTURING UNIT: EMULSION POLYMERS
PROCESS UNIT: 1,3 BUTADIENE UNLOADING FROM RAIL CAR
DATE: 14 MARCH 2001
PREPARED BY:
APPROVED BY: (Superintendent)
BUILDING:
REVIEWED BY: (Management)
REVIEWED BY: (Technology Center)
REVIEWED BY: (Safety & Loss Prevention)
MATERIALS IN PROCESS UNIT: BUTADIENE (N2 PAD)
STATE OF OPERATION: ___ DESIGN   ___ START UP   _X_ NORMAL OPERATION   ___ SHUTDOWN
BASIC MATERIAL(S) FOR MATERIAL FACTOR: BUTADIENE
MATERIAL FACTOR (See Table 1 or Appendices A or B) Note requirements when unit temperature over 140 °F (60 °C) .......... ______

1. General Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Exothermic Chemical Reactions                                   0.30 to 1.25           ______
B. Endothermic Processes                                           0.20 to 0.40           ______
C. Material Handling and Transfer                                  0.25 to 1.05           ______
D. Enclosed or Indoor Process Units                                0.25 to 0.90           ______
E. Access                                                          0.20 to 0.35           ______
F. Drainage and Spill Control  __________ gal or cu.m.             0.25 to 0.50           ______
General Process Hazards Factor (F1) ..................................................... ______

2. Special Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Toxic Material(s)                                               0.20 to 0.80           ______
B. Sub-Atmospheric Pressure (< 500 mm Hg)                          0.50                   ______
C. Operation In or Near Flammable Range   ___ Inerted   ___ Not Inerted
   1. Tank Farms Storage Flammable Liquids                         0.50                   ______
   2. Process Upset or Purge Failure                               0.30                   ______
   3. Always in Flammable Range                                    0.80                   ______
D. Dust Explosion (See Table 3)                                    0.25 to 2.00           ______
E. Pressure (See Figure 2)                                                                ______
   Operating Pressure ________ psig or kPa gauge   Relief Setting ________ psig or kPa gauge
F. Low Temperature                                                 0.20 to 0.30           ______
G. Quantity of Flammable/Unstable Material:   Quantity _____ lb or kg   HC = _____ BTU/lb or kcal/kg
   1. Liquids or Gases in Process (See Figure 3)                                          ______
   2. Liquids or Gases in Storage (See Figure 4)                                          ______
   3. Combustible Solids in Storage, Dust in Process (See Figure 5)                       ______
H. Corrosion and Erosion                                           0.10 to 0.75           ______
I. Leakage Joints and Packing                                      0.10 to 1.50           ______
J. Use of Fired Equipment (See Figure 6)                                                  ______
K. Hot Oil Heat Exchange System (See Table 5)                      0.15 to 1.15           ______
L. Rotating Equipment                                              0.50                   ______
Special Process Hazards Factor (F2) ..................................................... ______

Process Unit Hazards Factor (F1 x F2) = F3 .............................................. ______
Fire and Explosion Index (F3 x MF = F&EI) ............................................... ______
(1) For no penalty use 0.00.

LOSS CONTROL CREDIT FACTORS

1. Process Control Credit Factor (C1)
Feature                                  Credit Factor Range   Credit Factor Used(2)
a. Emergency Power                       0.98                  ______
b. Cooling                               0.97 to 0.99          ______
c. Explosion Control                     0.84 to 0.98          ______
d. Emergency Shutdown                    0.96 to 0.99          ______
e. Computer Control                      0.93 to 0.99          ______
f. Inert Gas                             0.94 to 0.96          ______
g. Operating Instructions/Procedures     0.91 to 0.99          ______
h. Reactive Chemical Review              0.91 to 0.98          ______
i. Other Process Hazard Analysis         0.91 to 0.98          ______
C1 Value(3) ................................................... ______

2. Material Isolation Credit Factor (C2)
Feature                                  Credit Factor Range   Credit Factor Used(2)
a. Remote Control Valves                 0.96 to 0.98          ______
b. Dump/Blowdown                         0.96 to 0.98          ______
c. Drainage                              0.91 to 0.97          ______
d. Interlock                             0.98                  ______
C2 Value(3) ................................................... ______

3. Fire Protection Credit Factor (C3)
Feature                                  Credit Factor Range   Credit Factor Used(2)
a. Leak Detection                        0.94 to 0.98          ______
b. Structural Steel                      0.95 to 0.98          ______
c. Fire Water Supply                     0.94 to 0.97          ______
d. Special Systems                       0.91                  ______
e. Sprinkler Systems                     0.74 to 0.97          ______
f. Water Curtains                        0.97 to 0.98          ______
g. Foam                                  0.92 to 0.97          ______
h. Hand Extinguishers/Monitors           0.93 to 0.98          ______
i. Cable Protection                      0.94 to 0.98          ______
C3 Value(3) ................................................... ______

Loss Control Credit Factor = C1 x C2 x C3(3) = ______ (Enter on line 7 below)

PROCESS UNIT RISK ANALYSIS SUMMARY

1. Fire & Explosion Index (F&EI) .................................. (See Front)   ______
2. Radius of Exposure ............................................. (Figure 7)    ______ ft or m
3. Area of Exposure ..............................................................  ______ ft2 or m2
4. Value of Area of Exposure .....................................................  ______ $MM
5. Damage Factor .................................................. (Figure 8)    ______
6. Base Maximum Probable Property Damage (Base MPPD) [4 x 5] .....................  ______ $MM
7. Loss Control Credit Factor ..................................... (See Above)   ______
8. Actual Maximum Probable Property Damage (Actual MPPD) [6 x 7] .................  ______ $MM
9. Maximum Probable Days Outage (MPDO) ............................ (Figure 9)    ______ days
10. Business Interruption (BI) ...................................................  ______ $MM

(2) For no credit factor enter 1.00.
(3) Product of all factors used.
Refer to Fire & Explosion Index Hazard Classification Guide (Form #471-00001) for details.

BACK OF FORM C-22380 Rev/01-94

AREA / COUNTRY: EUROPE
DIVISION:
LOCATION:
SITE:
MANUFACTURING UNIT: EMULSION POLYMERS
PROCESS UNIT: 1,3 BUTADIENE STORAGE
DATE: 14 March 2001
PREPARED BY:
APPROVED BY: (Superintendent)
BUILDING:
REVIEWED BY: (Management)
REVIEWED BY: (Technology Center)
REVIEWED BY: (Safety & Loss Prevention)
MATERIALS IN PROCESS UNIT: 1,3 BUTADIENE
STATE OF OPERATION: ___ DESIGN   ___ START UP   _X_ NORMAL OPERATION   ___ SHUTDOWN
BASIC MATERIAL(S) FOR MATERIAL FACTOR: BUTADIENE
MATERIAL FACTOR (See Table 1 or Appendices A or B) Note requirements when unit temperature over 140 °F (60 °C) .......... ______

1. General Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Exothermic Chemical Reactions                                   0.30 to 1.25           ______
B. Endothermic Processes                                           0.20 to 0.40           ______
C. Material Handling and Transfer                                  0.25 to 1.05           ______
D. Enclosed or Indoor Process Units                                0.25 to 0.90           ______
E. Access                                                          0.20 to 0.35           ______
F. Drainage and Spill Control  __________ gal or cu.m.             0.25 to 0.50           ______
General Process Hazards Factor (F1) ..................................................... ______

2. Special Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Toxic Material(s)                                               0.20 to 0.80           ______
B. Sub-Atmospheric Pressure (< 500 mm Hg)                          0.50                   ______
C. Operation In or Near Flammable Range   ___ Inerted   ___ Not Inerted
   1. Tank Farms Storage Flammable Liquids                         0.50                   ______
   2. Process Upset or Purge Failure                               0.30                   ______
   3. Always in Flammable Range                                    0.80                   ______
D. Dust Explosion (See Table 3)                                    0.25 to 2.00           ______
E. Pressure (See Figure 2)                                                                ______
   Operating Pressure ________ psig or kPa gauge   Relief Setting ________ psig or kPa gauge
F. Low Temperature                                                 0.20 to 0.30           ______
G. Quantity of Flammable/Unstable Material:   Quantity _____ lb or kg   HC = _____ BTU/lb or kcal/kg
   1. Liquids or Gases in Process (See Figure 3)                                          ______
   2. Liquids or Gases in Storage (See Figure 4)                                          ______
   3. Combustible Solids in Storage, Dust in Process (See Figure 5)                       ______
H. Corrosion and Erosion                                           0.10 to 0.75           ______
I. Leakage Joints and Packing                                      0.10 to 1.50           ______
J. Use of Fired Equipment (See Figure 6)                                                  ______
K. Hot Oil Heat Exchange System (See Table 5)                      0.15 to 1.15           ______
L. Rotating Equipment                                              0.50                   ______
Special Process Hazards Factor (F2) ..................................................... ______

Process Unit Hazards Factor (F1 x F2) = F3 .............................................. ______
Fire and Explosion Index (F3 x MF = F&EI) ............................................... ______
(1) For no penalty use 0.00.

AREA / COUNTRY: EUROPE
DIVISION:
LOCATION:
SITE:
MANUFACTURING UNIT: EMULSION POLYMERS
PROCESS UNIT: 1,3 BUTADIENE STORAGE
DATE: 14 March 2001
PREPARED BY:
APPROVED BY: (Superintendent)
BUILDING:
REVIEWED BY: (Management)
REVIEWED BY: (Technology Center)
REVIEWED BY: (Safety & Loss Prevention)
MATERIALS IN PROCESS UNIT: 1,3 BUTADIENE
STATE OF OPERATION: ___ DESIGN   ___ START UP   _X_ NORMAL OPERATION   ___ SHUTDOWN
BASIC MATERIAL(S) FOR MATERIAL FACTOR: BUTADIENE
MATERIAL FACTOR (See Table 1 or Appendices A or B) Note requirements when unit temperature over 140 °F (60 °C) .......... ______

1. General Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Exothermic Chemical Reactions                                   0.30 to 1.25           ______
B. Endothermic Processes                                           0.20 to 0.40           ______
C. Material Handling and Transfer                                  0.25 to 1.05           ______
D. Enclosed or Indoor Process Units                                0.25 to 0.90           ______
E. Access                                                          0.20 to 0.35           ______
F. Drainage and Spill Control  __________ gal or cu.m.             0.25 to 0.50           ______
General Process Hazards Factor (F1) ..................................................... ______

2. Special Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Toxic Material(s)                                               0.20 to 0.80           ______
B. Sub-Atmospheric Pressure (< 500 mm Hg)                          0.50                   ______
C. Operation In or Near Flammable Range   ___ Inerted   ___ Not Inerted
   1. Tank Farms Storage Flammable Liquids                         0.50                   ______
   2. Process Upset or Purge Failure                               0.30                   ______
   3. Always in Flammable Range                                    0.80                   ______
D. Dust Explosion (See Table 3)                                    0.25 to 2.00           ______
E. Pressure (See Figure 2)                                                                ______
   Operating Pressure ________ psig or kPa gauge   Relief Setting ________ psig or kPa gauge
F. Low Temperature                                                 0.20 to 0.30           ______
G. Quantity of Flammable/Unstable Material:   Quantity _____ lb or kg   HC = _____ BTU/lb or kcal/kg
   1. Liquids or Gases in Process (See Figure 3)                                          ______
   2. Liquids or Gases in Storage (See Figure 4)                                          ______
   3. Combustible Solids in Storage, Dust in Process (See Figure 5)                       ______
H. Corrosion and Erosion                                           0.10 to 0.75           ______
I. Leakage Joints and Packing                                      0.10 to 1.50           ______
J. Use of Fired Equipment (See Figure 6)                                                  ______
K. Hot Oil Heat Exchange System (See Table 5)                      0.15 to 1.15           ______
L. Rotating Equipment                                              0.50                   ______
Special Process Hazards Factor (F2) ..................................................... ______

Process Unit Hazards Factor (F1 x F2) = F3 .............................................. ______
Fire and Explosion Index (F3 x MF = F&EI) ............................................... ______
(1) For no penalty use 0.00.

AREA / COUNTRY: EUROPE
DIVISION:
LOCATION:
SITE:
MANUFACTURING UNIT:
PROCESS UNIT:
DATE:
PREPARED BY:
APPROVED BY: (Superintendent)
BUILDING:
REVIEWED BY: (Management)
REVIEWED BY: (Technology Center)
REVIEWED BY: (Safety & Loss Prevention)
MATERIALS IN PROCESS UNIT:
STATE OF OPERATION: ___ DESIGN   ___ START UP   _X_ NORMAL OPERATION   ___ SHUTDOWN
BASIC MATERIAL(S) FOR MATERIAL FACTOR:
MATERIAL FACTOR (See Table 1 or Appendices A or B) Note requirements when unit temperature over 140 °F (60 °C) .......... ______

1. General Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Exothermic Chemical Reactions                                   0.30 to 1.25           ______
B. Endothermic Processes                                           0.20 to 0.40           ______
C. Material Handling and Transfer                                  0.25 to 1.05           ______
D. Enclosed or Indoor Process Units                                0.25 to 0.90           ______
E. Access                                                          0.20 to 0.35           ______
F. Drainage and Spill Control  __________ gal or cu.m.             0.25 to 0.50           ______
General Process Hazards Factor (F1) ..................................................... ______

2. Special Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Toxic Material(s)                                               0.20 to 0.80           ______
B. Sub-Atmospheric Pressure (< 500 mm Hg)                          0.50                   ______
C. Operation In or Near Flammable Range   ___ Inerted   ___ Not Inerted
   1. Tank Farms Storage Flammable Liquids                         0.50                   ______
   2. Process Upset or Purge Failure                               0.30                   ______
   3. Always in Flammable Range                                    0.80                   ______
D. Dust Explosion (See Table 3)                                    0.25 to 2.00           ______
E. Pressure (See Figure 2)                                                                ______
   Operating Pressure ________ psig or kPa gauge   Relief Setting ________ psig or kPa gauge
F. Low Temperature                                                 0.20 to 0.30           ______
G. Quantity of Flammable/Unstable Material:   Quantity _____ lb or kg   HC = _____ BTU/lb or kcal/kg
   1. Liquids or Gases in Process (See Figure 3)                                          ______
   2. Liquids or Gases in Storage (See Figure 4)                                          ______
   3. Combustible Solids in Storage, Dust in Process (See Figure 5)                       ______
H. Corrosion and Erosion                                           0.10 to 0.75           ______
I. Leakage Joints and Packing                                      0.10 to 1.50           ______
J. Use of Fired Equipment (See Figure 6)                                                  ______
K. Hot Oil Heat Exchange System (See Table 5)                      0.15 to 1.15           ______
L. Rotating Equipment                                              0.50                   ______
Special Process Hazards Factor (F2) ..................................................... ______

Process Unit Hazards Factor (F1 x F2) = F3 .............................................. ______
Fire and Explosion Index (F3 x MF = F&EI) ............................................... ______
(1) For no penalty use 0.00.

AREA / COUNTRY: EUROPE
DIVISION:
LOCATION:
SITE:
MANUFACTURING UNIT: EMULSION POLYMERS
PROCESS UNIT: MONOMER FEED WEIGH TANK
DATE: 14 MARCH 2001
PREPARED BY:
APPROVED BY: (Superintendent)
BUILDING:
REVIEWED BY: (Management)
REVIEWED BY: (Technology Center)
REVIEWED BY: (Safety & Loss Prevention)
MATERIALS IN PROCESS UNIT: BUTADIENE, ACRYLONITRILE
STATE OF OPERATION: ___ DESIGN   ___ START UP   _X_ NORMAL OPERATION   ___ SHUTDOWN
BASIC MATERIAL(S) FOR MATERIAL FACTOR: MIXTURE FOR COMPOSITE MF
MATERIAL FACTOR (See Table 1 or Appendices A or B) Note requirements when unit temperature over 140 °F (60 °C) .......... ______

1. General Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Exothermic Chemical Reactions                                   0.30 to 1.25           ______
B. Endothermic Processes                                           0.20 to 0.40           ______
C. Material Handling and Transfer                                  0.25 to 1.05           ______
D. Enclosed or Indoor Process Units                                0.25 to 0.90           ______
E. Access                                                          0.20 to 0.35           ______
F. Drainage and Spill Control  __________ gal or cu.m.             0.25 to 0.50           ______
General Process Hazards Factor (F1) ..................................................... ______

2. Special Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Toxic Material(s)                                               0.20 to 0.80           ______
B. Sub-Atmospheric Pressure (< 500 mm Hg)                          0.50                   ______
C. Operation In or Near Flammable Range   ___ Inerted   ___ Not Inerted
   1. Tank Farms Storage Flammable Liquids                         0.50                   ______
   2. Process Upset or Purge Failure                               0.30                   ______
   3. Always in Flammable Range                                    0.80                   ______
D. Dust Explosion (See Table 3)                                    0.25 to 2.00           ______
E. Pressure (See Figure 2)                                                                ______
   Operating Pressure ________ psig or kPa gauge   Relief Setting ________ psig or kPa gauge
F. Low Temperature                                                 0.20 to 0.30           ______
G. Quantity of Flammable/Unstable Material:   Quantity _____ lb or kg   HC = _____ BTU/lb or kcal/kg
   1. Liquids or Gases in Process (See Figure 3)                                          ______
   2. Liquids or Gases in Storage (See Figure 4)                                          ______
   3. Combustible Solids in Storage, Dust in Process (See Figure 5)                       ______
H. Corrosion and Erosion                                           0.10 to 0.75           ______
I. Leakage Joints and Packing                                      0.10 to 1.50           ______
J. Use of Fired Equipment (See Figure 6)                                                  ______
K. Hot Oil Heat Exchange System (See Table 5)                      0.15 to 1.15           ______
L. Rotating Equipment                                              0.50                   ______
Special Process Hazards Factor (F2) ..................................................... ______

Process Unit Hazards Factor (F1 x F2) = F3 .............................................. ______
Fire and Explosion Index (F3 x MF = F&EI) ............................................... ______
(1) For no penalty use 0.00.

AREA / COUNTRY: EUROPE
DIVISION:
LOCATION:
SITE:
MANUFACTURING UNIT: EMULSION POLYMERS
PROCESS UNIT: POLYMERISATION REACTOR
DATE: 14 MARCH 2001
PREPARED BY:
APPROVED BY: (Superintendent)
BUILDING:
REVIEWED BY: (Management)
REVIEWED BY: (Technology Center)
REVIEWED BY: (Safety & Loss Prevention)
MATERIALS IN PROCESS UNIT: WATER, STYRENE, BUTADIENE, ACRYLONITRILE, SURFACTANTS.
STATE OF OPERATION: ___ DESIGN   ___ START UP   _X_ NORMAL OPERATION   ___ SHUTDOWN
BASIC MATERIAL(S) FOR MATERIAL FACTOR: COMPOSITE BASED ON BUTADIENE, ACRYLONITRILE, STYRENE AND WATER BY PROPORTION
MATERIAL FACTOR (See Table 1 or Appendices A or B) Note requirements when unit temperature over 140 °F (60 °C) .......... ______

1. General Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Exothermic Chemical Reactions                                   0.30 to 1.25           ______
B. Endothermic Processes                                           0.20 to 0.40           ______
C. Material Handling and Transfer                                  0.25 to 1.05           ______
D. Enclosed or Indoor Process Units                                0.25 to 0.90           ______
E. Access                                                          0.20 to 0.35           ______
F. Drainage and Spill Control  __________ gal or cu.m.             0.25 to 0.50           ______
General Process Hazards Factor (F1) ..................................................... ______

2. Special Process Hazards                                         Penalty Factor Range   Penalty Factor Used(1)
Base Factor                                                        1.00                   1.00
A. Toxic Material(s)                                               0.20 to 0.80           ______
B. Sub-Atmospheric Pressure (< 500 mm Hg)                          0.50                   ______
C. Operation In or Near Flammable Range   ___ Inerted   ___ Not Inerted
   1. Tank Farms Storage Flammable Liquids                         0.50                   ______
   2. Process Upset or Purge Failure                               0.30                   ______
   3. Always in Flammable Range                                    0.80                   ______
D. Dust Explosion (See Table 3)                                    0.25 to 2.00           ______
E. Pressure (See Figure 2)                                                                ______
   Operating Pressure ________ psig or kPa gauge   Relief Setting ________ psig or kPa gauge
F. Low Temperature                                                 0.20 to 0.30           ______
G. Quantity of Flammable/Unstable Material:   Quantity _____ lb or kg   HC = _____ BTU/lb or kcal/kg
   1. Liquids or Gases in Process (See Figure 3)                                          ______
   2. Liquids or Gases in Storage (See Figure 4)                                          ______
   3. Combustible Solids in Storage, Dust in Process (See Figure 5)                       ______
H. Corrosion and Erosion                                           0.10 to 0.75           ______
I. Leakage Joints and Packing                                      0.10 to 1.50           ______
J. Use of Fired Equipment (See Figure 6)                                                  ______
K. Hot Oil Heat Exchange System (See Table 5)                      0.15 to 1.15           ______
L. Rotating Equipment                                              0.50                   ______
Special Process Hazards Factor (F2) ..................................................... ______

Process Unit Hazards Factor (F1 x F2) = F3 .............................................. ______
Fire and Explosion Index (F3 x MF = F&EI) ............................................... ______
(1) For no penalty use 0.00.

AREA / COUNTRY
EUROPE

DIVISION

LOCATION

SITE

MANUFACTURING UNIT
EMULSION POLYMERS

DATE
14 MARCH 2001

PROCESS UNIT
POLYMERISATION REACTOR

PREPARED BY:

APPROVED BY: (Superintendent)

BUILDING

REVIEWED BY: (Management)

REVIEWED BY: (Technology Center)

REVIEWED BY: (Safety & Loss Prevention)

MATERIALS IN PROCESS UNIT


WATER, STYRENE, BUTADIENE, ACRYLONITRILE, SURFACTANTS.
STATE OF OPERATION
___ DESIGN

___ START UP

BASIC MATERIAL(S) FOR MATERIAL FACTOR


__X_ NORMAL OPERATION

___ SHUTDOWN

COMPOSITE BASED ON BUTADIENE, ACRYLONITRILE, STYRENE AND


WATER BY PROPORTION

MATERIAL FACTOR (See Table 1 or Appendices A or B) Note requirements when unit temperature over 140 oF (60 oC)

1. General Process Hazards


Base Factor .................................................................................................................
A.
B.
C.
D.
E.
F.

Exothermic Chemical Reactions


Endothermic Processes
Material Handling and Transfer
Enclosed or Indoor Process Units
Access
Drainage and Spill Control

__________ gal or cu.m.

Penalty Factor Range

Penalty Factor Used(1)

1.00

1.00

0.30 to 1.25
0.20 to 0.40
0.25 to 1.05
0.25 to 0.90
0.20 to 0.35
0.25 to 0.50

General Process Hazards Factor (F1) .................................................................................................


2. Special Process Hazards
Base Factor .................................................................................................................
A. Toxic Material(s)
B. Sub-Atmospheric Pressure (< 500 mm Hg)
C. Operation In or Near Flammable Range
___ Inerted
___ Not Inerted
1. Tank Farms Storage Flammable Liquids
2. Process Upset or Purge Failure
3. Always in Flammable Range
D. Dust Explosion (See Table 3)
E. Pressure (See Figure 2)
Operating Pressure ________ psig or kPa gauge
Relief Setting ________ psig or kPa gauge
F. Low Temperature
G. Quantity of Flammable/Unstable Material:
Quantity _____ lb or kg
HC = _____BTU/lb or kcal/kg
1. Liquids or Gases in Process (See Figure 3)
2. Liquids or Gases in Storage (See Figure 4)
3. Combustible Solids in Storage, Dust in Process (See Figure 5)
H. Corrosion and Erosion
I. Leakage Joints and Packing
J. Use of Fired Equipment (See Figure 6)
K. Hot Oil Heat Exchange System (See Table 5)
L. Rotating Equipment

1.00
0.20 to 0.80
0.50
0.50
0.30
0.80
0.25 to 2.00

0.20 to 0.30

0.10 to 0.75
0.10 to 1.50
0.15 to 1.15
0.50

Special Process Hazards Factor (F2) .................................................................................................


Process Unit Hazards Factor (F1 x F2) = F3 ..................................................................................
Fire and Explosion Index (F3 x MF = F&EI) ....................................................................................
(1)

BACK OF FORM C-22380 Rev/01-94

For no penalty use 0.00.

1.00

CHEMICAL EXPOSURE INDEX:

Calculate the Chemical Exposure Index for:

a) Butadiene unloading. Consider worst cases from liquid and gas line fracture and how the discharge might be minimised. Calculate Chemical Exposure Indexes for the credible cases which would result. The course tutor will act as consultant.

b) Butadiene storage. Consider worst cases from liquid and gas line fracture and how the discharge might be minimised. Calculate Chemical Exposure Indexes for the credible cases which would result. The course tutor will act as consultant.

Storage conditions are as described above. Other data is in the provided material. Please substitute the following updated material for the Emergency Response Planning Guidelines:

1,3-Butadiene
   ERPG 1 ....... 22 mg/m3 ....... 10 ppm
   ERPG 2 ....... 442 mg/m3 ...... 200 ppm
   ERPG 3 ....... 11060 mg/m3 .... 5000 ppm

Dow Classes of Fire and Explosion Index
   Light Hazard .......... 1-60
   Medium Hazard ......... 61-96
   Intermediate Hazard ... 97-128
   High Hazard ........... 128-158
   Extreme Hazard ........ >= 159

Dow Classes of Chemical Exposure Index
   High Hazard: CEI > 200, or potential for ERPG 3 concentrations outside the fence.

Explanation of the Dow Fire and Explosion Index.


The Fire and Explosion Index (F&EI) calculation is a tool to help determine the areas of greatest
loss potential in a particular process. It also enables one to predict the physical damage that
would occur in the event of an incident.
The first step in making the F&EI calculation requires using an efficient and logical procedure to
determine which process units should be studied. A process unit is defined as any major item of
process equipment. The following process units could be identified in a typical plant.

Unloading facility
Storage tank
Reactor
Distillation Column
Quench Vessel
Storage Vessel
Loading facility

A designation of the Process Unit must be entered in the appropriate space on the F&EI
form. The Manufacturing Unit designation must also be entered on the F&EI form. A
Manufacturing Unit is the entire production facility including chemical processes,
mechanical processes, warehouse, packaging lines, etc.
It is quite clear that most manufacturing units have many process units. To calculate the Fire and
Explosion Index, however, only process units that could have an impact from a loss prevention
standpoint should be evaluated. These are known as Pertinent Process Units.
Important factors for selecting Pertinent Process Units include:
a. Chemical energy potential (Material Factor)
b. Quantity of hazardous material in the Process Unit
c. Process pressure and process temperature
d. Units critical to plant operation, e.g. Reactor

Important Considerations

A. The Fire and Explosion Index system assumes that a process unit handles a minimum of
2,500 kg of a flammable, combustible or reactive material. If less material is involved,
generally the risk will be overstated. However, F&EI calculations can provide meaningful
results for pilot plants if they handle at least 500 kg of combustible or reactive material.

B. Careful consideration is needed when equipment is arranged in series and the items are not
effectively isolated from each other. An example would be a reaction train without an
intermediate pump. In such situations, the type of process determines whether several
vessels or just a single vessel should be considered as the Process Unit.

It should rarely be necessary to calculate the F&EI for more than three or four Process Units
in a single process area of a Manufacturing Unit. The number of Process Units will vary
according to the type of process and the configuration of the Manufacturing Unit.
A separate F&EI form must be completed for each process unit evaluated.

C. It is also important to give careful consideration to the state or point in time of the operation.
By their nature, such normal stages as startup, steady-state operation, shutdown, filling,
emptying, adding catalyst, etc., often create unique conditions having an impact on the
F&EI. Generally, good judgment will enable selection of the point in time of operation at which to
perform the F&EI calculation. Occasionally more than one point in time will have to be
studied to determine the significant risk.

DETERMINATION OF MATERIAL FACTOR


The Material Factor (MF) is the basic starting value in the computation of the F&EI and other
risk analysis values. The MF is a measure of the intrinsic rate of potential energy release from
fire or explosion produced by combustion or chemical reaction.
The MF is obtained from the flammability and instability rankings according to NFPA 704.
Generally, the flammability and instability rankings are for ambient temperatures. It is
recognized that the fire and reaction hazards of a material increase markedly with temperature.
The fire hazard from a combustible liquid at a temperature above its flash point is equivalent to
that from a flammable liquid at ambient temperature. Reaction rates also increase very markedly
with temperature. If the temperature of the material on which the MF is based is over 140 °F (60 °C),
a certain adjustment may be required, as discussed below under C. Temperature
Adjustment of Material Factor.
Appendix A provides a listing of MFs for a number of chemical compounds and materials, and
these values will be used in most cases. If Appendix A does not list the material, the
flammability and instability rankings may possibly be found in NFPA 325M or NFPA 49,
adjusted for temperature if appropriate, and used with Table 1 to determine the MF. If the
material is a combustible dust, use the Dust Hazard Class Number (St number) rather than the
flammability ranking.

A. Unlisted Substances
If neither Appendix A, NFPA 49, nor NFPA 325M contains values for the substance,
mixture or compound in question, these values will have to be determined from the
flammability ranking or dust class (St) (see Table 1). First, the parameters shown in the left
column of the table will have to be determined. The flammability ranking of liquids and
gases is obtained from flash point data, and the St of dusts or mists is determined by dust
explosion testing. The flammability ranking of combustible solids depends on the nature of
the material as categorized in the left column.

The instability ranking can be obtained from a qualitative description of the instability (or
reactivity with water) of the substance, mixture or compound at ambient temperature.
Definitions in National Fire Protection Association (NFPA) 704 should be used to assign hazard
ratings for materials which are not listed in the F&EI calculation tool in S2S.

MATERIAL FACTOR DETERMINATION GUIDE (Table 1)

                                                            NFPA 325M/49   Instability Ranking
Flammability Ranking                                        Flammability    0    1    2    3    4
Liquids and Gases Flammability or Combustibility (1)
  Non-combustible (2)                                            0          1   14   24   29   40
  F.P. > 200 F (> 93.3 C)                                        1          4   14   24   29   40
  F.P. > 100 F (> 37.8 C) and <= 200 F (<= 93.3 C)               2         10   14   24   29   40
  F.P. >= 73 F (>= 22.8 C) and < 100 F (< 37.8 C), or
    F.P. < 73 F (< 22.8 C) and B.P. >= 100 F (>= 37.8 C)         3         16   16   24   29   40
  F.P. < 73 F (< 22.8 C) and B.P. < 100 F (< 37.8 C)             4         21   21   24   29   40
Combustible Dust or Mist (3)
  St-1 (KSt <= 200 bar m/sec)                                    -         16   16   24   29   40
  St-2 (KSt = 201-300 bar m/sec)                                 -         21   21   24   29   40
  St-3 (KSt > 300 bar m/sec)                                     -         24   24   24   29   40
Combustible Solids
  Dense, > 40 mm thick (4)                                       1          4   14   24   29   40
  Open, < 40 mm thick (5)                                        2         10   14   24   29   40
  Foam, fiber, powder, etc. (6)                                  3         16   16   24   29   40

F.P. = Flash Point, closed cup
B.P. = Boiling Point at Standard Temperature and Pressure (STP)

Notes:
(1) Includes volatile solids.
(2) Will not burn in air when exposed to a temperature of 816 C for a period of five minutes.
(3) KSt values are for a 16 litre or larger closed test vessel with a strong ignition source. See NFPA 68, Guide for Venting of Deflagrations.
(4) Includes wood 2 inches nominal thickness, magnesium ingots, tight stacks of solids and tight rolls of paper or plastic film.
(5) Includes coarse granular material such as plastic pellets, rack storage, wood pallets and non-dusting ground material such as polystyrene.
(6) Includes rubber goods such as tyres and boots,

PROCESS UNIT HAZARDS FACTORS


After the appropriate Material Factor has been determined, the next step is to calculate the
Process Unit Hazards Factor (F3), which is the term that is multiplied by the Material Factor to
obtain the F&EI.
The numerical value of the Process Unit Hazards Factor is determined by first determining the
General Process Hazards Factor and Special Process Hazards Factor listed on the F&EI form.
Each item which contributes to the Process Hazards Factors contributes to the development or
escalation of an incident that could cause a fire or an explosion.
When calculating the penalties comprising the Process Unit Hazards Factor, F3, pick a single
specific instant in time during which the material under consideration is in the most hazardous
normal operation state associated with the Process Unit. Startup, continuous operation and
shutdown are among the operational states that may be considered.
This rather strict definition is intended to prevent double or triple counting of hazards occurring
during the process. Since the MF is taken to be that of the most hazardous substance present in
the Process Unit, it can be certain that the Fire and Explosion analysis will really be based upon a
worst case when focus is placed on the most hazardous operational point involving the MF, and
this will be a realistic worst case one that could actually occur.

In the F&EI system, only one hazard may be evaluated at a time. If the MF is based on a
flammable liquid present in the Process Unit, do not take penalties relating to combustible dusts,
even though dust may be present at a different time. A reasonable approach might be to evaluate
the Process Unit once using the MF of the flammable liquid and a second time using the MF of
the dust. Only the calculation resulting in the highest F&EI and Actual Maximum Probable
Property Damage need to be reported.
One important exception is the hybrid, described previously under Mixtures. If a hybrid
mixture is selected as the most hazardous material present, it is penalized both as a dust and as a
flammable vapor in the Process Unit Hazards Factor sections of this manual.
Some items on the F&EI form have fixed penalty values. For those that do not, determine the
appropriate penalty by consulting the text that follows. Remember: analyze only one hazard at
a time, relating the analysis to a specific, most hazardous time (e.g., startup, normal operation or
shutdown). Keep the focus on the Process Unit and Material Factor selected for analysis and
keep in mind that the results of the final calculation are only as valid as the appropriateness of the
penalty assessments.

The entry of all the pertinent information needed to calculate the Fire and Explosion Index and
the radius of exposure is made in the Excel workbook "F&EI Calculation workbook S2S July
2006.xls".
When the indexes for all pertinent units in the plant have been calculated, the results give an indication of
the ranking of risk of each unit relative to another. This ranking can be used for screening out the lower risk
items and concentrating study on the higher ones.
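The arithmetic that the form and the explanation above describe, as an added Python example (not Dow's S2S workbook and not any Dow code): the Material Factor lookup from the determination guide (including the St rows for dusts), the penalty ranges printed on the form, F1 and F2 as base factor plus penalties, F3 = F1 x F2, F&EI = F3 x MF, and the Dow hazard-class bands listed earlier. The penalty values in the sample run are constructed and are not the worked form on the page; the 8.0 cap on F3 is Dow's published practice, not something this page states, so the code labels it as an assumption. Item names such as "A_exothermic" are this example's own keys, not form identifiers.

```python
"""Dow F&EI arithmetic as printed on the form and in the explanation: F1, F2, F3 = F1 x F2,
F&EI = F3 x MF. Added example; the values below are taken from the page except where marked."""

# Table 1 for liquids, gases and solids: row = NFPA 704 flammability ranking (0-4),
# columns = instability ranking 0-4. Solids use the same rankings (dense 1, open 2, foam/powder 3).
MATERIAL_FACTOR = {
    0: (1, 14, 24, 29, 40),   # non-combustible
    1: (4, 14, 24, 29, 40),   # F.P. > 200 F
    2: (10, 14, 24, 29, 40),  # F.P. > 100 F and <= 200 F
    3: (16, 16, 24, 29, 40),  # Class IB / IC liquids
    4: (21, 21, 24, 29, 40),  # Class IA liquids
}
# Table 1 for combustible dust or mist, keyed by St class instead of flammability ranking.
DUST_MATERIAL_FACTOR = {
    "St-1": (16, 16, 24, 29, 40),
    "St-2": (21, 21, 24, 29, 40),
    "St-3": (24, 24, 24, 29, 40),
}
# Penalty ranges from the form: (min, max); a fixed penalty is (x, x); None means the form
# prints no range because the penalty is read from a figure (pressure, quantity, fired equipment).
GENERAL_RANGES = {
    "A_exothermic": (0.30, 1.25), "B_endothermic": (0.20, 0.40), "C_handling": (0.25, 1.05),
    "D_enclosed": (0.25, 0.90), "E_access": (0.20, 0.35), "F_drainage": (0.25, 0.50),
}
SPECIAL_RANGES = {
    "A_toxic": (0.20, 0.80), "B_subatmospheric": (0.50, 0.50), "C1_tank_farm": (0.50, 0.50),
    "C2_upset_or_purge_failure": (0.30, 0.30), "C3_always_flammable": (0.80, 0.80),
    "D_dust": (0.25, 2.00), "E_pressure": None, "F_low_temperature": (0.20, 0.30),
    "G_quantity": None, "H_corrosion": (0.10, 0.75), "I_leakage": (0.10, 1.50),
    "J_fired_equipment": None, "K_hot_oil": (0.15, 1.15), "L_rotating": (0.50, 0.50),
}
F3_CAP = 8.0  # assumption: Dow's published procedure caps F3 at 8.0; this page states no cap


def dust_class(kst_bar_m_s):
    """St class from the KSt value, using the class boundaries given in Table 1."""
    if kst_bar_m_s <= 0:
        raise ValueError("KSt must be positive for an explosible dust")
    if kst_bar_m_s <= 200:
        return "St-1"
    if kst_bar_m_s <= 300:
        return "St-2"
    return "St-3"


def material_factor(instability, flammability=None, kst=None):
    """MF for a liquid, gas or solid (by flammability ranking) or for a dust (by KSt)."""
    if instability not in range(5):
        raise ValueError("instability ranking must be 0-4")
    if kst is not None:
        return DUST_MATERIAL_FACTOR[dust_class(kst)][instability]
    if flammability not in MATERIAL_FACTOR:
        raise ValueError("flammability ranking must be 0-4")
    return MATERIAL_FACTOR[flammability][instability]


def penalty_violations(penalties, ranges):
    """Names of penalties that are neither 0.00 (no penalty) nor inside the form's range."""
    bad = []
    for item, value in penalties.items():
        if item not in ranges:
            raise KeyError(f"not an item on the form: {item}")
        bounds = ranges[item]
        if value != 0.0 and bounds is not None and not bounds[0] <= value <= bounds[1]:
            bad.append(item)
    return bad


def hazards_factor(penalties, ranges):
    """Base factor 1.00 plus every penalty taken (form footnote: use 0.00 for no penalty)."""
    if penalty_violations(penalties, ranges):
        raise ValueError(f"penalties outside form ranges: {penalty_violations(penalties, ranges)}")
    return round(1.00 + sum(penalties.values()), 2)


def fire_explosion_index(mf, general, special):
    """F1, F2, F3 = F1 x F2 (capped, see F3_CAP) and F&EI = F3 x MF."""
    f1 = hazards_factor(general, GENERAL_RANGES)
    f2 = hazards_factor(special, SPECIAL_RANGES)
    f3 = min(round(f1 * f2, 2), F3_CAP)
    return {"F1": f1, "F2": f2, "F3": f3, "F&EI": round(f3 * mf, 1)}


def hazard_class(fei):
    """Dow F&EI classes as listed on the page. The page prints 128 in both the Intermediate and
    High bands; here 128 falls in Intermediate (assumption)."""
    if fei <= 60:
        return "Light"
    if fei <= 96:
        return "Medium"
    if fei <= 128:
        return "Intermediate"
    if fei <= 158:
        return "High"
    return "Extreme"


if __name__ == "__main__":
    # Constructed sample: NFPA 704 flammability 4 / instability 2 (MF 24) and made-up penalties.
    mf = material_factor(instability=2, flammability=4)
    general = {"A_exothermic": 0.50, "F_drainage": 0.30}
    special = {"A_toxic": 0.40, "C2_upset_or_purge_failure": 0.30, "E_pressure": 0.30,
               "G_quantity": 0.40, "I_leakage": 0.20}
    result = fire_explosion_index(mf, general, special)
    print(mf, result, hazard_class(result["F&EI"]))  # 24 {... 'F&EI': 112.3} Intermediate
```

`penalty_violations` is the check a reviewer of a completed form wants: a penalty outside the printed range is either a transcription error or an undocumented judgement, and either way it should be queried before F3 is multiplied through.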

NFPA Definitions for ratings on Health, Flammability and Instability:

Degrees of Health Hazards

4 - Materials that, under emergency conditions, can be lethal:
- Gases whose LC50 for acute inhalation toxicity is less than or equal to 1000 parts per million (ppm).
- Any liquid whose saturated vapor concentration at 20 °C (68 °F) is equal to or greater than ten times its LC50 for acute inhalation toxicity, if its LC50 is less than or equal to 1000 ppm.
- Dusts and mists whose LC50 for acute inhalation toxicity is less than or equal to 0.5 milligrams per liter (mg/L).
- Materials whose LD50 for acute dermal toxicity is less than or equal to 40 milligrams per kilogram (mg/kg).
- Materials whose LD50 for acute oral toxicity is less than or equal to 5 mg/kg.

3 - Materials that, under emergency conditions, can cause serious or permanent injury:
- Gases whose LC50 for acute inhalation toxicity is greater than 1000 ppm but less than or equal to 3000 ppm.
- Any liquid whose saturated vapor concentration at 20 °C (68 °F) is equal to or greater than its LC50 for acute inhalation toxicity, if its LC50 is less than or equal to 3000 ppm and that does not meet the criteria for degree of hazard 4.
- Dusts and mists whose LC50 for acute inhalation toxicity is greater than 0.5 mg/L but less than or equal to 2 mg/L.
- Materials whose LD50 for acute dermal toxicity is greater than 40 mg/kg but less than or equal to 200 mg/kg.
- Materials that are corrosive to the respiratory tract.
- Materials that are corrosive to the eye or cause irreversible corneal opacity.
- Materials that are corrosive to skin.
- Cryogenic gases that cause frostbite and irreversible tissue damage.
- Compressed liquefied gases with boiling points at or below -55 °C (-66.5 °F) that cause frostbite and irreversible tissue damage.
- Materials whose LD50 for acute oral toxicity is greater than 5 mg/kg but less than or equal to 50 mg/kg.

2 - Materials that, under emergency conditions, can cause temporary incapacitation or residual injury:
- Gases whose LC50 for acute inhalation toxicity is greater than 3000 ppm but less than or equal to 5000 ppm.
- Any liquid whose saturated vapor concentration at 20 °C (68 °F) is equal to or greater than one-fifth its LC50 for acute inhalation toxicity, if its LC50 is less than or equal to 5000 ppm and that does not meet the criteria for either degree of hazard 3 or degree of hazard 4.
- Dusts and mists whose LC50 for acute inhalation toxicity is greater than 2 mg/L but less than or equal to 10 mg/L.
- Materials whose LD50 for acute dermal toxicity is greater than 200 mg/kg but less than or equal to 1000 mg/kg.
- Compressed liquefied gases with boiling points between -30 °C (-22 °F) and -55 °C (-66.5 °F) that can cause severe tissue damage, depending on duration of exposure.
- Materials that are respiratory irritants.
- Materials that cause severe but reversible irritation to the eyes or are lacrimators.
- Materials that are primary skin irritants or sensitizers.
- Materials whose LD50 for acute oral toxicity is greater than 50 mg/kg but less than or equal to 500 mg/kg.

1 - Materials that, under emergency conditions, can cause significant irritation:
- Gases and vapors whose LC50 for acute inhalation toxicity is greater than 5000 ppm but less than or equal to 10,000 ppm.
- Dusts and mists whose LC50 for acute inhalation toxicity is greater than 10 mg/L but less than or equal to 200 mg/L.
- Materials whose LD50 for acute dermal toxicity is greater than 1000 mg/kg but less than or equal to 2000 mg/kg.
- Materials that cause slight to moderate irritation to the respiratory tract, eyes, and skin.
- Materials whose LD50 for acute oral toxicity is greater than 500 mg/kg but less than or equal to 2000 mg/kg.

0 - Materials that, under emergency conditions, would offer no hazard beyond that of ordinary combustible materials:
- Gases and vapors whose LC50 for acute inhalation toxicity is greater than 10,000 ppm.
- Dusts and mists whose LC50 for acute inhalation toxicity is greater than 200 mg/L.
- Materials whose LD50 for acute dermal toxicity is greater than 2000 mg/kg.
- Materials whose LD50 for acute oral toxicity is greater than 2000 mg/kg.
- Materials that are essentially nonirritating to the respiratory tract, eyes, and skin.

* For each degree of hazard, the criteria are listed in a priority order based upon the likelihood of exposure.
Degrees of Flammability Hazards

4 - Materials that will rapidly or completely vaporize at atmospheric pressure and normal ambient temperature or that are readily dispersed in air and will burn readily:
- Flammable gases.
- Flammable cryogenic materials.
- Any liquid or gaseous material that is liquid while under pressure and has a flash point below 22.8 °C (73 °F) and a boiling point below 37.8 °C (100 °F) (i.e., Class IA liquids).
- Materials that ignite spontaneously when exposed to air.
- Solids containing greater than 0.5 percent by weight of a flammable or combustible solvent are rated by the closed cup flash point of the solvent.

3 - Liquids and solids that can be ignited under almost all ambient temperature conditions. Materials in this degree produce hazardous atmospheres with air under almost all ambient temperatures or, though unaffected by ambient temperatures, are readily ignited under almost all conditions:
- Liquids having a flash point below 22.8 °C (73 °F) and having a boiling point at or above 37.8 °C (100 °F), and those liquids having a flash point at or above 22.8 °C (73 °F) and below 37.8 °C (100 °F) (i.e., Class IB and Class IC liquids).
- Materials that on account of their physical form or environmental conditions can form explosive mixtures with air and that are readily dispersed in air.
- Flammable or combustible dusts with representative diameter less than 420 microns (40 mesh).
- Materials that burn with extreme rapidity, usually by reason of self-contained oxygen (e.g., dry nitrocellulose and many organic peroxides).
- Solids containing greater than 0.5 percent by weight of a flammable or combustible solvent are rated by the closed cup flash point of the solvent.

2 - Materials that must be moderately heated or exposed to relatively high ambient temperatures before ignition can occur. Materials in this degree would not under normal conditions form hazardous atmospheres with air, but under high ambient temperatures or under moderate heating could release vapor in sufficient quantities to produce hazardous atmospheres with air:
- Liquids having a flash point at or above 37.8 °C (100 °F) and below 93.4 °C (200 °F) (i.e., Class II and Class IIIA liquids).
- Solid materials in the form of powders or coarse dusts of representative diameter between 420 microns (40 mesh) and 2 mm (10 mesh) that burn rapidly but that generally do not form explosive mixtures with air.
- Solid materials in a fibrous or shredded form that burn rapidly and create flash fire hazards, such as cotton, sisal, and hemp.
- Solids and semisolids that readily give off flammable vapors.
- Solids containing greater than 0.5 percent by weight of a flammable or combustible solvent are rated by the closed cup flash point of the solvent.

1 - Materials that must be preheated before ignition can occur. Materials in this degree require considerable preheating, under all ambient temperature conditions, before ignition and combustion can occur:
- Materials that will burn in air when exposed to a temperature of 815.5 °C (1500 °F) for a period of 5 minutes in accordance with Annex D.
- Liquids, solids, and semisolids having a flash point at or above 93.4 °C (200 °F) (i.e., Class IIIB liquids).
- Liquids with a flash point greater than 35 °C (95 °F) that do not sustain combustion when tested using the Method of Testing for Sustained Combustibility, per 49 CFR 173, Appendix H or the UN Recommendations on the Transport of Dangerous Goods, Model Regulations, 11th revised edition, and the related Manual of Tests and Criteria, 3rd revised edition.
- Liquids with a flash point greater than 35 °C (95 °F) in a water-miscible solution or dispersion with a water noncombustible liquid/solid content of more than 85 percent by weight.
- Liquids that have no fire point when tested by ASTM D 92, Standard Test Method for Flash and Fire Points by Cleveland Open Cup, up to the boiling point of the liquid or up to a temperature at which the sample being tested shows an obvious physical change.
- Combustible pellets with a representative diameter greater than 2 mm (10 mesh).
- Most ordinary combustible materials.
- Solids containing greater than 0.5 percent by weight of a flammable or combustible solvent are rated by the closed cup flash point of the solvent.

0 - Materials that will not burn under typical fire conditions, including intrinsically noncombustible materials such as concrete, stone, and sand:
- Materials that will not burn in air when exposed to a temperature of 816 °C (1500 °F) for a period of 5 minutes in accordance with Annex D.

Degrees of Instability Hazards

4 - Materials that in themselves are readily capable of detonation or explosive decomposition or explosive reaction at normal temperatures and pressures:
- Materials that are sensitive to localized thermal or mechanical shock at normal temperatures and pressures.
- Materials that have an instantaneous power density (product of heat of reaction and reaction rate) at 250 °C (482 °F) of 1000 W/mL or greater.

3 - Materials that in themselves are capable of detonation or explosive decomposition or explosive reaction, but that require a strong initiating source or that must be heated under confinement before initiation:
- Materials that have an instantaneous power density (product of heat of reaction and reaction rate) at 250 °C (482 °F) at or above 100 W/mL and below 1000 W/mL.
- Materials that are sensitive to thermal or mechanical shock at elevated temperatures and pressures.

2 - Materials that readily undergo violent chemical change at elevated temperatures and pressures:
- Materials that have an instantaneous power density (product of heat of reaction and reaction rate) at 250 °C (482 °F) at or above 10 W/mL and below 100 W/mL.

1 - Materials that in themselves are normally stable, but that can become unstable at elevated temperatures and pressures:
- Materials that have an instantaneous power density (product of heat of reaction and reaction rate) at 250 °C (482 °F) at or above 0.01 W/mL and below 10 W/mL.

0 - Materials that in themselves are normally stable, even under fire conditions:
- Materials that have an instantaneous power density (product of heat of reaction and reaction rate) at 250 °C (482 °F) below 0.01 W/mL.
- Materials that do not exhibit an exotherm at temperatures less than or equal to 500 °C (932 °F) when tested by differential scanning calorimetry.

Vapour Cloud Deflagrative Overpressure Estimation

Occupied Buildings subject to External Process Hazards: explosion in a confined structure

In cases where flammable materials are handled above flash point AND close to or above boiling point:
Can my occupied building survive an explosion overpressure?

[Figure: plant layout with process unit R-3 and an occupied building at separation distance D]

It depends on the strength of the building and the overpressure from the explosion.

Overpressures between 100 millibar and 1 bar are not uncommon results of a Vapour Cloud Explosion (VCE).
Typical brick or block buildings will suffer serious structural damage if subjected to a side-on overpressure of > 70 millibar.

Overpressure from a Vapour Cloud Explosion

[Figure, built up over several slides: plant layout with units C-6, T-3 and R-3 and pump P-R3. A leak at P-R3 produces an explosive vapour cloud; the extent of confinement (confined volume V) is marked within it. Only the fraction of the explodable cloud inside the confinement contributes to overpressure; the fraction of the cloud outside the confinement does not contribute to overpressure.]

In cases where flammable materials are handled above flash point AND close to or above boiling point:
Can my occupied building survive an explosion overpressure? Calculate.

[Figure: process unit R-3 and an occupied building at separation distance D]

How to calculate:

Characterise fuel reactivity (Low, Medium (normal hydrocarbons) or High).
Estimate the confined volume (m3).
Estimate the confinement restricting the exploding vapour cloud from unconfined expansion (usually 2D or 1D).
Estimate the degree of congestion in the confined volume (more congestion makes the expanding flame front accelerate - bad news).

Overpressure curves from TNO experimentation
The curve integers depend on: reactivity of fuel, degree of confinement/dimension, congestion.
Not valid for detonations or very large vapour clouds which may cover the target.
Approximation for a typical hydrocarbon: R = 0.1305 x D x (V x 0.0814)^(-0.33)
[Figure: TNO overpressure curves]

Which curve to use?
Based on fuel reactivity (e.g. Fundamental Burning Velocity), the degree of confinement (dimension(s) of freedom for gases to expand on combustion) and the degree of congestion.

Alternatives for congestion: Low, Medium, High.

1D: Explosion gases free to expand in 1 dimension. Sides of structure are solid or partially buried; single direction for burnt gases expansion.
2D: Explosion gases free to expand in 2 dimensions. Floor or roof; sides of structure are open.
3D: Explosion gases free to expand in 3 dimensions. Sides of structure are open and no floor or roof above explosion source.

[Figures: Low Congestion Examples; Medium Congestion Examples; High Congestion Example 1; High Congestion Example 2]

Guidance on assigning the reactivity decision
   Fundamental Burning Velocity      Reactivity
   < 45 cm/sec                       Low
   between 45 and 75 cm/sec          Medium
   > 75 cm/sec                       High

Curve selection: Dimension of expansion zone (1D, 2D, 3D) x Reactivity of fuel (Low 1, Medium 2, High 3) x Degree of congestion (Low 1, Medium 2, High 3) -> Use Curve No.

What to do with the result?

Typical brick or block buildings will suffer serious structural damage if subjected to a side-on overpressure of > 70 millibar.
The overpressure result needs to be reviewed by a Civil Engineer to check if the overpressure is a problem for an existing building.
If an existing building fails the test - do a risk assessment - act on the result - accept, or move people, or strengthen the building.
The Civil Engineer uses the overpressure result for newly designed facilities.
Example workbook
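The screening arithmetic from these slides, as an added Python example (not the example workbook the slide refers to and not Dow or TNO code): reactivity class from fundamental burning velocity, the (dimension, reactivity, congestion) key the curve table is indexed by, the slide's scaled-distance approximation and its inverse, and the 70 millibar building screen. R is read here as the scaled distance at which the chosen overpressure curve is entered, and metres for the separation distance D are an assumption (the slide gives units only for V). The TNO curves are not reproduced, so the overpressure read from the curve is an input to the screen, and the boundary values 45 and 75 cm/sec are assigned to Medium as an assumption.

```python
"""Vapour cloud explosion screening as described on the slides. Added example; constants are
the slide values, everything marked as an assumption is not from the slides."""

# Side-on overpressure above which typical brick or block buildings suffer serious damage.
BUILDING_DAMAGE_THRESHOLD_MBAR = 70.0

REACTIVITY_INDEX = {"Low": 1, "Medium": 2, "High": 3}
CONGESTION_INDEX = {"Low": 1, "Medium": 2, "High": 3}


def reactivity_class(burning_velocity_cm_s):
    """Slide guidance: < 45 cm/sec Low, between 45 and 75 cm/sec Medium, > 75 cm/sec High.
    Assumption: the boundary values 45 and 75 themselves count as Medium."""
    if burning_velocity_cm_s <= 0:
        raise ValueError("burning velocity must be positive")
    if burning_velocity_cm_s < 45:
        return "Low"
    if burning_velocity_cm_s <= 75:
        return "Medium"
    return "High"


def curve_key(burning_velocity_cm_s, expansion_dimensions, congestion):
    """The three integers the curve-selection table is indexed by:
    (dimension of expansion zone 1-3, reactivity 1-3, congestion 1-3)."""
    if expansion_dimensions not in (1, 2, 3):
        raise ValueError("expansion dimensions must be 1, 2 or 3 (1D, 2D, 3D)")
    return (expansion_dimensions,
            REACTIVITY_INDEX[reactivity_class(burning_velocity_cm_s)],
            CONGESTION_INDEX[congestion])


def scaled_distance(separation_m, confined_volume_m3):
    """R = 0.1305 x D x (V x 0.0814)^(-0.33), the slide's approximation for a typical hydrocarbon.
    Assumption: D in metres, V in cubic metres."""
    if separation_m <= 0 or confined_volume_m3 <= 0:
        raise ValueError("separation distance and confined volume must be positive")
    return 0.1305 * separation_m * (confined_volume_m3 * 0.0814) ** -0.33


def separation_for_scaled_distance(target_r, confined_volume_m3):
    """Invert the approximation: the separation D that gives scaled distance target_r for volume V.
    Useful for a newly designed facility once the tolerable R has been read off the curve."""
    if target_r <= 0 or confined_volume_m3 <= 0:
        raise ValueError("target R and confined volume must be positive")
    return target_r / (0.1305 * (confined_volume_m3 * 0.0814) ** -0.33)


def building_screen(overpressure_mbar):
    """The slide's screen for an existing brick or block building. Returns (passes, next step);
    the overpressure is reviewed by a civil engineer in either case."""
    if overpressure_mbar < 0:
        raise ValueError("overpressure must not be negative")
    if overpressure_mbar > BUILDING_DAMAGE_THRESHOLD_MBAR:
        return (False, "risk assessment: accept, move people, or strengthen the building")
    return (True, "civil engineer confirms the overpressure is acceptable for this building")


if __name__ == "__main__":
    # Constructed case: fuel with burning velocity 46 cm/sec, 2D confinement, medium congestion,
    # 1000 m3 confined volume, occupied building 100 m away; overpressure read from the curve: 120 mbar.
    print(curve_key(46, 2, "Medium"))                                 # (2, 2, 2)
    r = scaled_distance(100.0, 1000.0)
    print(f"R = {r:.2f}")                                              # R = 3.06
    print(f"D for R = 5: {separation_for_scaled_distance(5.0, 1000.0):.0f} m")
    print(building_screen(120.0))
```

Because R grows linearly with D but only as V^(-0.33) with confined volume, halving the confined volume (removing confinement or congestion) moves the result far less than the same proportional change in separation distance; the inverse function makes that trade-off explicit at the design stage.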

Dust Explosion Basics

What is dust?
Dust is defined as small particles in the atmosphere which can settle due to their own weight, but which remain airborne as a dust/air mix for some time. Although it is generally accepted that the actual shape of the particles is less relevant, the particle sizes are generally in the range of 400-500 µm (35-40 mesh) maximum.

Approximately 70% of the powders handled by industry, including dust that may be generated from handling solid materials like epoxy resins, can form combustible dust. If these materials are finely dispersed in the air and ignite, then the flames can propagate through the dust/air mixture similarly to what might occur in gas/air mixtures. The resultant explosion is normally spontaneous, very violent and can cause significant damage, injuries and environmental problems.
See the Sugar Explosion video from CSB.

Typically, dust explosions are relatively slow combustion processes. If ignition occurs in a dust cloud in an open area, then little or no overpressure results and the primary hazard is a fireball.

Explosions are defined as sudden reactions involving a rapid physical or chemical oxidation reaction, or decay generating an increase in temperature or pressure, or both simultaneously. When the flame speed is greater than the speed of sound, we call it a detonation. Otherwise, the explosion is known as a deflagration. Detonations are much more destructive than deflagrations. They generate high pressures and shock waves.

Although particle size/specific surface area is the main factor in determining the likelihood of a dust explosion, other factors will also have an influence. They include:
The dust's chemical composition and moisture content.
Pressure and temperature.
Particle shape and size distribution.
Concentration distribution in the dust cloud.
Turbulence in the dust cloud.
Flame front disturbance by mechanisms other than turbulence.
Radiant heat transfer from the flame (dependent on chemistry).

The following chemical compound types are usually unable to produce dust explosions:
Silicates
Sulphates
Nitrates
Carbonates
Phosphates

Materials that can cause dust explosions include:
Natural organic materials (grain, linen, sugar, etc.)
Synthetic organic materials (plastics including epoxy resins, organic pigments, pesticides, etc.)
Coal and peat
Metals (aluminum, zinc, iron, etc.)

Fuel Concentration

For a dust cloud explosion to occur, the dust concentration must be within certain limits. This is analogous to the concept of upper and lower flammability limits for mixtures of gas (or vapours) and air. In general, the lowest concentration of dust that can cause a dust explosion is around 30-60 g/m3 and the maximum is 2-4 kg/m3 (see Table 1). These limits are dependent on the particular material in question and on the particle size distribution. The most severe cases are usually when the dust concentration is slightly above the ideal stoichiometric concentration. The upper concentration limit is dictated by the minimum amount of oxygen needed for explosion and the lower limit by the minimum quantity of particles needed to sustain combustion.

Critical Parameters for Dust Explosions

KSt
The KSt value (bar·m/sec) is a classifying parameter that describes the volatility of the combustion. It equals the value for the maximum speed of pressure build-up during the explosion of a dust/air mix in a container measuring 1 m3. The KSt value is the basis for calculating pressure discharge surfaces and forms the basis for categorization of dust clouds into three hazard classes, listed in Table 2.

Explosion Classes

Primary and Secondary Explosions

The concentrations needed for a dust explosion are rarely seen outside of process vessels. The most severe dust explosions start within a piece of equipment, such as: mills, mixers, screens, dryers, cyclones, hoppers, filters, bucket elevators, silos, aspiration ducts, and pneumatic transit systems. Explosions in these vessels are known as primary explosions.

Secondary explosions are caused when a dust film is disturbed by the primary explosion and forms a second dust cloud, which then is ignited by the primary explosion. The problem is that small amounts of dust film occupy very little space, but once disturbed can easily form dangerous clouds. A 1 mm layer of dust of 500 kg/m3 can give rise to a 5 m deep cloud of 100 g/m3 dust. There can be a large series of explosions triggered in this manner, leading to devastating results.

Surface Area
No matter how combustible the dust may be, a dust explosion will generally not take place if the particle size is too large. Although there is a clear dependence on the size and surface area of dust particles, it does not vary linearly with how explosive the powder may be.

Ignition

A dust cloud, within its flammable concentration limits, usually will not burn unless sufficient energy is provided to ignite it. The minimum energy of an electrical spark that's capable of igniting the explosive dust/air mix and causing flame propagation is the Minimum Ignition Energy (MIE) value. The MIE is strongly dependent on particle size (refer to Dust Explosions in the Process Industries, R. K. Eckhoff). Figure 3 illustrates this effect.

Ignition Sources
Potential ignition sources include items such as:
Open flames (welding, cutting, matches, etc.)
Hot surfaces (dryers, bearings, heaters, etc.)
Heat from mechanical impacts
Electrical discharges
Electrostatic discharges
Smouldering or burning dust

ATEX Regulation
Addresses area classification for electrical equipment and other sources of ignition, to minimise potential sources of ignition for flammable vapours and dusts.

Reactive Chemicals: runaway reactions, explosions.

Content
Some Definitions
The need for a Reactive Chemicals Programme
Examples
Flammability (pt 2)
Thermal Hazard Evaluation Tools (see separate intro training in PROMIS)
Static Electricity
Dust Explosions
Inter-reactivity Charts

The main business of most chemical companies is to manufacture products through the control of reactive chemicals. The reactivity that makes chemicals useful can also make them hazardous. Therefore, it is essential that we understand the nature of the reactive chemicals in your processes.
A reactive chemical incident can result from an uncontrolled reaction or dangerous energy release which may result in injury or property damage.

A Main Point of Reactive Chemicals Efforts:
Understanding the Inherent Energy of the Systems and the Conditions under which Energy can be Released!

Reactive Substances
REACTIVE distinguished from THERMALLY UNSTABLE
REACTIVE = Reacting with the Environment under Process Conditions
ENVIRONMENT = Air, water, redox agents, gasket materials, greases, rust, heat transfer media, absorbents, wastes, etc.
Self-Reactivity must be considered!

What is a Chemical Reaction?
Energy Change!
Endothermic: heat is absorbed
Exothermic: heat is released

Some Examples of Chemical Reactions
Nitration
Condensation
Oxidation
Amination
Alkylation
Halogenation
Hydrogenation
Esterification
Combustion
Polymerization
.....

Some Other Examples of Heat Changes
Adsorption
Neutralization
Vaporization
Mixing
Dilution
Wetting
Corrosion
.....
Energy Build-up

The heat production overtakes the heat removal at the TNR (temperature of no return) point.

Identify the point of no return
Figure (heat balance against temperature): reaction heat production and cooling, with the control region and the point of no return marked. Need to know/predict where it lies.

Operating Units where desired reactions can occur:
Batch Reactors
Continuous Reactors
Static mixers (sometimes)
Scrubbers

Operating Units where undesired reactions can occur:
Batch Reactors
Continuous Reactors
Static mixers (sometimes)
Scrubbers
Pumps
Storage tanks
Adsorbers
Absorbers
Ion Exchange beds
High surface area substrates (e.g. thermal insulation)
Distillation column trays and packing
Heat Exchangers
Product storage drums

Batch Reactors
Loss of Temperature control
Wrong materials (something added, something missed, wrong quantity ratio, wrong order of addition)
Too much, too little, or no catalyst
Incomplete transfer
Loss of agitation (and subsequent re-start)
Loss of cooling

Continuous Reactors
Loss of Temperature control
Wrong materials (something added, something missed, wrong quantity ratio, wrong order of addition)
Loss of flow (and subsequent re-start)
Loss of cooling

Static Mixers
When designed only to mix they do not normally have temperature monitoring.

Scrubbers
Normally designed to react out or neutralise a hazardous vent stream
Connected to the vapour space of a process unit (e.g. storage tanks or reactors)
Scrubber medium normally reacts with the content of the process unit
Reverse flow is a potential problem: scrubber liquid gets into the process vessel and reacts in an undesired way.

Adsorbers
Carbon adsorbers in common use for removing organics from aqueous streams or vents
Heat of adsorption not known or accounted for
Temperature can rise, igniting the organics-rich areas and the carbon in the presence of air; large fires have resulted.

High surface area substrates
Distillation column packing contaminated with residues exposed to the air when dismantled
Thermal insulation soaked with organic material ignites (temperature, exothermic degradation of organic in a matrix where heat cannot dissipate)

Distillation columns
Pyrophoric residues on trays or packing ignite when exposed to air
Reboiler corrosion

Heat Exchangers
Leaks allow heat exchange media to mix with process fluids (or vice versa): unwanted reaction or potential corrosion.

Storage tanks
Wrong materials enter the tank
Products of corrosion enter the tank from elsewhere, e.g. hydrogen from acid attack on connected pipework collects in the vapour space of the tank (e.g. wrong material or lining fails)
Corrosion of the tank
Heating system control fails (e.g. Acrylic Acid overheated and ran away to explosion)

Product storage drums
Corrosion leads to drums bulging
Mixed wastes react and gas evolution bulges drums

Pumps
Corrosion of the pump
Pump lining fails
Tracing system temperature control fails (e.g. Acrylic Acid overheated and runs away to explosion)
Pump runs when in and out connections are blocked (valves closed or lines frozen)

Example 1: Programmes & the human factor

Instead of distilling off 50% of the solvent after the end of the batch, as required by the operating procedure, the operators distilled off only 15%.
Instead of adding 3000 litres of water to cool the reaction mixture to 50-60°C, as required by the operating procedure, the operators added none.
Instead of stirring the reaction mixture until it was fully cooled, as required by the operating procedure, the operators stopped stirring 15 min. after stopping the distillation.
Instead of leaving the temperature recorder operating until the mixture was cooled, as required by the operating procedure, the operator switched off the temp. recorder at 158°C.
Instead of remaining with the unit until cooling to 50-60°C had been achieved, as required by the operating procedure, the operators left at 6 a.m.

The human factor - or lack of training?

Major Examples 2
The refrigeration unit, designed to keep the stored Methyl Isocyanate at 0°C, had been shut down for 6 months.
The flare on the vent line from the scrubber was out of service for repair.
The tank temperature alarm had not been reset to signal a rise above the already elevated storage temperature.
Only after the incident started was the unit's vent gas scrubber, on standby for about 45 days, restarted.
Large amounts of water were allowed into the storage tank and reacted -> exotherm -> temperature increase -> runaway -> release.

Industry Reactive Chemicals Examples:
Terra Industries, Port Neal, Iowa: Ammonium Nitrate Plant Explosion and Gas Release, 1995
Five people killed, 25 injured
15,000 tons of ammonia released
100 tons of nitric acid released
$175 Million loss
Significant Litigation

Other Industry Reactive Chemicals Examples:
Hoechst series of Reactive Chemicals events near Frankfurt, 1994/1995/1996
1+ fatality
Heavily criticized by the public and government
Risking potential plant closures
Government mandated DM 200 Million Plant Safety Improvement Program
Union Carbide 1991, Seadrift, Texas (EO): $81 Million loss

Myths
It's small and shouldn't be a problem...
People all over the world practice this chemistry...
I've already done it several times and there is no problem...
The Thermal Analysis doesn't show anything...
It's an inert solvent...
We don't expect any reaction at this temperature...
It is well below the flashpoint.
I'll just let it run over the weekend - no problem...

Know your system capabilities and limitations
Process knowledge
Has Inherently Safer Process Design been addressed?
Think about thermally unstable materials, shock sensitive materials, pyrophoric materials (ignite when exposed to air), combustible dusts.
Control systems
Cooling
Mechanical Integrity
Layers of Protection/Lines of defence
Relief systems
Mitigation systems (scrubbers, flares etc.)

Key Elements of the Reactive Chemicals Thought Process
Know Your Chemistry
Obtain Test Data on Raw Materials, Intermediates and Products
Evaluate the Test Data With the Process Conditions
Develop Worst Case Scenarios
-- History
-- Brainstorming
-- Hazard Evaluation
Review Your Lines of Defence
Develop Opportunities for Improvement
All found by carrying out Process Hazard Analysis (PHA); see PROMIS content.

Addressing the following
What exactly is the desired process / chemistry?
What is known about the chemistry?
Which process details are relevant?
What is the worst case?
What happens in the worst case?
Which layers of protection are planned / in place?
What are the safety related protection systems, safety trips, Safety Instrumented Systems (SIS)?
Are they adequate and tested?
What are the energy sources?
What are potential ignition sources?
Which similar processes resulted in Reactive Chemicals incidents?
What is the energy potential of substances/mixtures?
What are the impurities?
What is the waste handling procedure?
What is the vent handling procedure?

Inherently Safer?
Substitute: replace the hazardous material with a safer one (e.g. aqueous or higher flash point solvent)
Minimise: inventory of hazardous material; continuous or semi-continuous reaction
Moderate: lower temperature and/or pressure
Simplify

Chemical Exposure Index: a simple approximation of the hazardous footprint from a toxic material release

Chemical Exposure Index

Chemical Exposure Index
WHAT IS IT?
1st Edition - May 1986
Developed by Dow after Bhopal.
Method of rating potential acute health hazard to people from possible chemical releases.
Simple empirical rating in a comparable, quantitative manner.
Used to establish review schedule.

Chemical Exposure Index
2nd Edition - September 1993
USES
Initial PHA
By Each Location for Review Process (opportunity to eliminate, reduce, or mitigate releases)
In Emergency Response Planning

Chemical Exposure Index
Procedure for Calculation of Chemical Exposure Index (CEI)
Define Possible Chemical Release Scenarios
Determine the Airborne Quantity (AQ) of Scenarios
Select Scenario with Largest Airborne Quantity (AQ)
Determine ERPG-2 / EEPG-2
Calculate the CEI
Calculate the Hazard Distances
Complete CEI Summary Sheets

Chemical Exposure Index
Scenario Selection
Final scenario is the one that gives the largest Airborne Quantity
Standardized to screen for further PHA
Consequence Based, NOT Frequency Based
Choose scenarios for each of the following:
Process Pipes
Hoses
Relief Devices (assume all airborne)
Vessels
Overflows & Spills
Other

Chemical Exposure Index
Determine Airborne Quantity (AQ)
5 PATHS
1. Airborne Quantity Known
2. Vapour Release
Liquid Releases:
3. Pool Evaporation Only
4. Liquid All Flashes or Entrained
5. Evaporation and Flash

Chemical Exposure Index
Flowchart for Calculating Airborne Quantity
Start: is the AQ known?
  Yes -> Scenario with largest AQ.
  No -> Type of release?
    Gas -> Calculate AQ.
    Liquid -> Calculate liquid release rate and total liquid released. Is the operating temperature less than the boiling point?
      Yes -> Determine pool size -> Determine vapour from pool -> Calculate AQ.
      No -> Calculate flash. All airborne?
        Yes -> Calculate AQ.
        No -> Determine pool size -> Determine vapour from pool -> Calculate AQ.

Chemical Exposure Index
INFORMATION NEEDED
Figure A - Pool Evaporation: amount of liquid in pool and pool size
Figure C - Flash + Entrainment: liquid flow rate, flash fraction
Figure B - Pool + Flash: amount in pool and pool size, liquid flow rate, flash fraction
ASSUMPTION: 5 times the flash fraction stays entrained with the vapour as AQ.

Chemical Exposure Index
LIQUID RELEASES
Figure A: Pool Only (Styrene)
Figure B: Pool + Flash (Butadiene)
Figure C: All Flash Entrained (Ammonia)
Figure D
Chemical Exposure Index
Determine ERPG-2 / EEPG-2
The American Industrial Hygiene Association (AIHA) established Emergency Response Planning Guidelines ERPG-1, 2, & 3
Table in 2nd Edition includes most common chemicals
Current values available on the AIHA web page
Link: http://www.aiha.org/insideaiha/GuidelineDevelopment/ERPG/Pages/default.aspx

Chemical Exposure Index
What are Emergency Response Planning Guidelines (ERPGs)?
ERPG-1 - the maximum airborne concentration below which it is believed that nearly all individuals could be exposed for up to one hour without experiencing other than mild transient adverse health effects or perceiving a clearly objectionable odour.
ERPG-2 - the maximum airborne concentration below which it is believed that nearly all individuals could be exposed for up to one hour without experiencing or developing irreversible or other serious health effects or symptoms that could impair their ability to take protective action.
ERPG-3 - the maximum airborne concentration below which it is believed that nearly all individuals could be exposed for up to one hour without experiencing or developing life threatening health effects.

Chemical Exposure Index
CEI Calculation
Consequence Based
Based on the Continuous Release Dispersion Equation
If the flow rate empties the inventory in less than 5 minutes, divide the inventory by 5 minutes to obtain the flow rate.
Assumes 5 metres/sec wind speed: neutral weather (typical average weather)

CEI = 655.1 x √(AQ / ERPG-2 (MW))
(AQ in kg/sec, ERPG in mg/m3)

Chemical Exposure Index
Hazard Distances
Approximate distances each ERPG concentration would travel for the assumed weather conditions.
HD (metres) = 6551 x √(AQ / ERPG-x (MW))
(AQ in kg/sec, ERPG in mg/m3)
Use ERPG-1, 2, & 3 for three distances.
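The CEI and hazard distance screening above, worked through in code. This is an added example, not the course's CEI spreadsheet; it uses the published Dow definitions CEI = 655.1 √(AQ/ERPG-2) and HD = 6551 √(AQ/ERPG-x), the 5-minute rule, and the standard ppm to mg/m3 conversion via molecular weight (MW) at 25 °C. The butadiene relief-device rate and tank-car inventory are taken from the workshop slides; the ERPG values and the hose AQ are constructed placeholders.

```python
"""Dow Chemical Exposure Index (CEI) screening calculation.

Added example, not the course's own CEI spreadsheet. Formulas (AQ in kg/s,
ERPG in mg/m3):
    CEI = 655.1 * sqrt(AQ / ERPG-2)
    HD  = 6551  * sqrt(AQ / ERPG-x)   (metres, evaluated for ERPG-1, -2 and -3)
The 5-minute rule and the ppm -> mg/m3 conversion via molecular weight are the
standard ones; the sample inputs are labelled where they are constructed.
"""
import math

MOLAR_VOLUME_L_PER_MOL_25C = 24.45   # litres per mol of ideal gas at 25 C and 1 atm
FIVE_MINUTES_S = 300.0


def ppm_to_mg_per_m3(ppm: float, molecular_weight: float) -> float:
    """Convert a guideline in ppm (v/v) to mg/m3 at 25 C using the MW."""
    return ppm * molecular_weight / MOLAR_VOLUME_L_PER_MOL_25C


def airborne_rate_kg_per_s(scenario_rate_kg_per_s: float, inventory_kg: float) -> float:
    """Apply the CEI 5-minute rule.

    If the scenario would empty the inventory in less than 5 minutes, the rate
    used for the index is inventory / 5 minutes; otherwise the scenario's own
    release rate is used.
    """
    if scenario_rate_kg_per_s <= 0 or inventory_kg <= 0:
        raise ValueError("rate and inventory must be positive")
    if inventory_kg / scenario_rate_kg_per_s < FIVE_MINUTES_S:
        return inventory_kg / FIVE_MINUTES_S
    return scenario_rate_kg_per_s


def cei(aq_kg_per_s: float, erpg2_mg_per_m3: float) -> float:
    """CEI = 655.1 * sqrt(AQ / ERPG-2)."""
    return 655.1 * math.sqrt(aq_kg_per_s / erpg2_mg_per_m3)


def hazard_distance_m(aq_kg_per_s: float, erpg_mg_per_m3: float) -> float:
    """HD (metres) = 6551 * sqrt(AQ / ERPG-x)."""
    return 6551.0 * math.sqrt(aq_kg_per_s / erpg_mg_per_m3)


def screen_scenarios(scenarios, inventory_kg, erpg_ppm, molecular_weight):
    """Pick the scenario with the largest AQ and return its CEI and hazard distances.

    scenarios: dict name -> airborne release rate in kg/s (AQ already determined,
               i.e. path 1 of the procedure; liquid paths need the pool/flash figures).
    erpg_ppm:  dict {1: ppm, 2: ppm, 3: ppm}.
    """
    aq_by_name = {name: airborne_rate_kg_per_s(rate, inventory_kg)
                  for name, rate in scenarios.items()}
    worst = max(aq_by_name, key=aq_by_name.get)
    aq = aq_by_name[worst]
    erpg_mg = {level: ppm_to_mg_per_m3(ppm, molecular_weight)
               for level, ppm in erpg_ppm.items()}
    return {
        "scenario": worst,
        "aq_kg_per_s": aq,
        "cei": cei(aq, erpg_mg[2]),
        "hazard_distance_m": {level: hazard_distance_m(aq, mg) for level, mg in erpg_mg.items()},
    }


# Inputs taken from the butadiene workshop slides, plus labelled constructions.
BUTADIENE_MW = 54.09              # g/mol, 1,3-butadiene
TANK_CAR_INVENTORY_KG = 20000.0   # 20 metric tons
WORKSHOP_SCENARIOS = {
    "relief device (225 kg/min two-phase, all airborne)": 225.0 / 60.0,
    "unloading hose (constructed AQ, not from the slides)": 2.0,
}
# Constructed ERPG placeholders in ppm; replace with current AIHA values.
ERPG_PLACEHOLDER_PPM = {1: 10.0, 2: 200.0, 3: 5000.0}

if __name__ == "__main__":
    result = screen_scenarios(WORKSHOP_SCENARIOS, TANK_CAR_INVENTORY_KG,
                              ERPG_PLACEHOLDER_PPM, BUTADIENE_MW)
    print(f"worst scenario: {result['scenario']}")
    print(f"AQ = {result['aq_kg_per_s']:.2f} kg/s, CEI = {result['cei']:.0f}")
    for level, hd in sorted(result["hazard_distance_m"].items()):
        print(f"ERPG-{level} distance: {hd:.0f} m")
```

The ERPG-2 hazard distance comes out at exactly 10 times the CEI, which is the "x 10 = distance to ERPG-2 conc." rule of thumb quoted on the chart slide.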

Chemical Exposure Index
CHEMICAL EXPOSURE INDEX SUMMARY (Form C-91720 (471-00099) Rev. 9/93)
Location; Plant; Chemical
Total Quantity In Plant
Largest Single Containment
Pressure Of Containment
Temperature Of Containment
1. Scenario Being Evaluated
2. Airborne Release Rate from Scenario (kg/sec; lb/min)
3. Chemical Exposure Index
4. Hazard Distance - for ERPG-1/EEPG-1, ERPG-2/EEPG-2 and ERPG-3/EEPG-3: concentration (mg/m3; PPM) and distance (meters; feet)
5. Distances to: Public (generally considered property line); Other in-company facility; Non-company plant or business (meters; feet)
6. The CEI and the Hazard Distance establish the level of review needed as determined in the Dow Process Risk Management Guidelines for Facilities and Distribution.
7. If further review is required, complete the Containment and Mitigation Checklist (Chemical Exposure Index Guide, 2nd Edition, Appendix 2, page 26) and prepare the Review Package.
8. List any sights, odors or sounds that might come from your facility and cause public concern or inquiries (e.g., smoke, large relief valves, odors below hazardous levels such as mercaptans or amines, etc.)
Prepared by; Reviewed by; Date: Plant Superintendent or Manager; Site Review Representative; Additional Management Review (if required)

Figure: Chemical Exposure Index based on a 2 inch leak, vapour and liquid (x 10 = distance to ERPG-2 conc.). Vertical axis: CEI, 100 to 1000; series: Gas Release, Liquid Release. All releases are from a 2 in. diameter hole. Storage conditions are 25 degrees C and saturated.
Chemicals plotted: Styrene, Toluene diisocyanate, Ethylene dichloride, Epichlorohydrin, Propylene oxide, Vinyl acetate, Vinyl chloride, Acrylonitrile, Vinylidene chloride, Allyl chloride, Benzene, Methyl chloride, Ethylene oxide, Sulfuryl fluoride, Butadiene, Hydrogen fluoride, Sulphur trioxide, Ammonia, Hydrogen sulfide, Sulphur dioxide, Carbon monoxide, Chlorine, Hydrogen chloride, Phosgene.

Chemical Exposure Index
Review Process
Purpose of Review
Focus on what CAN and WILL BE DONE to:
Eliminate Release
Reduce Release Quantity
Mitigate Release After It Occurs

Chemical Exposure Index
Workshop
Determine Scenarios of Butadiene:
Process Pipe
Hoses
Relief Devices
Vessels
Overflows & Spills
Other

CEI Scenario: POLYMER PLANT (sketch)
Tank car (T/C): 20 metric tons liquid butadiene, ambient, 250 kPa, 25°C; 2" unloading hose; assumes 760 kg/min unloading rate.
Storage tank T-110: liquid butadiene with butadiene vapour space, 300 kPa, 7 deg C.
Labelled points on the sketch: 3: 500 kPa liquid; 5: 760 kg/min at 25°C.
Vapor: 225 kg/min.
Legend (points 1 to 6): Piping (Vapor Line, Pump Suction Line, Pump Discharge Line), Hoses (2" Unloading Hose), Overfill, Relief Device.

Chemical Exposure Index
CEI Workshop
Determine what scenarios should be used to determine the airborne quantity for butadiene unloading, storage, and transfer. Several assumptions will need to be made. Please state any assumptions when identifying a scenario.
Process Pipes
1. Assume 75mm vapor connection on tank.
2. Pump Suction - assume 100mm line; 200kPa g and 7 deg C (tank)
3. Pump Discharge - assume 75mm line; 500kPa g and 7 deg F (tank)
Hoses
4. 50mm Connection - assume 50mm hose, 250kPa g and 25 deg C Tank Car temperature
Relief Devices
Sized at 225 kg/min 2 phase flow (Assume all airborne)
Vessels
Same scenarios as Process Pipes.
Overflow and Spills
5. Overfill during unloading - assume 760kg/min at 25 deg C
Others
None identified yet

Chemical Exposure Index
CEI Workshop
Properties for Butadiene from spreadsheet tool

Chemical Exposure Index
CHEMICAL EXPOSURE INDEX SPREADSHEET
Major aid in the determination of CEIs
Contains entire CEI Guide in help screens
PURPOSE
Provide improved accuracy
Much faster calculations
Provide electronic format
Can more easily document information
USE OF SYSTEM
Read operating procedure (README FIRST.DOC)
Download English or SI units folder

Chemical Exposure Index
Parting Shot
CEI is a screening tool!
Three Keys
Eliminate the Potential Hazard
Reduce the Potential Release: the QUANTITY of material, the DURATION of the release, the FREQUENCY of the release
Provide Mitigation: reduce the impact (consequences) of the release

Brief description of the Dow Chemical Company's Chemical Exposure Index methodology.
The Chemical Exposure Index (CEI) provides a simple method of rating the relative acute health hazard potential to people in neighboring plants or communities from possible chemical release incidents. Absolute measures of risk are very difficult to determine, but the CEI system will provide a method of ranking one hazard relative to another. It is NOT intended to define a particular design as safe or unsafe.

The CEI is used:
For conducting an initial Process Hazard Analysis (PHA).
As a screening tool for further study.
In Emergency Response Planning.

A full description of the method is available from the PROMIS web portal: PROMIS Chemical Exposure June 2008.
A simple Excel spreadsheet calculator is available: Chemical Exposure June 2008.xl
A training presentation is available on PROMIS: Chemical Exposure June.ppt

Hazard and Operability Study - HAZOP
Well accepted method of identifying Hazardous Scenarios in process plants

HAZard and OPerability Study
A rigorous and systematic method of studying a process to identify potential problems and deviations from expected operation
Can be used for:
New capital projects
Existing plants
Management of Change
Hazards are caused by DEVIATIONS from the DESIGN INTENTION
HAZOP is a method for generating these DEVIATIONS using GUIDE WORDS

by Todd Hoffmann

HAZard and OPerability Study
Rigorous and systematic means that it is an excellent tool for identifying the hazardous scenarios of the process that is studied
However ......................

HAZOP is Time Consuming!

Normal scope of a HAZOP
Based on the operating unit(s) generating the significant consequences (fire, explosion, toxic release, financial loss)
Basic criteria, e.g. Fire and Explosion Index > X, or Chemical Exposure Index > Y, or ERPG extends beyond the fence line, or new technology, or large production outage.
All steps from start up, through normal running to shut down

HAZOP method
Team of maximum 6 persons from (example): production engineer, programmer, process control / instrumentation, process chemist, shift operations team member, study leader/facilitator

HAZOP method
P&ID split up into nodes - small, manageable sections of plant, e.g. pump and filter, reactor and its connected pumps and valves, distillation column and its reboiler and condenser.
Experience of the leader dictates the size of nodes.
Each node connects to upstream and downstream nodes

Typical nodes
Figure: P&ID sketch showing NODE 1 and NODE 2 around equipment E 201, R 201 and P 201.

Nodes
Usually start with a small node
As experience builds, move to a larger node
Follow the leader's intuition
If the team gets bored, the node is probably too small
If the team gets confused, the node is probably too big

Starting the study:
The most knowledgeable person describes the INTENTION of the node
Composition (which chemicals are in the equipment)
Flow, temperature, pressure, phase, quantity, agitation etc. Anything important to the process
Leader records for study team reference

Study is based on PARAMETERS
Flow
Temperature
Pressure
Level
Composition
Agitation
Anything it is important to control

In combination with GUIDE WORDS
No
Less
More
Reverse
Instead of or Other than (e.g. something else or wrong composition)

Combinations of parameters and guide words are DEVIATIONS
No flow
Less flow
More flow
Reverse flow
Flow of something not planned
More temperature
Less temperature
And so on...

Parameters are logical combinations like...
More temperature
Less pressure
Ignore illogical combinations like:
X Reverse temperature

This is the blank record sheet:
Design Intention: ..................
Columns: GUIDE WORD | PARAMETER | CAUSES | CONSEQUENCES | ACTION

Start with Deviation "No Flow"
Team gives all the causes for no flow in the lines and equipment inside the node
Leader prompts their thinking
These causes are recorded on the record sheet, flip chart or in a software package
When the ideas dry up, move on to CONSEQUENCES

Design intention: 20% A reacts with 30% B in presence of water as heat sink to control exotherm at 130°C. Agitator must run.
Possible causes
GUIDE WORD: No | PARAMETER: Flow
CAUSES:
(1) Manual valve closed
(2) Line blocked
(3) No feed supply (tank empty)
(4) Supply line ruptured
(5) Plant shut down
(6) P 201 pump fault
(7)
(8) ............................
(9) Material flowing somewhere else
(10) .........................
CONSEQUENCES | ACTION

When you think you have all causes, list the possible consequences:
GUIDE WORD: No | PARAMETER: Flow
CAUSES -> CONSEQUENCES:
(1) Manual valve closed -> (1) Pump P201 starved/overheats
(2) Line blocked -> (2) as (1)
(3) No feed supply -> (3) Pump runs dry
(4) Supply line ruptured -> (4) As (3) plus large leak
(5) Plant shut down -> (5) Normal event - no hazard
(6) P 201 pump fault -> (6) Flow stops/pump damage
(7) ..
(8) .
(9) Material flowing somewhere else -> (9) Other hazards if this is possible (similar to wrong valve line up)
(10) ........................
ACTION

Team decision on the ACTION column
Team may decide if any new action is needed
Can record as safeguards any protective devices or alarms which become active, e.g. PSVs
Can refer a decision outside the team
Can refer serious consequences for consequence analysis
MUST NOT REDESIGN THE PLANT in the HAZOP study session!!

After no flow
Repeat the exercise for less flow (usually similar to no flow)
Repeat the exercise for more flow
Repeat the exercise for reverse flow
Repeat the exercise for composition (other than expected material composition)
UNTIL FLOW is completely studied

After flow
List causes for more temperature
Proceed to consequences for more temperature
Repeat all steps as for flow
When temperature is studied, go to pressure
After pressure, consider other parameters, e.g. agitation (use the design intention as a guide)

When parameters are all done for node 1
Repeat the whole process for node 2
And all the other nodes defined in the study scope
List actions and responsibility for follow up
In case of major consequences, or many instrumented safeguards identified or defined as actions/additions, do a Layer of Protection Analysis (later in this training programme)
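The guide-word procedure and the "No flow" record sheet walked through above, as an added example that is not part of the course material: it generates the deviations in the study order the slides describe (all guide words for flow, then temperature, then pressure, and so on), skips the illogical pairings the slides say to ignore, and tracks which hazardous rows still have no action recorded. Which guide-word/parameter pairings count as logical, and the node name, are assumptions made for this example.

```python
"""HAZOP deviation generation and record sheet, following the slides.

Added example, not part of the course material. PARAMETERS x GUIDE WORDS give
DEVIATIONS; pairings the study would ignore (e.g. "reverse temperature") are
filtered out by an assumed table. The record sheet holds the slides' "No flow"
causes and consequences so that rows still lacking an action can be listed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

PARAMETERS = ["Flow", "Temperature", "Pressure", "Level", "Composition", "Agitation"]
GUIDE_WORDS = ["No", "Less", "More", "Reverse", "Other than"]

# Assumed for this example: which guide words make sense for each parameter.
LOGICAL_GUIDE_WORDS: Dict[str, List[str]] = {
    "Flow": ["No", "Less", "More", "Reverse", "Other than"],
    "Temperature": ["Less", "More"],
    "Pressure": ["Less", "More"],
    "Level": ["No", "Less", "More"],
    "Composition": ["Other than"],
    "Agitation": ["No", "Less", "More"],
}


def deviations(parameters: List[str] = PARAMETERS,
               guide_words: List[str] = GUIDE_WORDS,
               logical: Dict[str, List[str]] = LOGICAL_GUIDE_WORDS) -> List[str]:
    """Deviations in study order: every guide word for one parameter before
    moving to the next parameter, as the slides describe."""
    return [f"{g} {p.lower()}"
            for p in parameters
            for g in guide_words
            if g in logical.get(p, [])]


@dataclass
class Row:
    guide_word: str
    parameter: str
    cause: str
    consequence: str = ""
    hazardous: bool = True      # False for "normal event - no hazard"
    safeguards: str = ""
    action: str = ""


@dataclass
class NodeRecord:
    node: str
    design_intention: str
    rows: List[Row] = field(default_factory=list)

    def add_cause(self, guide_word: str, parameter: str, cause: str) -> int:
        """Record a cause for a deviation; returns its 1-based number on the sheet."""
        self.rows.append(Row(guide_word, parameter, cause))
        return len(self.rows)

    def set_consequence(self, number: int, text: str, hazardous: bool = True) -> None:
        row = self.rows[number - 1]
        row.consequence, row.hazardous = text, hazardous

    def open_items(self) -> List[int]:
        """Hazardous rows with no action yet (to refer out, record a safeguard,
        or send for consequence analysis)."""
        return [i + 1 for i, r in enumerate(self.rows) if r.hazardous and not r.action]

    def render(self) -> str:
        lines = [f"Node: {self.node}", f"Design intention: {self.design_intention}",
                 "No | Guide word | Parameter | Cause | Consequence | Safeguards | Action"]
        for i, r in enumerate(self.rows, 1):
            lines.append(" | ".join([str(i), r.guide_word, r.parameter, r.cause,
                                     r.consequence, r.safeguards, r.action]))
        return "\n".join(lines)


def no_flow_example() -> NodeRecord:
    """The 'No flow' worked example from the slides; the node name is constructed."""
    rec = NodeRecord("Node 1 (constructed name)",
                     "20% A reacts with 30% B in presence of water as heat sink "
                     "to control exotherm at 130 C. Agitator must run.")
    for cause in ["Manual valve closed", "Line blocked", "No feed supply (tank empty)",
                  "Supply line ruptured", "Plant shut down", "P 201 pump fault",
                  "Material flowing somewhere else"]:
        rec.add_cause("No", "Flow", cause)
    rec.set_consequence(1, "Pump P201 starved/overheats")
    rec.set_consequence(2, "As (1)")
    rec.set_consequence(3, "Pump runs dry")
    rec.set_consequence(4, "As (3) plus large leak")
    rec.set_consequence(5, "Normal event - no hazard", hazardous=False)
    rec.set_consequence(6, "Flow stops/pump damage")
    rec.set_consequence(7, "Other hazards if this is possible (similar to wrong valve line up)")
    return rec


if __name__ == "__main__":
    print(deviations())
    sheet = no_flow_example()
    print(sheet.render())
    print("open items:", sheet.open_items())
```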

HAZOP STUDY MEETING RECORD
Header fields: P&ID no | Node No. | Node Description | Design Intention
Columns: Guideword | Parameter | Cause | Consequence | Existing Safeguards | Recommendation | By

HAZARD AND OPERABILITY STUDY


(HAZOP)

Technical Director European Process Safety Centre


2012

Course Tutors:
Richard Gowland
Willem Patberg

CONTENTS

THE COURSE MANUAL .......................................................... 3
INTRODUCTORY REMARKS ......................................................... 3
WHAT IS A HAZOP STUDY? ........................................................ 4
PLANNING THE HAZOP STUDY ...................................................... 6
HOW IS A HAZOP STUDY CONDUCTED? ............................................... 7
HAZOP STUDY PROCEDURE ......................................................... 7
RISK RANKING IN HAZOP STUDY .................................................. 14
THE HAZOP TEAM AND SPECIFIC ROLES ............................................ 15
TYPICAL HAZOP STUDY MEETING FORM ............................................. 18
THE PRODUCTS OF A HAZOP STUDY ................................................ 19
WORKSHOP EXERCISES ........................................................... 22
APPENDIX A: LIST OF SUGGESTED FAILURE MODES AND CAUSES ....................... 27
APPENDIX B: IDENTIFYING NODES ................................................ 28
APPENDIX C: ESTIMATING THE TIME REQUIREMENTS FOR A HAZOP ..................... 33
APPENDIX D: KEEPING THE TEAM'S ATTENTION AND SUPPORT ......................... 35

This manual explains the technique of HAZOP study. It accompanies the training
programme delivered by the named course tutors.
Further literature is referred to in the appendix.
The manual is in sections, which will be covered at various points in the course. The
sections are:

Introductory Remarks

What is a HAZOP study?

How is a HAZOP study conducted?

What are the outcomes of a HAZOP study?

Appendices

The aims of the course are:

To prepare you to take part in HAZOP studies during your work.

To prepare you to implement the findings of a HAZOP.

To allow a participant to understand HAZOP and allow development towards
HAZOP team facilitation and leadership.

Course Tutors:

Richard Gowland and Willem Patberg

Introductory Remarks

Why is HAZOP a recommended practice?


HAZOP is very good at identifying the small deviations in the operation of the system
in the middle/base of the triangle that may lead to the events at the apex.
Eliminating at least some of these base events will break the chain that leads to the
bigger events.
Safety is assured by providing:

Plant & equipment that is fit for the purpose of reducing the risks from
identified hazards as far as is reasonably practicable (so you have to identify
these hazards first).

Systems and procedures to operate and maintain that equipment in a
satisfactory (what does satisfactory mean?) manner and to manage all
associated activities (what are the associated activities?).

People who are competent, through knowledge and skills, to operate the plant
and equipment and to implement the systems and procedures.

What is a HAZOP Study?

Hazard and operability study (HAZOP) is a formal, qualitative, systematic and
rigorous examination of a plant, process or operation to identify credible deviations
from the design intent in the context of the complete system that can contribute to
hazards or operability problems, by applying the experience, judgement and
imagination, stimulated by key words, of a team.
To be called a HAZOP, each of the points in the definition must be satisfied.
Hazard: Something with the potential to cause harm.
Operability Problem: A difficult or complex operation which could be improved to
reduce risk of accident.
Qualitative: You decide if something CAN happen. Risk Assessment after a HAZOP
Study is covered later in the Process Safety course.

Systematic: The HAZOP study should consider all parts and all modes of the plant
or operation, not just the things that seem at first sight to be a problem. The plant or
operation is split into nodes or lines, which are studied individually. This study
extends from normal steady state operation to start up and shut down, as well as
commissioning and decommissioning and any other state you can imagine. Don't
ignore minor parts of the system (e.g. utilities).
Deviations: These describe possible ways that a process may go from a safe to an
unsafe condition. For example, the temperature of the reactor goes outside
the designed safe range. In HAZOP, deviations are normally combinations of
guide words and parameters, e.g. More Flow or Less Flow.
HAZOP Team: HAZOP is not a solo exercise. An appropriate HAZOP team will
include a range of competent persons who can contribute to improving safe
operation.

Competence: The HAZOP team needs to be made up of competent persons. This
course does not provide a detailed list of competence but it does suggest the roles
who should be in a HAZOP team.

Guide Words: These help to identify possible deviations. These have been
developed over many years and found to be applicable to a wide range of situations.
Typical guide words are: more, no, less, instead of, reverse, etc.
Parameters: These are the process conditions of interest. Typically these are flow,
pressure, temperature, phase, composition, etc.

Documentation: A range of documents is required for an effective HAZOP study.
These include:

Process Descriptions with operating conditions such as Temperature,
Pressure, flow etc.

Physical Properties of the materials in the process

Process Flow Diagrams

Piping and Instrument Diagrams (P&IDs)

Team members, with a justification for their choice.

Hazards vs Operability Problems

HAZOP is designed to uncover both hazards and operability problems, not just one
of them. Operability problems have a history of becoming hazards over time,
particularly when people are involved (which they always are).

The use of HAZOP results in:

Fewer commissioning and operational problems;

Better informed personnel;

Plant or Process Improvements for eliminating or reducing the probability of
operating deviations;

Evidence for the regulatory authorities (and e.g. the Insurance Company) that
a comprehensive safety review has taken place;

Additional safety documentation for the lifetime records, which are also
applicable to design changes and any modifications that may occur during the
lifetime of the installation.

Planning the HAZOP:


Scheduling the HAZOP sessions:
It is difficult to predict how long a HAZOP will take. Typically the first node will take
much longer than the subsequent ones. The study speeds up as the team becomes
familiar with the method and the way the process operates. A rule of thumb is that
the first node will take at least 2 hours and the subsequent ones 1 hour or less. This
obviously depends on process complexity. The team needs to be alert for the whole
of the study and for this reason it is recommended that not more than 6 hours per day
is devoted to the study. For further guidance see Appendix B.

Selecting nodes:
Usually the selection of a node is for a unit operation such as a reactor, distillation
column, reboiler, condensate receiver, etc.
The HAZOP team:

A team of people knowledgeable about different aspects of the plant design and
operation.

A team leader who is:

Independent of the project;

Experienced in leading HAZOP studies;

Primarily responsible for planning, leading, managing and progressing (NOT
contributing technically to) the study; and

Skilful in the general management of meetings and groups of people (who
often have diverse interests and motivations).

Make sure that other operating modes are considered, especially:

Start-up;

Shut-down;

Commissioning;

Decommissioning;

Isolation of equipment for e.g. maintenance;

Proposed modifications.

HAZOP Outcomes:

HAZOP is a means of identifying hazardous scenarios, which can be:

Protected against or prevented;

Fully understood by the necessary persons;

Used for further risk studies.

How is a HAZOP Study Conducted?


HAZOP is an examination based on the principle that an incident can only arise if
there is a deviation from the design intent.
In other words the design and operating team are capable of designing and
operating within normal operating conditions but potential problems are liable to be
overlooked because of the complexity of the system rather than lack of knowledge
amongst the design team members.
HAZOP Study Procedure
HAZOP study is applicable at any stage throughout the lifetime of the plant or the
duration of the operation. Generally, however, the study is initially carried out when
the drawings have reached the "Approved for Design" or equivalent stage. The in-meeting
procedure is flowcharted at the end of this section.
The HAZOP procedure diagram shows that the study procedure actually consists of
examining the process or operation section by section (node by node). The first step
is defining the study sections (nodes). This is done prior to the HAZOP meeting(s),
and is usually the responsibility of the Team Leader (see Appendix B).
Process plant designs are normally defined in a set of key documents. Whilst the
details may vary from one organisation to another, the following are virtually
universal:

Process Flow Diagram (PFD).

Piping and Instrumentation Diagrams (P&IDs).


Process calculations.

Cause and Effect Charts.

Process data sheets.

Instrument data sheets

Interlock schedules.

Hazardous area classification information.

Operating instructions, if available.

General Arrangement / Layout drawings.

Equipment data sheets.

Record of high and low pressure interfaces.

The HAZOP experience of the team should be checked prior to the meetings, and
any individuals new to HAZOP informally briefed on what will go on.

The HAZOP STUDY: The HAZOP team leader should explain how the nodes on the
first P&ID are selected. A process-knowledgeable person (e.g. Process Engineer)
should describe the design intent of the node being studied. This should be recorded.
A check list of guide words and relevant properties or parameters will have been
specifically prepared by the Team Leader for application to the particular study and
by means of this deviations from normal operation can be identified.
The Leader then introduces the first parameter to be studied, e.g. FLOW. He
combines this with a GUIDE WORD, e.g. NO or NONE.
The team is then required to give all the causes for NO FLOW. These are recorded.
For each of these causes, the CONSEQUENCE which could occur is now offered by
the team and each is recorded.
In each of these cases, the safeguards which prevent the deviation/consequence or
respond to it are recorded (with tag numbers).
The team assigns an approximate likelihood and severity scale to each of the cases.
This is used to highlight and prioritise action and follow up.
The team makes a judgement about the adequacy of the protection and if not
satisfied, can recommend more protection or further study. This is entered into the
record as RECOMMENDATION.
When the team is satisfied, the Leader introduces the next combination of GUIDE
WORD and PARAMETER, e.g. Reverse Flow, and the team carries out the same procedure.
When all the deviations relating to flow are complete, the next parameter, e.g.
Temperature, is addressed: More Temperature, Less Temperature, etc.
When all the deviations (flow, temperature, pressure, phase, composition, other
than/instead of) have been studied, the next node is addressed.
This repeats until the whole scope of study is completed.

HAZOP procedure flowchart (steps and branches as labelled on the diagram):

Prepare for the Study
-> Apply Word to Node to identify a Deviation
-> Is there a Cause for this Deviation?
     N: Other Causes or choose next Word & identify Deviation
     Y: Does it result in a Hazard or an Operability Problem?
-> Identify Safeguards
-> Safeguards Inadequate or is there anything else that needs to be checked?
     Y: Make Recommendation
-> All Words Applied?
     N: choose next Word & identify Deviation
     Y: Next Node
-> HAZOP Review

Guide word            | Parameter                                    | Typical Deviation
None/No               | Flow, Pressure, Level                        | No forward flow when required.
Reverse               | Flow                                         | Flow is going in the opposite direction to the design intent.
More                  | Flow, Pressure, Quantity, Temperature, Level | More of any relevant physical parameter than there should be. More flow rate, more quantity, more temperature, pressure, etc.
Less                  | Flow, Pressure, Quantity, Temperature, Level | As for more but less in each instance.
Part of               | Composition                                  | The components are correct but the system composition, i.e. concentration, is different from the design intent.
More than             | Composition                                  | Additional substances (other than those intended in the design) are present, e.g. impurities, an extra phase, solids.
Other than/instead of | Flow                                         | What other materials can flow, e.g. air/nitrogen during commissioning of hydrocarbon pipelines. Wrong materials? What needs to happen other than normal operation, e.g. start-up, shut-down, maintenance, sampling, etc.?
Sooner than           | Action                                       | Error (by the operator or control system).
Later than            | Action                                       | Error (by the operator or control system).

Each industry has its own set of (parameter) words. To identify the parameters of
interest, look for what is being controlled on the plant in the first instance.
After identifying the deviation,
Guide word + Parameter = Deviation
The team has to identify any possible causes (see Appendix A for a suggested set of
issues to investigate), which could result in the deviation from either design or
operating intent.
The team needs to conclude if the deviation is credible and can be studied. Non-credible
deviations should also be recorded along with the reasoning for this.

If it is established that the deviation is credible (i.e. if a cause can be identified for the
deviation), then the potential consequences ignoring any safeguards
Safeguards
The proven safeguards (preventative, indication and mitigation) that have been
designed into the system against such a possibility must also be identified.
"Proven" means that they can be proved to be in place and up to the job demanded of
them; typically they are capable of a test and are tested in an appropriate way.
The team (not the leader or an individual) must then make some judgement on
whether or not the safeguards are adequate and complete. In judging this, the
following must be considered.

The consequences of the deviation. The more severe this is, the greater the
degree of protection is needed.

How the operator becomes aware of the deviation and is able to respond (time
available etc.)

Whether the safeguards prevent (act on the cause) or mitigate (act on the
consequences) the deviation.

The nature of the safeguards: engineered, instrumented or procedural.

What other components of the safeguard are required (e.g. training,
instructions)?

Is the safeguard testable? If it cannot be tested and maintained, care is
needed. It may not be relied upon.

Has the safeguard been identified? E.g. by Tag Number.

Should the results be incorporated in further study such as Layer of Protection
Analysis (LOPA)?

The primary safeguards to be defined for any fault sequence should be, in order of
preference:

Preventative engineered passive systems. These protect against the onset of
the fault sequence without any operator or system response. An example
would be the use of intrinsically safe electrical systems to protect against the
initiation of a detonation of a hazardous atmosphere.

Preventative active engineered systems, automatically initiated. These require
the system to respond to the initiation of the sequence, but without any
operator intervention. Examples are: Safety Instrumented Systems and Safety
Related Protection Systems such as Relief Valves.

Preventative active engineered systems, manually initiated. These require the
operator to respond to the initiation, or conditions for initiation, of the
sequence.

Preventative management systems. These include e.g. training and
instructions or working to a safe system of work.

Engineered passive systems which mitigate the consequences. These
safeguards act, without any operator or system intervention, to mitigate the
consequences of a fault sequence or limit its development. An example is a
diking or bunding system of secondary containment.

Engineered automatically initiated active systems which mitigate the
consequences. These safeguards act, after system initiation but without any
operator intervention, to mitigate the effects of a fault sequence or limit its
development. An example is a fire sprinkler system which is automatically
initiated on the detection of a fire. Such a safeguard comprises the sprinkler
system, the fire detection instrumentation and the causative link between the
two. A further example is the emergency brakes on crane hoists.

Engineered manually initiated active systems which mitigate the
consequences. These safeguards act, after operator initiation, to mitigate the
effects of a fault sequence or limit its development. Such a safeguard
comprises the instrumentation or other which detects the fault condition and
warns the operator, as well as the mechanism or equipment which takes the
preventative action when activated by the operator. The instructions to the
operator are also a part of such a safeguard. An example is an emergency
stop on cranes and hoists.

Management systems which mitigate the consequences of a fault sequence.
These include, for example, local emergency instructions and the site
emergency plan (for large events) and the site emergency services
(ambulance, fire, etc.).

If it is judged that the installed safeguards are inadequate, then the team will either
(a) make a recommendation, (b) ask further written questions from an identified
source or (c) refer to further study such as LOPA (all listed in the Recommendation
or Action column of the record sheet) to ensure that further precautions are taken.
This need is often defined by combining the seriousness and probability using a
Risk Ranking Matrix.
Recommendations / Actions
Recommendations should be clear and complete, and include all necessary follow
up with the persons responsible for action. There needs to be a formal means of
ensuring that this follow up is completed. This could include an agreement to provide
further protection or a reason why the recommendation was not applicable or an
alternative provided.
Risk Ranking:
The team may assign a Consequence Severity and Likelihood to each case. This can
be used to prioritise action and highlight areas where safeguards may not be
adequate.
Set below is an example:

HAZOP STUDY SESSION

[Prioritizing Grid: Severity (1-5) against Likelihood (1-5), with cells marked High, Medium or Low priority]

Severity                                   | Likelihood
1 Catastrophic (Fatality/Major Damage)     | 1 High (>1/yr)
2 High (Severe Injury/Property Damage)     | 2 Moderate (1/yr - 1/3 yrs)
3 Medium (Moderate Injury/Property Damage) | 3 Medium (1/3 - 10 yrs)
4 Low (Light Injury/Property Damage)       | 4 Low (1/10 - 30 yrs)
5 None                                     | 5 Very Low (1/30 - 100 yrs)

The HAZOP Team and Specific Roles


The HAZOP team must be:

Small enough to be efficient (6-7 people is the ideal number).

Made up of a core membership, adding other specialist members as and when
required (do not have persons as observers).

Sufficiently skilled to carry out a fully comprehensive study.

A typical HAZOP team (for a process application) consists of:

Team Leader.

Secretary/Scribe.

Instrument/Control Engineer.

Process/Design Engineer.

Operational personnel.

Maintenance personnel.

Some of these roles may be shared by individuals. It is advised that a team
containing more than 6 persons is likely to prove difficult to manage.

The Team Leader:

Plans the study (in particular to identify nodes, estimates programme
requirements). See Appendix A, B, C for guidance.

Maintains the momentum of the study.

Encourages team members to contribute.

Spots any unproven assumptions, and challenges them.

Summarises discussion on particular points, for incorporation into the Record.
The Team Leader can use this to focus the minds of the Team Members.

Prompts discussion if it is drifting or members are too passive.

Stops discussions where the resolution of issues requires outside help or is
simply unresolvable by the team members. These issues need to show as a
recommendation for resolution outside the HAZOP study.

Ensures that the study is complete.

Uses his experience to prompt, encourage and guide the team towards a
conclusion.

Schedules the stop time for the day.

The Team Leader does not:

Impose his views;

Make decisions. This is the team's responsibility.

To achieve these roles the team leader should, if possible, be:

Independent of the project;

Understanding of the process studied: this allows the leader to ask questions
to prompt the study.

The Team Secretary (Scribe):

Records the discussion under the direction of the Team.

The secretary is ideally:

Technically competent in the project (i.e. knows all the words, numbering
conventions, etc.);

Able to work closely with the Team Leader.

Team members must:

Be prepared, knowledgeable for their role;

Be sufficiently senior (i.e. someone whose judgement will be trusted) to make
decisions;

Be aware of their importance to the study;

Have allowed sufficient time for the study;

Be prepared for the intellectual rigour of HAZOP;

Be prepared to be challenged on things they have previously taken for
granted;

Be alert and responsive;

Recognise that things can, and do, go wrong and that even the most
improbable incident imagined in the HAZOP is possible;

Understand what causes accidents.

Customised Key Words and Parameters


The examples above are classical key words and parameters. Many industries have
developed their own additional words. Those that are particularly useful and have
generic applicability are discussed below.
If presented with such words, imagine the source of those hazards. List them all.
Then treat them as deviations using the procedure already described.
Examples of such key words are discussed below.
Commissioning, start-up and shut-down
The normal HAZOP study is carried out under steady state operating conditions. On
some processes the conditions under start-up and shut-down (including before and
after maintenance) will be different. The team must look at these conditions
separately to ensure that no new problems occur. These may also present other
problems, due perhaps to the need for adding temporary equipment and
instrumentation, or disabling interlocks, etc.
If done properly, the issues surrounding such states should have been already dealt
with. For example, one cause of Low Flow is that the system hasn't got up to speed
yet (i.e. is starting up). These issues should be discussed when identified rather than
parked.
Domino effects
The effect on adjacent plants (and vice versa) of the plant under consideration should
be considered, in line with the agreed scope of the study. An untoward incident in
one plant can have serious consequences on an adjacent plant, particularly if the
incident releases large amounts of energy, toxic or flammable materials.
Decommissioning and demolition
In the past little attention was paid to the problems at the end of the life of a plant.
The accident record during such operations is very high and many incidents could be
avoided by better planning at the design stage. Revisiting the HAZOP at this stage is
recommended.

TYPICAL HAZOP STUDY MEETING FORM

Project Number____________ STUDY TITLE______________________________
Drawing/Operation No___________________________   Date____________   Sheet________of ______   Mod__________________

Columns: Deviation | Cause | Consequence | Existing Safeguards | Recommendation | By | Notes

The Products of a HAZOP study

A properly conducted HAZOP study will result in the following outputs:

List of Actions / Recommendations;

A Report;

A list of team members and their competencies/qualifications/job roles.

Recommendations
HAZOP makes Recommendations during the discussion. In HAZOP, the team (not
the leader) defines them. These need to go into the follow up system of the company.
All recommendations need to be considered, but the HAZOP team is not responsible
for the final decisions on implementation.

The HAZOP study is completed when all recommendations have achieved closure.
Report
A HAZOP Report will form part of the Operational Discipline for the plant and is
maintained through document management and updated via Management of Change
and periodic review.
The contents of a study report should include:

Scope, i.e. the facility, process or operation studied, and the aim of the study (I
have carried out studies aimed at identifying safety and operability problems).

Description, a brief description of the facility / operation / process that was
studied, in enough detail to understand the study.

HAZOP methodology (as appropriate), the HAZOP words (guide and
parameter) used, the justification of any deviations or faults dismissed, and a list
and description of the HAZOP nodes studied.

Team members and competencies and job roles.

Summary of main findings.

HAZOP study records (see notes below on recording for what these should
cover).

Recommendations and Responses.

Supporting Material (e.g. signed drawings marked with the nodes studied).

Notes on Recording of HAZOP Studies during the Meetings

There are two methods of recording a HAZOP study; either in full or by exception.
If Recording in Full is being used then all parameters, deviations, consequences
and existing safeguards are recorded whether or not any further action is required.
When Recording by Exception is being used then only deviations that require
further action are recorded.
Before commencing a study a decision has to be made as to which type of recording
will be used. The advantages and disadvantages of each are:

              | Recording in Full                                            | Recording by Exception
Advantages    | Produces a complete study record.                            | Much quicker reporting method.
              | Helps future audits.                                         | A separate secretary (scribe) may not be required.
              | Can be more useful in any future accident investigations.    | Report is significantly shorter.
              | Can assist in future plant changes.                          | Emphasises the identified problems.
              | Provides information for production of the operating manual. |
Disadvantages | Can lengthen the HAZOP study time.                           | May not be accepted as a true record by external authorities or insurance companies.
              | Can become tedious and repetitive. This may be off-putting.  |

The default position should always be to record in full. An example of a suitable
HAZOP record, and the amount of detail required, is shown on the following pages.
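As an added example that is not part of the course manual or its authors' material, the following Python sketch ties together the study procedure described earlier (node by node, parameter by parameter, guide word by guide word), the "Guide word + Parameter = Deviation" rule with the parameter list from the guide word table, the severity and likelihood scales from the risk ranking section, and the two recording methods above. All node names, causes, safeguard tags and ranks are constructed; using the product of the two ranks as a priority score is this example's own assumption and does not reproduce the manual's grid.

```python
"""Added example, not code from the course manual or its authors. It walks a
node parameter by parameter and guide word by guide word (the order the
procedure section prescribes), keeps every case under the meeting-record
columns, checks that all words have been applied before the node is closed,
and ranks cases with the severity and likelihood scales from the manual.
Node names, causes, safeguard tags and ranks below are constructed."""
from dataclasses import dataclass

# Guide word -> parameters it is normally applied to (from the manual's table).
GUIDE_WORDS = {
    "None/No": ("Flow", "Pressure", "Level"),
    "Reverse": ("Flow",),
    "More": ("Flow", "Pressure", "Quantity", "Temperature", "Level"),
    "Less": ("Flow", "Pressure", "Quantity", "Temperature", "Level"),
    "Part of": ("Composition",),
    "More than": ("Composition",),
    "Other than/instead of": ("Flow",),
    "Sooner than": ("Action",),
    "Later than": ("Action",),
}
# Ranking scales from the manual (rank 1 is the most serious / most frequent).
SEVERITY = {1: "Catastrophic", 2: "High", 3: "Medium", 4: "Low", 5: "None"}
LIKELIHOOD = {1: "High (>1/yr)", 2: "Moderate (1/yr-1/3 yrs)",
              3: "Medium (1/3-10 yrs)", 4: "Low (1/10-30 yrs)",
              5: "Very Low (1/30-100 yrs)"}


def deviations(parameters):
    """Guide word + parameter = deviation, in study order: every guide word
    for one parameter is finished before the next parameter is started."""
    return [f"{word} {param}" for param in parameters
            for word, applies_to in GUIDE_WORDS.items() if param in applies_to]


@dataclass
class Case:
    """One line of the HAZOP meeting record."""
    node: str
    deviation: str
    cause: str
    consequence: str = ""
    safeguards: tuple = ()      # identified by tag number, as the manual asks
    severity: int = 5
    likelihood: int = 5
    credible: bool = True
    reasoning: str = ""         # required when a deviation is judged non-credible
    recommendation: str = ""    # set when the team judges safeguards inadequate

    def risk_score(self):
        """Assumption for this example only: priority = severity rank x
        likelihood rank (1 = most urgent, 25 = least); the manual's grid
        bands are not reproduced."""
        return None if not self.credible else self.severity * self.likelihood


class HazopRecord:
    def __init__(self):
        self.cases = []          # the record in full

    def add(self, case):
        if case.severity not in SEVERITY or case.likelihood not in LIKELIHOOD:
            raise ValueError("severity and likelihood must be ranks 1-5")
        if not case.credible and not case.reasoning:
            raise ValueError("non-credible deviations need recorded reasoning")
        self.cases.append(case)

    def unstudied(self, node, parameters):
        """The flowchart's 'All Words Applied?' check for one node."""
        done = {c.deviation for c in self.cases if c.node == node}
        return [d for d in deviations(parameters) if d not in done]

    def actions(self):
        """Recording by exception: only cases needing follow up, most urgent first."""
        todo = [c for c in self.cases if c.recommendation]
        return sorted(todo, key=lambda c: c.risk_score() or 26)


def build_sample_record():
    """Constructed cases for the transfer-line node of the first workshop."""
    rec = HazopRecord()
    node = "IST to RFST transfer line"
    rec.add(Case(node, "None/No Flow", "transfer pump trips",
                 "RFST level falls; reactor feed interrupted",
                 safeguards=("LAL-101 (constructed tag)",),
                 severity=4, likelihood=2))
    rec.add(Case(node, "Less Flow", "pump running at reduced speed",
                 credible=False, reasoning="same consequences as No Flow"))
    rec.add(Case(node, "Reverse Flow", "pump stopped, discharge check valve passing",
                 "RFST contents drain back towards IST; nitrogen blanket lost",
                 severity=3, likelihood=3,
                 recommendation="confirm check valve is on the test schedule"))
    rec.add(Case(node, "Other than/instead of Flow",
                 "air left in line after commissioning",
                 "flammable mixture carried into RFST",
                 severity=2, likelihood=4,
                 recommendation="add nitrogen purge step to commissioning procedure"))
    return rec


if __name__ == "__main__":
    record = build_sample_record()
    print("still to study:", record.unstudied("IST to RFST transfer line", ["Flow"]))
    for case in record.actions():
        print(case.risk_score(), case.deviation, "->", case.recommendation)
```

record.cases is the record in full, which the text above recommends as the default; actions() is the record-by-exception view of the same data, so a team can keep the full record and still produce the shorter action list. unstudied() answers the flowchart's "All Words Applied?" question before a node is closed, which is where missed deviations usually hide.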

Manual and Computer Recording Methods


Computerised Reporting is now commonly used and there are a large number of
commercially available programs, and packages such as WORD and EXCEL are
easily adapted. It is best to display the record as it is being generated. In addition,
flip charts may be used. These have the advantage of not needing someone to
change screens to refer between nodes.


Workshop Exercises
1

HAZOP of a Continuous Process

Hydrocarbon is transferred down a 1km long pipeline, between the Intermediate
Storage Tank (IST) and the Reactor Feed/Settling Tank (RFST).
Hydrocarbon originating in a reflux drum and containing various amounts of water
(both free and dissolved) is transferred to the IST where the free water is allowed to
separate. The hydrocarbon layer (generally containing about 0.2% v/v suspended
water) is transferred from the IST by means of one of the pumps. The hydrocarbon
passes through a one-kilometre pipeline, running above ground, and adjacent to a
public highway, before reaching the RFST.
The RFST at 200C (total capacity 50m3) maintains a working volume of 25m3 by level
inlet control and is maintained at a pressure of 1.0 bar g. by nitrogen supplied by a
split range level control from the 2 bar g. site nitrogen supply.
For accountancy purposes, integrated flow measurement is provided on the common
delivery line from the pumps. A manual sampling point for off-line analysis is also
provided before the RFST level control system.
HAZOP Scope
You are to HAZOP the transfer of the hydrocarbon from the IST to the RFST.

HAZOP of a Batch Process involving people

Suspended water has a pronounced deactivating effect on the catalyst in the reactor
downstream of the Reactor Feed Settling Tank (RFST). The extremely small quantity
of dissolved water (a few ppm) has little or no effect. The design of the RFST is such
that any free water will collect in the boot from where it is manually drained at regular
4 hourly intervals.
At the design flow rate and normal water content (0.2% v/v) the boot (0.5 m3) will take
10 hours to fill with water and there is further settling capacity (4.5 m3) in the wet
side of the RFST.
Several consecutive manual draining operations would therefore have to be missed
under normal operating conditions before there is any real chance of free water
carryover into the reactor feed pumps system.
HAZOP Scope
You are to HAZOP the manual draining of the boot on the RFST. Be sure to think
about potential operator errors, as these will probably dominate the risk.
Hint: Draw out in flowchart form the actions required to complete the operation, and
be aware that people are carrying out these actions.

HAZOP of a Batch Process

This concerns the second of the P&IDs.

The P&ID shows the hydrocarbon dimerisation reactor system. Liquid hydrocarbon,
which should contain no free water phase, is pumped by a J2 pump and the flow
passing to the reactor is controlled by a valve fitted with both high and low flow
alarms. After passing through the shell side of the feed / product exchanger the
temperature of the liquid hydrocarbon is increased further using saturated steam on
the shell side.
The temperature of the liquid hydrocarbon should be 155°C when it enters the
reactor. As the dimerisation step progresses the reactor temperature is controlled
using a cooling water circuit operated by a temperature control valve and
temperature sensor within the reactor. In the event of an unwanted exothermic
excursion within the reactor a temperature controlled trip system shuts off the steam
supply to the feed preheater and supplies cooling water to the reactor.
The product leaving the reactor at 160°C passes through the tube side of the feed /
product heat exchanger before passing through an air cooler bringing the
temperature to 30°C. The cooled liquid then passes through a pressure control valve
fitted with a low alarm and the pressure is reduced to 7 bar g. before the liquid
continues to a second pressure let down system.
HAZOP Scope
You are to study the reactor operation.

Appendix A: Summary list of Suggested Failure Modes and Causes

These tables contain guidance as to the types of failures that may be seen in fault
identification studies. They are used in the planning of HAZOP studies as an aide-mémoire
to likely faults, and as an aid to choosing appropriate guide and
parameter/property words in HAZOP studies.
Origins of Failures
General Failure Mechanisms for Process Plant

PARAMETER      | FAILURE MECHANISM
PRESSURE       | High Pressure. Low Pressure. Vacuum.
TEMPERATURE    | High Temperature. Low Temperature.
FLOW           | High Flow. Low Flow. No Flow. Abnormal Opening to Atmosphere. Change in Planned Discharge.
LEVEL          | High Level. Low Level. No Level.
MECHANICAL     | Stress/Fatigue. Impact. Vibration. Erosion. Fouling.
REACTION       | High Reaction Rate. Low Reaction Rate. No Reaction. Wrong Reaction.
CHEMICAL ATTACK | External Corrosion. Internal Corrosion. Hardening/Swelling.
ELECTRIC       | Power Supply Failure. Galvanic Attack. Static Electricity.

Appendix B: Identifying Nodes


A list of proposed study nodes should be prepared by the HAZOP Team Leader prior
to the HAZOP meetings. This should then be discussed with the relevant process
engineer and presented to the team. Team members may object and make
alternative suggestions. It's your call as Team Leader. However, you do want the
team on your side so don't ignore any well-based challenges to your proposals.
The selection of nodes is something of an art; there is no absolute way to do it.
Principles are set out below for you to follow in the workshops at the end of this
Appendix, but you will develop your own tricks and skills. The important thing is that
ALL parts of the plant or process are studied.
General Guidelines for Sectioning a Drawing
(Applicable to continuous and batch processes).

Identify the major process components, e.g. tanks, vessels, columns,
reactors, etc., as individual nodes.

Identify all process lines entering or leaving each major process
component as individual nodes.

Treat interconnecting pipe-work between major components, e.g. from a
tank to a reactor, as one node and do not subdivide it into smaller nodes.
DO NOT go from one valve to the next, or from pump to control valve, etc.

Identify as separate nodes any additional line sections for each branch off
the main process flow line.

Emergency Shut Off Valves are often useful as termination points for
nodes. The next node can be considered as isolated from the current
node in any fault situation. During the study, the safeguards that close the
ESOV should be specified, with an explanation of their operation.

The above guidelines are based on:

If too many small nodes are selected then the workload will be increased
significantly and this will lead to extensive duplication.

The division of a drawing into too few very large nodes can result in
important deviations and consequences being missed.

Each section should contain active components, i.e. components that can
introduce deviations. Piping should not be considered as a node in its own
right unless it contains for example a control valve which could give rise to
flow deviations or a heat exchanger which could cause deviations in
temperature.

Each node must be clearly identifiable on the P&ID; the terminal points for
each node must be agreed at the start of the HAZOP study and the P&ID
clearly marked up accordingly.

The same level of detail must be applied throughout the study. Don't study
e.g. drains in detail on one part of the plant then ignore them on another.

CASE STUDY ON IDENTIFYING THE NODES ON A P&ID

Hydrocarbon Storage & Transfer
See P&ID (page 42).
Wet hydrocarbon is received from a reflux drum into an intermediate storage tank blanketed with nitrogen. Here the free water is allowed to settle out and is manually removed on a regular shift operation. The partially dried hydrocarbon is then transferred by a pumping system (one pump operational and one on standby) over a considerable distance to a Reactor Feed Settling Tank (RFST), which is also blanketed with nitrogen. Here any residual free water phase is allowed to separate. It is an essential requirement of the process that when the hydrocarbon leaves the feed settling storage tank there is no free water phase present. If free water were present then there would be major operational problems later in the process.
Suggest nodes for an efficient and complete HAZOP study, using the procedure suggested above.

The Hydrocarbon Transfer System

Node 0: Line from the reflux drum to the Intermediate Storage Tank (IST), which should have already been HAZOP studied.
Node 1: Line from the IST through the J1 pumps to the Reactor Feed Settling Tank (RFST).
Node 2: Nitrogen supply line to the IST.
Node 3: Line from the IST to the flare system.
Node 4: Line through the relief valve from the IST to the flare system.
Node 5: The IST.
Node 6: Water drain line from the RFST.
Node 7: Line from the RFST to the J2 pumps and the spill-back line associated with the J2 pumps system.
Node 8: The nitrogen supply line to the RFST.
Node 9: Line through the relief valve from the RFST to the flare system.
Node 10: The RFST.

Note: A further node in this exercise has been designated as Node 1 in WORKSHOP 2. This is because, due to the different process operations involved, it is considered better to deal with it in the context of the second part of the process operation.

The Hydrocarbon Dimerisation Reactor System

See P&ID (page 43).
Liquid hydrocarbon, which should contain no free water phase, is pumped by a J2 pump and the flow passing to the reactor is controlled by a valve fitted with both high and low flow alarms. After passing through the shell side of the feed/product exchanger the temperature of the liquid hydrocarbon is increased further by means of saturated steam on the shell side of the feed preheater.
The temperature of the liquid hydrocarbon should be 155°C when it enters the reactor. As the dimerisation step progresses the reactor temperature is controlled by means of a cooling water circuit operated by a temperature control valve and a temperature sensor within the reactor. In the event of an unwanted exothermic excursion within the reactor, a temperature-controlled trip system shuts off the steam supply to the feed preheater and supplies cooling water to the reactor.
The product leaving the reactor at 160°C passes through the tube side of the feed/product heat exchanger before passing through an air cooler, bringing the temperature to 30°C. The cooled liquid then passes through a pressure control valve fitted with a low alarm and the pressure is reduced to 7 bar g before the liquid continues to a second pressure let-down system.
Suggest nodes for an efficient and complete HAZOP study, using the procedure suggested above.

The Liquid Hydrocarbon Dimerisation Reactor System

Node 1: Line from the J2 pump through the shell side of the feed/product exchanger, the feed preheater exchanger, the reactor, the tube side of the feed/product exchanger, the air cooler system and through the pressure control system.
Node 2: Saturated steam supply to the feed pre-heater.
Node 3: Cooling water circuit and supply to the reactor.
Node 4: The dimerisation reactor.
Node 5: Relief valve lines from the feed/product exchanger, feed pre-heater, dimerisation reactor and reactor cooling water circuit.

Appendix C: Time Estimation for a HAZOP Study

Introduction
In the planning stage, we need to know how long it will take and how much it will cost.
The following presents the outlines of a variety of methods which have been satisfactorily used to estimate HAZOP time requirements. Once you have estimated the time required for the meetings.
These methods are based on the requirements for an Assurance HAZOP, i.e. a study completed once all information is available and the design is well developed and Approved for Construction. Studies undertaken at earlier stages (e.g. FEED) may proceed more quickly as there is usually not as much detail to discuss. It is assumed that all drawings and other information are correct and up to date.
The estimate should be carried out by the HAZOP Team Leader, aided by someone with a good overall knowledge of the process and of the capabilities of the team members. Without this experience there is a serious risk of an erroneous estimate being made, which will either result in management concern because unrealistically high costs have been estimated, or in an underestimate of time and therefore of costs, resulting in an over-run on the project.
It is important to emphasise the following:

- The HAZOP team must have the knowledge, skills and experience to proceed efficiently and at speed.
- The Team Leader needs to be well experienced in the HAZOP technique and efficient at motivating the team (see Appendix D).
- The more actions that need to be generated, the longer the study time required (as they generate the most argument!).
- The HAZOP team must not short-circuit the study so as to keep to an estimated time schedule.

In estimating the time required for a study, common sense dictates that you should apply all three methods, modifying them as necessary, and take a mean. In addition, this estimation can help you gauge the thoroughness of your study: if you estimate 10 hours to complete a drawing and it takes you 30 minutes to study, that's a good clue that your team hasn't been thorough enough. On the other hand, if you estimate 30 minutes and it takes an hour you cannot claim that as evidence that you have been extremely thorough. You can't win!
For batch processes double any of these estimates.
Method 1 - Drawings

This is the simplest approach and involves counting the number of drawings and, based on experience, estimating an average of 4 - 5 hours per drawing. This approximate rule-of-thumb approach has proved to be quite accurate.
It is sometimes the case that certain drawings are extremely simple and require significantly less than the average time quoted above. Similarly, it is also often found that one or more drawings may be significantly more complicated than all of the others, and consequently much longer than the average time per drawing is required to complete the HAZOP study of these.
Method 2 - Major Plant Items
Based on experience, 2-3 hours study time is allocated to each plant item, e.g. reactor, furnace, distillation column, boiler etc.
Method 3 - Drawing Complexity
Again the main plant items are identified and a study time allocation of an average of at least 20 minutes is made for each process line entering or leaving each such plant item.

Appendix D: Keeping the team's attention and support

The Leader's focus is on completing the HAZOP.

- Be willing to say you don't understand something or ask a seemingly stupid question.
- Make sure that the team understands what we are doing.
- Don't waste time by spending too long discussing one issue. If the team has not reached a conclusion within 5-10 minutes, it's time for an Action.
- Give team members opportunities and time to speak.
- Ensure everyone is paying attention and is contributing.
- Make sure as you go that the team reaches consensus on all cases.
- Stop the team trying to redesign the process.
- Use the record to focus your team's attention. A record is easy to refer to whereas a verbal description can be lost.
- Summarise at the end of each day.

Layer of Protection Analysis

Simplified form of Quantitative Risk Assessment.
Particular application in Instrumented Process Control and Safety Systems.

Layer of Protection Analysis:
- Overview
- Historical Perspective
- A New (2000) Concept for Safety Related Control Systems
- LOPA, SIS, SIL
- Where does LOPA fit?

by Richard Gowland

Section 1
- Overview of LOPA
- LOPA tools
- The 7 steps in LOPA
- Other methods
- Competent authority position

Historical Perspective

Emerging Standards / Practices start picking up momentum:
- IEC 61508 / 61511
- CCPS Safe Process Automation (1993)
- ISA SP - 84.01 (1997), now SPA 4
- CCPS Layers of Protection Analysis (2001) guidance published
- U.K. Buncefield PSLG guidance published (Dec 2009)

A New Concept...

- Combine traditional Protection Layers with Safety Instrumented Systems in a new analysis tool to determine Safety Integrity Level requirements for Safety Related Instrument systems.
- Incorporate LOPA Tolerance Criteria or Target Factors that meet the target risk tolerance into the methodology.

That is, addressing:

- Have I defined my risk tolerance criteria or target?
- Does my system ensure my criteria are met?
- Do I need a Safety Instrumented System?
- Are there alternatives?
- Testing intervals
- Redundancy
- Reliability / false shutdowns
- Software programming
- Global consistency & industry standards
- Internal requirements for risk management
- Competent Authority / Regulator requirements

While Keeping It Simple

Complex mathematical terms and systems, e.g. the IEC 61508 expression for the probability of failure on demand of a single channel ($\lambda_{DU}$ undetected and $\lambda_{DD}$ detected dangerous failure rates, $T_1$ proof-test interval, MTTR mean time to restoration):

$\mathrm{PFD} = \lambda_{DU}\left(\frac{T_1}{2} + \mathrm{MTTR}\right) + \lambda_{DD}\,\mathrm{MTTR}$

versus simple tools:

1 + 1 + 2 = 4, or 0.1 x 0.01 x 0.07 = 0.00007

Applying LOPA: compatibility with the bow tie

[Bow-tie diagram: Initiating Events 1 to 4 on the left pass through prevention LOPs / LODs (1a, 1b, 1c; 2a; 3a, 3b, 3c; 4a). Where a prevention layer succeeds the outcome is "No consequence"; where the layers fail the paths converge on the Release at the centre. On the right, mitigation LOPs / LODs M1 and M2 split the Release into Consequence A, Consequence B and Consequence C.]

Common Terms & Acronyms we shall be using

- Layer of Protection Analysis (LOPA): a process of evaluating the effectiveness of Independent Protection Layers in reducing the likelihood or (possibly) severity of an undesirable event to meet organizational needs.
- BPCS Protective Function: any action, initiated by instrumentation, a BPCS, equipment failure or human response, which is intended to achieve or maintain a safe state of the process in respect to a specific hazardous event. This includes all instrumented non-"Safety Instrumented Functions" identified in LOPA.
- Safety Instrumented Function (SIF): the complete action which the SIS is designed to perform, from sensing to the final control element.
- Safety Related Protective System Function: the complete action which the Safety Related Protection System (SRPS) is designed to perform, from sensing to the final control element.

How does it work? The LOPA Onion

Layers, from the innermost outwards:
- Plant Design / Integrity
- Basic Process Control System, Operating Discipline / Supervision
- Critical Alarms and Operator intervention
- Safety Instrumented System preventative action
- Physical Protection, e.g. Relief Devices
- Plant Emergency Response
- Community Emergency Response

The LOPA Onion as published by CCPS (Independent Protection Layers, innermost first):
- Process Design
- Basic Controls, Process Alarms, and Operator Supervision
- Critical Alarms, Operator Supervision, and Manual Intervention
- Automatic Action: SIS or ESD
- Physical Protection (Relief Devices)
- Physical Protection (Dikes)
- Plant Emergency Response
- Community Emergency Response

Protection Layer Concept

[Event-tree diagram] An Initiating Event with estimated frequency f_i = x per year challenges IPL1, IPL2 and IPL3 in turn. Each IPL either succeeds, giving a Safe Outcome, or fails with its Probability of Failure on Demand:

IPL1 fails (PFD1 = y1):   f1 = x * y1
IPL2 fails (PFD2 = y2):   f2 = x * y1 * y2
IPL3 fails (PFD3 = y3):   f3 = x * y1 * y2 * y3   (Impact Event frequency)

Key: the arrow represents the severity and frequency of the Impact Event if later IPLs are not successful.
IPL - Independent Protection Layer; PFD - Probability of Failure on Demand; f - frequency, /yr.

Reproducing an event tree example in a tabular form (basic classic LOPA)

ROW                                         BASIS                              VALUE
TOLERATED EVENT FREQUENCY (per year)        SINGLE FATALITY (e.g.)             10^-5
INITIATING EVENT FREQUENCY (per year)       CONTROL SYSTEM LOOP FAILS          10^-1
PROBABILITY OF IGNITION (e.g.)              Quantity, M.I.E., site factors     10^-1
PROBABILITY OF EXPOSURE                     100%                               10^0
INDEPENDENT LAYER OF PROTECTION 1 (PFD)     BPCS?                              10^-1
INDEPENDENT LAYER OF PROTECTION 2 (PFD)     SIS?

In integer form: basic classic LOPA

ROW                                         BASIS                              FACTOR
TOLERATED EVENT FREQUENCY (per year)        SINGLE FATALITY (e.g.)
INITIATING EVENT FREQUENCY (per year)       CONTROL SYSTEM LOOP FAILS
PROBABILITY OF IGNITION (e.g.)              Quantity, M.I.E., site factors
PROBABILITY OF EXPOSURE (e.g.)              100%
INDEPENDENT LAYER OF PROTECTION 1 (PFD)     BPCS?
INDEPENDENT LAYER OF PROTECTION 2 (PFD)     SIS OR SOMETHING ELSE?
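The event-tree arithmetic of the Protection Layer Concept slide and the integer-factor form of the tabular example, carried through in code. This is an added example, not part of the original training material; the SIL credit factors it uses (SIL 1 = 1.E-01, SIL 2 = 1.E-02, SIL 3 = 1.E-03) are those given later in the "Values of Typical Independent Layers of Protection" slide.

```python
"""Classic (order-of-magnitude) LOPA: event-tree form and integer-factor form.

Added example, not from the original slides. It works the tabular example:
tolerated frequency 10^-5/yr (single fatality), control loop failure 10^-1/yr,
probability of ignition 10^-1, exposure 100%, IPL 1 = BPCS (PFD 10^-1), and
asks how good IPL 2 (the SIS) has to be. In factor form every 10^-n becomes
the integer n, so multiplying probabilities becomes adding factors.
"""
import math
from dataclasses import dataclass, field

# Credit factor earned by a SIS of each SIL (PFD 1.E-01, 1.E-02, 1.E-03).
SIL_CREDIT = {1: 1, 2: 2, 3: 3}


def factor(value: float) -> int:
    """Integer (order-of-magnitude) factor: 0.01 -> 2, 0.1 -> 1, 1.0 -> 0."""
    if not 0 < value <= 1:
        raise ValueError("classic LOPA factors are defined for values in (0, 1]")
    return round(-math.log10(value))


@dataclass
class ClassicScenario:
    name: str
    tolerated_frequency: float          # per year, e.g. 1e-5 for a single fatality
    initiating_frequency: float         # per year
    enabling_events: dict = field(default_factory=dict)       # name -> probability
    conditional_modifiers: dict = field(default_factory=dict)  # name -> probability
    ipls: dict = field(default_factory=dict)                   # name -> PFD

    # --- event-tree form (Protection Layer Concept slide): f = x * y1 * y2 * ...
    def unmitigated_frequency(self) -> float:
        f = self.initiating_frequency
        for p in list(self.enabling_events.values()) + list(self.conditional_modifiers.values()):
            f *= p
        return f

    def mitigated_frequency(self) -> float:
        f = self.unmitigated_frequency()
        for pfd in self.ipls.values():
            f *= pfd
        return f

    # --- integer form: Target Factor versus IEF + credits
    def target_factor(self) -> int:
        return factor(self.tolerated_frequency)

    def credit_sum(self) -> int:
        values = ([self.initiating_frequency] + list(self.enabling_events.values())
                  + list(self.conditional_modifiers.values()) + list(self.ipls.values()))
        return sum(factor(v) for v in values)

    def protection_gap(self) -> int:
        """Orders of magnitude still missing; <= 0 means the target is already met."""
        return self.target_factor() - self.credit_sum()

    def required_sil(self):
        """Lowest SIL whose credit closes the gap; 0 = no SIS needed, None = beyond SIL 3."""
        gap = self.protection_gap()
        if gap <= 0:
            return 0
        for sil, credit in SIL_CREDIT.items():
            if credit >= gap:
                return sil
        return None

    def forms_agree(self) -> bool:
        """Both forms are the same arithmetic: 10^-(sum of factors) == product of values."""
        return math.isclose(10.0 ** -self.credit_sum(), self.mitigated_frequency(), rel_tol=1e-9)


# The tabular example from the slides (IPL 2, the SIS, is what we are sizing).
TABULAR_EXAMPLE = ClassicScenario(
    name="Control loop fails -> release -> ignition -> single fatality",
    tolerated_frequency=1e-5,
    initiating_frequency=1e-1,                       # control system loop fails
    conditional_modifiers={"ignition": 1e-1, "exposure": 1.0},
    ipls={"IPL 1: BPCS": 1e-1},
)

if __name__ == "__main__":
    s = TABULAR_EXAMPLE
    print(f"unmitigated {s.unmitigated_frequency():.0e}/yr, with BPCS {s.mitigated_frequency():.0e}/yr")
    print(f"TF {s.target_factor()} - credits {s.credit_sum()} = gap {s.protection_gap()}"
          f" -> IPL 2 must be SIL {s.required_sil()}")
```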

What Does All This Mean??


The jargon and definitions

- Hazardous Scenario = a hazardous event, e.g. fire or explosion causing injury or fatality to an exposed individual.
- LOPA Target Factor = a number based on the tolerated frequency for a scenario, e.g. single fatality frequency of 1 in 100,000 years (1E-05 per year).
- Initiating Event Frequency = the frequency of a single failure which can initiate a hazardous scenario.
- Enabling Event = a factor which affects the overall frequency of the hazardous event occurring, e.g. the proportion of the year when the hazard is present or the proportion of time when a person is exposed to a hazardous scenario.
- Conditional Modifier = a factor which affects the scale of the event, e.g. probability of ignition of a flammable release.
- Independent Protection Layer (IPL) = a protective system which is designed to function on demand and prevent the hazardous scenario from proceeding (defined later).
- Probability of Failure on Demand (PFD) = the probability that a device will fail when actuated.
- IPL credit factor = a factor directly related to the probability that an IPL will fail to function as designed.

The jargon and definitions (continued)

- Basic Process Control System (BPCS) = the system which is controlling the normal production process, e.g. DCS or conventional instrument control or Programmable Logic Computer (PLC).
- Safety Related Protection System (SRPS) = a non-instrumented system (such as a relief valve) which is designed to protect against an event.
- Safety Instrumented System (SIS) = an independent system of sensor, logic solver and final process element designed and operated in conformance with IEC 61511 to prevent a scenario.
- Safety Instrumented Function (SIF) = the complete function of a SIS from sensing to the final process element, e.g. senses high level, acts through the SIS logic solver to close an inlet valve.
- Safety Integrity Level (SIL) = factor directly related to the probability of failure on demand of a SIS.
- Safety Instrumented Programming = the protected software program which controls the action of the SIS.

Factors and Credits in classic LOPA (based on the order-of-magnitude approach as used in the U.S.)
Most useful for screening work.

- LOPA Target Factor (TF) = integer of the tolerated event frequency (e.g. 1 event in 100,000 years: TF = 5).
- Initiating Events: Initiating Event Factor = integer of the initiating event frequency (e.g. failure frequency of 1 per 10 years: IEF = 1).
- Enabling Events: EE Credit Factor = integer of e.g. time at risk 1%, 10%, 100%; factors are 2, 1 or 0.
- Conditional Modifiers: CM Credit Factor = integer of e.g. probability of ignition 1%, 10%, 100%; factors are 2, 1 or 0.
- IPL = Independent Layer of Protection: IPL Credit Factor = integer of the Probability of Failure on Demand (a PFD of 0.01 gives a Credit Factor of 2).
- Each case is treated individually without attempting to allow for the fact that a single scenario may have more than one Initiating Event.

Factors and Credits in advanced LOPA (based on the PSLG final report recommendations for LOPA on fuel storage sites)

- LOPA Target Factor (TF) = integer of the tolerated event frequency (e.g. 1 event in 100,000 years: TF = 5).
- Initiating Events: Initiating Event Factor = the initiating event frequency itself (e.g. failure frequency of 3.3 per 10 years: IEF = 3.3E-01).
- Enabling Events: EE Credit Factor = factor (probability) of e.g. time at risk (for a tank which is being filled 12% of the time, EEF = 1.2E-01).
- Conditional Modifiers: CM Credit Factor = factor (probability) of e.g. probability of ignition (where it is estimated that the P.o.I. is 33%, the CM factor is 3.3E-01).
- IPL = Independent Layer of Protection: IPL Credit Factor = the Probability of Failure on Demand itself (e.g. a PFD of 0.007 gives a Credit Factor of 7.0E-03).
- Additionally, the LOPA should address the cumulative/aggregation effect, accounting for the fact that a single scenario may have more than one Initiating Event.

It's A Simple Analysis Process

1. Use Layer Of Protection Analysis to determine if Safety Instrumented Systems are required and, if yes, the needed Safety Integrity Levels (1 - 3).
2. Use the result and the desired Reliability Levels (Fault Tolerance) & SILs to determine the needed sensor, logic solver and final element configuration and the necessary testing intervals.

INDEPENDENCE
Independent Layer of Protection (IPL)

A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.

Must be effective, testable and auditable.

Classic LOPA - Closing the Protection Gap

ROW                                         BASIS                              VALUE
TOLERATED EVENT FREQUENCY (per year)        SINGLE FATALITY (e.g.)
INITIATING EVENT FREQUENCY (per year)       CONTROL SYSTEM LOOP FAILS
PROBABILITY OF IGNITION (e.g.)              PROBABILITY
PROBABILITY OF EXPOSURE (e.g.)              PROBABILITY                        100%
INDEPENDENT LAYER OF PROTECTION 1 (PFD)     BPCS?
INDEPENDENT LAYER OF PROTECTION 2 (PFD)     SIS OR SOMETHING ELSE?

Concept of closing the Protection Gap

Tools:
- Paper worksheets
- Excel workbooks
Examples follow.

Scenario No.:                          P&ID/Equipment No.:                          Study team:
Scenario Description:                  Overflow of large gasoline store leads to large fire or explosion on site
Reasoning/Justification:               Large fire on site as a result of overflow at pump-in rate 300-600 m3/hr

Consequence Description/Category:      Fatality on site
Risk Tolerance Criteria (frequency/yr):   1.00E-05

Initiating Event:                      ATG fails - BPCS control loop failure (description selected from drop-down)
Initiating Event Frequency:            1.00E-01

ENABLING EVENT OR CONDITION / Conditional Modifiers:
- Probability of Ignition (POI) (fire or explosion events only): large quantity released, certain to find a source of ignition outside the classified area; POI for > 5000 kg released: 1.00E+00
- Probability that ignition leads to explosion (confined or unconfined): 1.00E+00
- Probability that personnel will be EXPOSED in the affected area: operator on patrol, 0.1 probability of exposure: 1.00E-01
- Others (e.g. time when risk is present): tank being filled 7% of year (0.07): 7.00E-02

FREQUENCY OF UNMITIGATED CONSEQUENCES:   7.00E-04

INDEPENDENT PROTECTION LAYERS (PFD - read cell comments):
- BPCS actions with trip: HH high level trip shuts off incoming gasoline flow; BPCS trip independent of initiating event (probability - read cell comments): 1.00E-01

LOPA workbooks

Or you can plot horizontally. Show Excel workbook.

The steps in LOPA

Option A:                                   Option B:
1. Scenario definition                      1. Scenario definition
2. Assign severity and target frequency     2. Assign severity and target frequency
3. Initiating events                        3. Initiating events
4. Enabling events                          4. Enabling events
5. Conditional Modifiers                    5. Independent Layers of Protection
6. Independent Layers of Protection         6. Conditional Modifiers
7. Output result                            7. Output result

This is a choice: CMs may be left until last or dealt with before IPLs.

[Flowchart of the LOPA procedure for a tank]
1. Select tank for study.
2. Decide whether considering Harm to People or Harm to Environment and determine the severity of the harm for the scenario being assessed. (See sections 3 & 4.)
3. Systematically identify all initiating events and related enabling events/conditions that could (if all other measures fail) lead to the harm being considered and document the scenarios for each. (See section 5.)
4. For each initiating event list those risk reducing measures (prevention and mitigation protection layers, conditional modifiers etc.) that relate to that initiating event, including any existing or proposed high level Safety Instrumented Function. (See sections 6 & 7.)
5. Conduct LOPA to calculate the frequency of harm for that initiating event.
6. Repeat for all relevant initiating events.
7. Sum the frequency of harm from all initiating events.
8. Compare this total with the target frequency for the level of severity. Is the risk ALARP?
   - No: identify further risk reduction measures and the required performance of any measure, including the SIL if the additional measure is a SIS; reassess the total frequency of harm and compare again.
   - Yes: has harm both to people and to the environment been evaluated? (See section 4.) If No, return to step 2 for the other category; if Yes, finish.
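The gasoline overflow worksheet above, followed through the "repeat for all initiating events, then sum" steps of the flowchart and the advanced (PSLG-style) real-valued factors. This is an added example, not part of the original material; the second initiating event and its frequency are constructed to show aggregation and are not worksheet values.

```python
"""Advanced (PSLG-style) LOPA: real-valued factors, summed over initiating events.

Added example, not from the original slides. The first initiating event
reproduces the gasoline tank overflow worksheet: ATG fails (BPCS control loop
failure) 1.00E-01/yr, P(ignition) 1.00E+00, P(explosion) 1.00E+00,
P(exposure) 0.1 (operator on patrol), tank being filled 7% of the year, BPCS
high-level trip PFD 1.00E-01, target 1.00E-05/yr for an on-site fatality.
The second initiating event is a constructed addition for illustration.
"""
from dataclasses import dataclass, field
from math import prod

# SIL bands as PFD intervals [lower, upper): SIL 1 = 1E-2..1E-1, SIL 2, SIL 3.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3)}


@dataclass
class InitiatingEvent:
    name: str
    frequency: float                                  # per year
    enabling: dict = field(default_factory=dict)      # name -> probability (time at risk...)
    modifiers: dict = field(default_factory=dict)     # name -> probability (ignition, exposure...)
    ipls: dict = field(default_factory=dict)          # name -> PFD

    def unmitigated_frequency(self) -> float:
        """Frequency of the consequence if every IPL fails (the worksheet row)."""
        return self.frequency * prod(self.enabling.values()) * prod(self.modifiers.values())

    def mitigated_frequency(self) -> float:
        return self.unmitigated_frequency() * prod(self.ipls.values())


def total_frequency(events) -> float:
    """Flowchart step: sum the frequency of harm from all initiating events."""
    return sum(e.mitigated_frequency() for e in events)


def required_extra_pfd(total: float, target: float) -> float:
    """PFD an additional IPL must achieve so that total * pfd <= target (1.0 = none needed)."""
    return min(1.0, target / total)


def sil_for_pfd(required: float):
    """Lowest SIL whose band upper limit meets the required PFD; 0 = no SIS, None = beyond SIL 3."""
    if required >= 1.0:
        return 0
    for sil, (_lower, upper) in SIL_BANDS.items():
        if required >= upper:
            return sil
    return None


def size_additional_sis(events, target):
    """Return (summed frequency, required extra PFD, SIL of the additional SIS)."""
    total = total_frequency(events)
    pfd = required_extra_pfd(total, target)
    return total, pfd, sil_for_pfd(pfd)


TARGET_ONSITE_FATALITY = 1e-5   # risk tolerance criterion from the worksheet

ATG_FAILS = InitiatingEvent(
    name="ATG fails (BPCS control loop failure)",
    frequency=1e-1,
    enabling={"tank being filled 7% of year": 0.07},
    modifiers={"ignition (> 5000 kg released)": 1.0,
               "ignition leads to explosion": 1.0,
               "operator on patrol exposed": 0.1},
    ipls={"BPCS HH level trip shuts off incoming flow": 1e-1},
)

# Constructed second cause; the 1E-01/yr figure is an assumption, not a worksheet
# value. Same time at risk and modifiers; the BPCS trip does not depend on the
# operator's line-up, so its credit still applies.
WRONG_TANK_SELECTED = InitiatingEvent(
    name="Wrong tank lined up at receipt (human error, assumed 1E-01/yr)",
    frequency=1e-1,
    enabling=dict(ATG_FAILS.enabling),
    modifiers=dict(ATG_FAILS.modifiers),
    ipls=dict(ATG_FAILS.ipls),
)

if __name__ == "__main__":
    for events in ([ATG_FAILS], [ATG_FAILS, WRONG_TANK_SELECTED]):
        total, pfd, sil = size_additional_sis(events, TARGET_ONSITE_FATALITY)
        print(f"{len(events)} initiating event(s): {total:.2e}/yr, "
              f"extra IPL needs PFD <= {pfd:.3f} -> SIL {sil}")
```

With the worksheet's single initiating event the gap of 7 is closed by a SIL 1 function; once the second cause is summed in, the same target needs SIL 2.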

Starting

- Develop a Scenario (e.g. consequences in HAZOP - details later)
- Estimate consequences
- Determine the Risk Tolerance Criteria (Target) - a frequency
- Identify Cause-Consequence pairs
- Record in the system of your choice

Risk Tolerance Criteria: Example Target Frequency

Target Frequency (per year), one order of magnitude per row, each with its Target Factor: 1.00E-03, 1.00E-04, 1.00E-05, 1.00E-06, 1.00E-07, 1.00E-08, 1.00E-09. The tolerated frequency falls as the severity of the impact rises.

Impact on People, On-site (increasing severity):
- A minor injury with no permanent health damage (1.00E-03)
- Serious permanent injury - one or more persons (1.00E-04)
- Single fatality (1.00E-05)
- Multiple fatalities
- Catastrophic event - many fatalities

Impact on People, Off-site (increasing severity):
- Nuisance complaint (1.00E-03)
- An event requiring neighbours being told to take shelter indoors (1.00E-04)
- Neighbour injury
- Neighbour fatality
- An event leading to the need to evacuate neighbours
- Multiple fatalities to neighbours

Risk matrix for scenario-based safety assessments (Buncefield PSLG Final report)
Likelihood of n fatalities from a tank explosion, per tank per year:

Frequency band          Fatalities n = 1       n = 2-10               n = 11-50
10^-4/yr - 10^-5/yr     Tolerable if ALARP     Tolerable if ALARP     Tolerable if ALARP
10^-5/yr - 10^-6/yr     Broadly acceptable     Tolerable if ALARP     Tolerable if ALARP
10^-6/yr - 10^-7/yr     Broadly acceptable     Broadly acceptable     Tolerable if ALARP
10^-7/yr - 10^-8/yr     Broadly acceptable     Broadly acceptable     Broadly acceptable

Environmental Category   Acceptable if frequency less than   Acceptable if Reduced as Reasonably Practical and frequency between   Unacceptable if frequency above
Catastrophic             10^-6 per year                      10^-4 to 10^-6 per year                                                10^-4 per year
Major                    10^-6 per year                      10^-4 to 10^-6 per year                                                10^-4 per year
Severe                   10^-6 per year                      10^-2 to 10^-6 per year                                                10^-2 per year
Significant              10^-4 per year                      10^-1 to 10^-4 per year                                                10^-1 per year
Noticeable               10^-2 per year                      ~10^+1 to 10^-2 per year                                               ~10^+1 per year
Minor                    All shown as acceptable

PSLG Final report: "For the purposes of this guidance, the categories from Table 3 have been aligned to COMAH terminology as follows:
- 'Acceptable if frequency less than' equates to the Broadly Acceptable region
- 'Acceptable if Reduced as Reasonably Practical and frequency between' equates to the Tolerable if ALARP region
- 'Unacceptable if frequency above' equates to the Intolerable region"

Category        Definitions

Catastrophic    Major airborne release with serious off-site effects. Site shutdown. Serious contamination of groundwater or watercourse with extensive loss of aquatic life.
Major           Evacuation of local populace. Temporary disabling and hospitalisation. Serious toxic effect on beneficial or protected species. Widespread but not persistent damage to land. Significant fish kill over 5 mile range.
Severe          Hospital treatment required. Public warning and off-site emergency plan invoked. Hazardous substance releases into water course with mile effect.
Significant     Severe and sustained nuisance, e.g. strong offensive odours or noise disturbance. Major breach of permitted emission limits with possibility of prosecution. Numerous public complaints.
Noticeable      Noticeable nuisance off-site, e.g. discernible odours. Minor breach of permitted emission limits, but no environmental harm. One or two complaints from the public.
Minor           Nuisance on site only (no off-site effects). No outside complaint.

You can consider losses if you wish.

Then consider all the initiating events in turn and populate your documentation.
U.S. DuPont is following this approach.

Step 2 - Initiating events (e.g. cause from HAZOP)

Initiating Event Frequencies for Layers of Protection Analysis

Initiating Event                                                    Frequency (per year)   Initiating Event Factor
BPCS Instrument Loop Failure                                        1.E-01                 1
BPCS has single sensor which fails                                  1.E-01                 1
Control Valve Fails                                                 1.E-01                 1
Regulator Failure                                                   1.E-01                 1
Pump Failure                                                        1.E-01                 1
Pump Seal Failure                                                   1.E-01                 1
Cooling Water Failure                                               1.E-01                 1
Loss of electrical power                                            1.E-01                 1
General Utility Failure                                             1.E-01                 1
3rd Party Intervention (external impact by digger, vehicle, etc.)   1.E-02

Example failure rates used by my former employer - use your own, industry sources or Competent Authorities.

Basic Rules for Initiating Events

- Process control software should not be an initiating event. Testing and simulation must be in place to eliminate it as a source. Management of Change must be robust enough to avoid corrupting the operating program.
- An Independent Protection Layer cannot be the initiating event. The only exceptions are failed elements of the BPCS and Alarms - if they can create the scenario.
- Initiating events are single events, but may be modified by the probability of a Conditional Modifier occurring (e.g. an ignition occurring).
- If you want to consider more than one initiating event per scenario it can be done; see advanced LOPA later.

Justifying Initiating Events

- Basic traditional "Classic" LOPA uses orders of magnitude.
- You need to justify the data used.
- Explanatory notes in IEC 61511 should be used with care. E.g. the lower limits stated in IEC 61511-1 8.2.2 cannot be assumed; they need to be justified.
- Human error rates need to be formulated properly.

Enabling Events (e.g. Time at risk)

The scenario can only happen during specific operating conditions.
Examples:
- Toxic release in a batch plant that makes the toxic product during 1 month per year.
- A tank can only overflow when a liquid is being fed into it.
Do not apply this for startup and shutdown, since these are higher risk operations.

Conditional Modifiers

Conditions which must be true for the hazard scenario to fully develop, e.g.:
- Probability of ignition
- Probability of exposure (not applicable for many (very large) scenarios)
- Time at risk
And when you are sure, move on to Independent Protection Layers.

Conditional Modifiers - Basic Rules

For flammable events:
Need to consider the hazardous phenomenon, e.g. pool fire, flash fire, explosion. Thus:
a) consider the probability of ignition, and then
b) consider the probability that the result is the phenomenon of interest.
For a), enter a value of 0, 1 or 2 (100%, 10%, 1% as a probability), depending on the flammability of the chemical and the quantity released.
For b), take into account conditions favouring the phenomenon of interest (weather, topography etc.).

For other (e.g. toxic exposure) events the value is 0 (100%) - no ignition needed.

Examples

Conditional Modifier / Enabling event for Layer of Protection Analysis: Probability of Ignition

Amount of Flammable      Ordinary Hydrocarbons                        Low M.I.E. (< 0.3 mJ) materials
Material Released, kg    Probability of Ignition   Enabling Factor    Probability of Ignition   Enabling Factor
5 - 50                   1.0E-02                   2                  1.0E-02                   2
51 - 501                 1.0E-02                   2                  1.0E-01                   1
501 - 5000               1.0E-01

Now: Probability that someone will be exposed to a hazard.
(Valid only for scenarios involving personnel injury.)

Probability of Exposure Examples (Conditional Modifiers)

Probability of Exposure                                                            CM Probability          CM LOPA factor
Probability of Exposure allowed for processes/process steps in operation for
  less than 5 weeks/yr                                                             1x10^-1
Probability of Exposure allowed for processes/process steps in operation for
  less than 3 days/yr                                                              1x10^-2
Probability that persons will be in the area of consequence and exposed to it
  (e.g. rarely visited or occupied areas such as remote tank farms)               1x10^-1 or 1x10^-2      1 or 2

Independent Protection Layers (IPLs)

- Identify BPCS protective function, if any
- List any Alarms and the operator response (written procedure etc. required)
- Record qualifying pressure relief devices
- Document Other Safety Related Systems
- Management Practices
- Machine Protection Systems

General Rule of Independence
(the rule which is most commonly broken)

To be Independent, a layer of protection shall prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.
Given events A and B, A is independent of B if, and only if, the probability of A is unchanged by the occurrence of B.
Two events (A and B) are independent if the probability that they both occur is the product of their separate probabilities: P(A and B) = P(A) * P(B).

Values of Typical Independent Layers of Protection

Layer                                                          PFD                              Remarks
Pressure Relief Device                                         1.E-02
SIS - SIL 1                                                    1.E-01
SIS - SIL 2                                                    1.E-02
SIS - SIL 3                                                    1.E-03
BPCS, when independent of initiating event                     1.E-01                           Credits are zero (0) if unrestricted change is allowed
Internal mechanical safety trips that are independent
  of the SIS or BPCS                                           1E-1 to 1E-2 (credit 1 to 2)     Value chosen depends on verification by vendor and testing frequency
Operator response to Alarms and procedures, low stress,
  recognized event                                             1.E-01                           Needs to be carefully controlled

Typical Basic Rules for BPCS and Alarms

If a BPCS (whole loop) is an Initiating Event, no credit is taken for the BPCS or Alarm IPL unless they are completely separate systems.
If BPCS and Alarm IPLs use the same sensor, you can take credit for one IPL only.
The Alarm IPL requires a formally recorded and auditable operator action to prevent the scenario.
If a sensor failure is the Initiating Event, BPCS and Alarm IPL are not valid credits if they require the failed sensor to function.
If a final element failure is the Initiating Event, BPCS and Operator action on Alarm IPL are not valid credits if they require the failed final element to function (the most common final element is a control valve).
If a BPCS logic solver is an Initiating Event, no credit is taken for the BPCS or Alarm IPL, unless the Alarm IPL is a completely separate system.
If an Alarm is an IPL, the operator must have time to prevent the scenario. No credit shall be taken if the operator has less than 10 minutes to respond. Credit may be taken if this is a recognized case in the Emergency Response plan.
A maximum of only one (1) BPCS and one (1) Alarm IPL credit are allowed for a case.
Sharing of BPCS and SIS elements may be allowed when there is evidence of adequate independence (see rules for sharing SIS elements by the BPCS).
Mechanical safety devices such as over-speed trips are not Instrumented IPLs. However, they may qualify as an Independent Safety Related Protection System under the Other Safety Related Protection System column.

Other non SIS IPLs

Relief devices
Flares
Containment
Other Safety Related Protection Systems (SRPS - see later)

Then go on to consider Safety Instrumented Systems if you still have protection gaps.

Rules for Pressure Relief Devices

1 The Pressure Relief Device either protects or it doesn't. Partial credit is not allowed.
2 If the Pressure Relief Device discharges to the atmosphere creating a 2nd hazard (to people, the environment or equipment), no credit is allowed. If the release to the atmosphere has an acceptable risk, credit may be taken.
3 If the Pressure Relief Device discharges to a flare, tank, or scrubber, credit is taken.
4 LOPA is not a tool for deciding "No Overpressure Protection Device Needed".

Rules for Other Safety Related Protection Systems

1 Systems that are not Pressure Relief Devices and are not instrumented systems are considered in this column.
2 Dikes and Bunds are not an IPL for safety cases - no credit allowed since they may only reduce the consequences (and are thus already accounted for in the scenario). For a business case involving an environmental scenario, dikes and bunds may reduce the frequency of environmental damage - credit allowed.
3 Includes containment buildings or enclosures, if present.
4 Unlisted systems need a lot of care and approvals.

These rules come from one company - we might like to debate them.

Technical Issues

Multiple sensors in the BPCS help testing but don't change risk levels much.
SIS sensors shared with the BPCS - rules needed.
Care is needed when accounting for a shared logic solver: a BPCS loop failure as initiating event and a layer of protection which still relies on the same BPCS.

Closing the Protection Gap (re-cap)

TOLERATED EVENT FREQUENCY PER YEAR: SINGLE FATALITY (e.g.)
INITIATING EVENT FREQUENCY PER YEAR: CONTROL SYSTEM LOOP FAILS
PROBABILITY OF IGNITION (e.g.): PROBABILITY
PROBABILITY OF EXPOSURE (e.g.): PROBABILITY 100%
INDEPENDENT LAYER OF PROTECTION 1: PROBABILITY OF FAILURE ON DEMAND - BPCS?
INDEPENDENT LAYER OF PROTECTION 2: PROBABILITY OF FAILURE ON DEMAND - SIS OR SOMETHING ELSE?

Concept of closing the Protection Gap

Safety Instrumented Systems (SIS)

A combination of sensors, logic solver and final elements that detects an out-of-limit (abnormal) condition and brings it to a safe condition without human intervention. (Note that IEC 61511 does allow operator involvement in a SIS, but this is not common practice.)

It protects against specific hazards.
It performs a required safety function.
It has a defined reliability.
It is independent from other protection or mitigation systems.
It cannot cause or initiate a hazardous scenario.

More New Terms

Safety Integrity Levels (SIL)

A reliability criterion for a SIS defining the probability of the system failing to perform its function on demand.

Safety Instrumented Systems PFD

1E-01 > SIL 1 >= 1E-02
1E-02 > SIL 2 >= 1E-03
1E-03 > SIL 3 >= 1E-04

BPCS and SIS are Different.

BPCS keeps the plant within defined operating parameters
BPCS and SIS may both act as IPLs
A BPCS is very unlikely to meet > SIL1 PFD or Fault requirements (may even be prevented unless certified as a SIS or proven in use)
Certification requirements are different
Documentation requirements are different
Testing requirements are different

Address SIS needs

List Safety Instrumented Functions if required. The SIL of the SIF is the numerical value needed to Close the Protection Gap.

Basic Rules for SIS

1 SIS entries are considered last and then only if necessary to close the protection gap.
2 A non-zero, positive value in the Protection Gap column indicates a SIS is needed.
3 The required SIL of the SIS is the value which closes the Protection Gap.
4 A SIL value greater than 3 should not be allowed. Additional non-SIS IPLs are required - or there is something wrong with the process.
5 A zero or negative value in the Protection Gap column indicates a SIS is not needed.
6 A SIS with a SIL of 2 or 3 can be replaced with a combination of lower SIL provided they are independent from each other: SIL 1 + SIL 1 = SIL 2; SIL 1 + SIL 2 = SIL 3.
7 Two (2) SIS IPLs used in the same case require separate sensors, logic solver and final element. Independent paths through the same SIS logic solver must be used.
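The gap calculation and the BPCS/alarm credit rules above, worked through in code. This is an added example, not material from the course or from any company: the PFD figures are the order-of-magnitude values quoted on the slides, and the T912 overfill scenario, its 0.1/yr loop-failure frequency and the 1x10-5 single-fatality target are constructed from the course's own examples.

```python
"""LOPA protection-gap calculator, added here to illustrate the slides' IPL credit
rules and SIL selection. Not course or company code; PFD values are the slides'
order-of-magnitude figures and the tank overfill scenario is constructed."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Probability of failure on demand per IPL type (values quoted on the slides).
PFD = {"relief": 1e-2, "bpcs": 1e-1, "alarm": 1e-1,
       "sil1": 1e-1, "sil2": 1e-2, "sil3": 1e-3, "mechanical_trip": 1e-1}
MIN_ALARM_RESPONSE_MIN = 10.0   # no alarm credit if the operator has < 10 min

@dataclass
class IPL:
    kind: str                                   # key into PFD
    shares_bpcs_sensor: bool = False            # same sensor as the BPCS loop?
    response_time_min: Optional[float] = None   # alarms only: time available

@dataclass
class Scenario:
    name: str
    initiating_freq: float       # initiating event frequency, per year
    bpcs_is_initiator: bool      # failure of the BPCS loop is the initiating event
    modifiers: Dict[str, float]  # conditional modifiers / enabling conditions
    ipls: List[IPL]
    target_freq: float           # tolerated event frequency, per year

def process_safety_time_min(capacity_m3, fill_rate_m3_h, alarm_fraction):
    """Minutes from alarm setpoint to overflow with no intervention
    (slide example: 6000 m3, 500 m3/h, alarm at 90% -> 1.2 h = 72 min)."""
    return capacity_m3 * (1.0 - alarm_fraction) / fill_rate_m3_h * 60.0

def valid_credits(s: Scenario) -> Tuple[List[IPL], List[str]]:
    """Apply the slides' BPCS/alarm rules; return credited IPLs and rejection reasons."""
    credited: List[IPL] = []
    rejected: List[str] = []
    bpcs_used = alarm_used = False
    for ipl in s.ipls:
        if ipl.kind == "bpcs":
            if s.bpcs_is_initiator:
                rejected.append("bpcs: the BPCS loop is the initiating event")
                continue
            if bpcs_used:
                rejected.append("bpcs: only one BPCS credit per case")
                continue
            bpcs_used = True
        elif ipl.kind == "alarm":
            if ipl.shares_bpcs_sensor and (s.bpcs_is_initiator or bpcs_used):
                rejected.append("alarm: shares the BPCS sensor, not independent")
                continue
            if ipl.response_time_min is None or ipl.response_time_min < MIN_ALARM_RESPONSE_MIN:
                rejected.append("alarm: operator has less than 10 minutes to respond")
                continue
            if alarm_used:
                rejected.append("alarm: only one alarm credit per case")
                continue
            alarm_used = True
        credited.append(ipl)
    return credited, rejected

def mitigated_frequency(s: Scenario) -> float:
    """Initiating frequency x conditional modifiers x PFD of each credited IPL."""
    f = s.initiating_freq
    for p in s.modifiers.values():
        f *= p
    for ipl in valid_credits(s)[0]:
        f *= PFD[ipl.kind]
    return f

def protection_gap(s: Scenario) -> int:
    """Orders of magnitude still needed; positive means a SIS is needed."""
    return math.ceil(round(math.log10(mitigated_frequency(s) / s.target_freq), 6))

def required_sil(s: Scenario) -> int:
    """SIL closing the gap (0: no SIS). Above SIL 3 is not allowed: add non-SIS IPLs."""
    gap = protection_gap(s)
    if gap <= 0:
        return 0
    if gap > 3:
        raise ValueError(f"{s.name}: gap of {gap} orders exceeds SIL 3")
    return gap

# Constructed scenario: tank T912 overfill, vapour cloud ignites, single fatality.
T912_OVERFILL = Scenario(
    name="T912 overfill, ignition, single fatality",
    initiating_freq=1e-1,            # level control (BPCS) loop fails, 0.1/yr
    bpcs_is_initiator=True,
    modifiers={"ignition": 1e-1, "exposure": 1e-1},
    ipls=[IPL("bpcs"),               # rejected: it is the initiating event
          IPL("alarm", response_time_min=process_safety_time_min(6000, 500, 0.9))],
    target_freq=1e-5,                # single fatality target from the course table
)
```

With the BPCS credit rejected and the alarm credited (72 minutes of Process Safety Time), the mitigated frequency is 1x10-4/yr against a 1x10-5/yr target, a gap of one order: SIL 1.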

Then

Completely document the scenario, Initiating event, conditional modifiers and IPLs. Justify and address Uncertainties and Sensitivities.
Document the SIS requirements AND the requirements for the other Safety Related Protection Systems (see section 10).
Make sure that you communicate all requirements to the Instrumentation Design and Maintenance function.

We've Now Completed our Analysis

Matrices and other methods

Common alternatives to LOPA

DIN 19250

DIN V 19250 risk graph (figure; layout lost in extraction). Branch parameters: consequence C1 to C4, exposure F1 or F2, demand rate W1 or W3. Outcomes: requirement classes AK1 to AK8, where AK1 = No SIS requirements and the lowest branch gives "No SIS required". IEC 61511 equivalents: SIL 1, SIL 2, SIL 3, SIL 4.

Step 1: Describe the parameter being controlled by instrumentation.
Step 2: Describe the protective function of the instrument system and the automatic or manual actions it carries out or initiates when needed and the independent layers of protection provided.
Step 3: Describe the direct and certain consequence scenario for a failure of the instrument control system to act as described in step 2 (e.g. independent layer of protection is activated).
Step 4: Compare the description from step 3 with the descriptions of Hazard Classes C1 to C4 below:
C1 A minor injury as a result of exposure, a Reportable Medical Treatment Case (RMTC) or a Day Away from Work Case [DAWC] with full rehabilitation. An environmental incident where contamination is confined to the site and where recovery is complete in 1 year.
C2 A fatality on or off site, or a serious irreversible injury or an accident that could result in hospitalization to a member of the public off site. An environmental incident that involves on site cleanup or which could contaminate ground water. Any incident resulting in the local public being told to take shelter indoors.

C3 Multiple fatalities on or off site. An environmental incident resulting in a cleanup off site**. Any event leading to the need to evacuate members of the general public.
C4 Catastrophic effect, very many fatalities.
Step 5: If Step 4 leads to C1 as a result, go to step 7; if C2, C3 or C4, go to step 6.
Step 6: For cases C2, C3 or C4 estimate the frequency of persons being exposed to the hazard if it occurs and choose a description F1 or F2 from below:
F1 Seldom to often, or no people involved (e.g. environmental consequences only). People are in the area intermittently only (e.g. a technician on outside rounds or doing routine sampling).
F2 More frequent to permanent. People are in the area for longer periods (extended exposure of several hours or more at a time).
Step 7: Estimate the frequency of the system being required to function totally (e.g. complete with trip or emergency action) and choose from the descriptions W1 or W3 below.
W1 Very low, remote, few occurrences (requires multiple initiators/failures to occur).
W3 Relatively high, frequent occurrences.
Step 8: Use the combination of C (C1, C2, C3 or C4), F (F1 or F2) and W (W1 or W3) in Table 3 to arrive at the required SIL.

Matrix example from HSE


Risk Graph or Matrices

Advantages
Used by some Competent Authorities
Simple, Qualitative
Does not demand much data

Disadvantages
Do not find scenarios
Imprecise
Subjective
Does not allow easy ALARP evaluation
Cumulative risk from several scenarios difficult to evaluate
Multiple initiators problems
Independence of protection is not clear

LOPA

Advantages
Opportunity to quantify
Assistance in QRA
Clear indication of most cost effective way to close gaps
Easy to mandate a corporate method to gain consistency

Disadvantages
Demand for reliability data
Time consuming
Does not find scenarios
Lots of arguments
Too many easy targets for experts?
Multiple initiators problems

And now we're done...

Unless you are interested in ALARP

And Now It's Your Turn

Let's Discuss

Conventional Control & Safety Systems (diagram; layout lost in extraction)

Control system: Sensor -> BPCS -> Output (CV)
Safety system: Sensor -> Logic Solver -> Output (ROSOV)
Combined Control/Safety System: Sensor, Sensor -> Control output to CV, SIP to ROSOV

Competent Authority position

As I understand it!

Which Authorities accept LOPA? (at least in principle)

OSHA
U.K. H.S.E.
U.K. Environment Agency
Belgium (Flanders anyway)
Netherlands
France
Germany agrees it is equivalent and alternative to risk graph

Buncefield aftermath

LOPA is suggested as Best Practice but work still needed:

Poor examples in documentation
Lack of justification of numbers used
Independence of IPLs not always achieved
Conformance with IEC 61511 not always apparent
LOPA best practice goes further than classic LOPA

Layer of Protection Analysis (LOPA) section 2

Scenarios
LOPA target frequency
Frequencies for Initiating Events

The LOPA Process (flow diagram)

STEP 1: IDENTIFY SCENARIO OF INTEREST
STEP 2: IDENTIFY CONSEQUENCES
STEP 3: IDENTIFY INITIATING EVENTS
STEP 4: IDENTIFY EXISTING IPLS
STEP 5: ADD NEW IPLS IF NEEDED
STEP 6: MAKE RISK DECISIONS
Then: EVALUATING FURTHER RISK REDUCTION SUGGESTIONS, and SELECT THE NEXT INITIATING EVENT (loop back to step 3)

What is a hazardous scenario?

Is it: event → consequence

What is a scenario?

or: initiating cause → event → consequence

Recommend this as the description of a hazardous scenario for LOPA.

What is a scenario? (this is unduly complicated)

Is it: event → consequence
or: initiating cause → event → consequence
or: enabling condition → initiating cause → event → consequence
or: enabling condition → initiating cause → IPL1 fails → IPL2 fails → event → consequence

What is a scenario? Simplified.

Describe the ultimate consequence: injury, environmental effect etc.
Assuming:
Something can initiate it,
And
None of the safeguards work.

Covered here

This section considers event consequences.
It sometimes brings in the initiating cause.
Later sections will give more details on:
cause-consequence pairs
enabling conditions (conditional modifiers)
independent protection layers

Identifying scenarios

Get the right team together:

Process knowledge
Control knowledge
Instrumentation knowledge
Other technical resources
Plant operating staff
LOPA Facilitator

Looks like a HAZOP team but with more emphasis on Control and Instrumentation.

Developing scenarios

Team draws on:
Plant experiences
Existing hazard study reports
Industry experience

Team must know what consequence types are of interest
must have an understanding of scenario credibility and of tolerable risk
must estimate scale of consequences - qualitative or semi-quantitative. May use computer models

Possible consequence types


Identifying scenarios

Use previous qualitative hazard studies such as HS2 and HS3 (typical ICI)

Remember:
The scenario is an input to LOPA and must be developed before LOPA can begin
LOPA is not a primary tool for the identification of hazards

Project hazard studies

Project may have 6 or more integrated hazard studies:

Study 1: Concept stage hazard review
Study 2: Project definition (or FEED)
Study 3: Detailed design hazard study
Study 4: Construction/design verification
Study 5: Pre-commissioning safety review
Study 6: Project close-out/post start-up review

Timing of hazard studies (figure: relationship of six stage process study system to project life cycle)

Project phases: Conceptual, Process development, Project sanction, Design, engineering, construction, Handover, Operation.
Study stages: Stage 1 Concept; Stage 2 Process design; Stage 3 Detailed engineering; Stage 4 Construction; Stage 5 Precommissioning; Stage 6 Post commissioning.

Hazard identification

Possibilities include:
HAZOP
Checklists
What-if
FMEA
FTA
Human factor analysis
Incidents (own and industry)


HAZOP report is a good source of scenarios

Reports normally include the sequence:
Deviation - Cause - Consequence - Safeguards - Recommendation

Good recording will show:
Cause-consequences and safeguards leading to an action
Cause-consequences where safeguards were adequate
All significant consequences identified by the team

Key points

Develop scenarios as an input to LOPA
Get a good team together
Know what outcomes are of interest
Make use of the existing hazard studies
Remember that a scenario may have several different initiating causes and an initiating cause may lead to more than one scenario
The consequence estimation is normally qualitative, at most semi-quantitative
Be realistic

We shall study this case

A petrol storage tank


Possible scenarios (split in 2 slides)

Major leak, pool in bund. No ignition
Major leak, pool in bund. Pool or tank fire
Minor overfill, pool in bund. No ignition
Minor overfill, pool in bund. Pool or tank fire
Major overfill, liquid in bund, vapour cloud, no ignition
Major overfill, liquid in bund, vapour cloud, ignition and tank fire
Major overfill, liquid in bund, vapour cloud, ignition and vapour cloud explosion and big fire

Possible consequences

Severity of consequences must be considered for each:
Plant damage, disruption and consequential loss
Personnel on-site
Personnel off-site
Environment
Public reaction

Target levels from 2 to 6 are possible

We have agreed the scenario but now we need to define LOPA Target Frequency

For the scenario, what frequency can we tolerate?

Exposures to people:
Nuisance effects
Minor Injury
Disabling injury (e.g. exposure to concentrations of a toxic gas > ERPG 2)
Single fatality
Multiple fatalities

ERPG = Emergency Response Planning Guideline

Severity Estimation

Use the ones for Safety Studies for Seveso 2/COMAH
Simple estimation tools (e.g. EPA RMP COM, Dow Fire and Explosion Index, Dow Chemical Exposure Index)
TNO Multi Energy (Fires and explosions)
PHAST modelling (DNV)

Consider on site and off site

Where to get data?
Own company standards.
Seveso guidance (Europe).
Competent Authority requirements.

Are other consequences of interest?

Monetary Loss through property damage and/or business interruption
Environmental

In these cases you may need to assign a cost unless there are rules available.

What shall we use in course case studies? - a suggestion

Example Scenario Target Frequency (Target Frequency/yr: Impact on People On-site / Off-site; column alignment partly lost in extraction)

Nuisance complaint (no target frequency recovered)
1.00E-03: A minor injury with no permanent health damage
1.00E-04: Serious permanent injury, one or more persons
1.00E-05: Single fatality
1.00E-06: 2-5 fatalities / Neighbour injury
1.00E-07: 6-20 fatalities / Neighbour fatality
1.00E-08: 21-100 fatalities / 2-10 neighbour fatalities
1.00E-09: Catastrophic event - many fatalities / Multiple (>10) fatalities to neighbours

Further off-site criteria on the slide: An event requiring neighbours being told to take shelter indoors. An event leading to the need to evacuate neighbours.

From Buncefield LOPA Guidance Dec 2009

Table 2 Risk matrix for scenario-based safety assessments. Likelihood of n fatalities from a tank explosion per tank per year; risk tolerability by number of fatalities (first column label lost in extraction, then 2-10, then 11-50):

10-4/yr - 10-5/yr: Tolerable if ALARP / Tolerable if ALARP / Tolerable if ALARP
10-5/yr - 10-6/yr: Broadly acceptable / Tolerable if ALARP / Tolerable if ALARP
10-6/yr - 10-7/yr: Broadly acceptable / Broadly acceptable / Tolerable if ALARP
10-7/yr - 10-8/yr: Broadly acceptable / Broadly acceptable / Broadly acceptable


Relating to Individual Risk at a facility

The relationship between a scenario-based safety risk assessment (i.e. the likelihood that a single MAH results in a fatality) and the risk to a particular individual (Individual Risk) is presented below. This simplified approach can be used to determine the Individual Risk at an establishment (the likelihood of fatality for the most at risk individual).

Likelihood of fatality for a specific individual due to a single MAH scenario (f), Percentage of year individual is at work (t), Number of fatal MAH events the individual is exposed to at work (n), Aggregate likelihood of fatality for the specific individual (Individual Risk).

Individual Risk

f: Likelihood of fatality for a specific individual due to a single MAH scenario
t: Percentage of year individual is at work
n: Number of fatal MAH events the individual is exposed to at work
F: Aggregate likelihood of fatality for the specific individual (Individual Risk)

$F = t \times \sum_{i=1}^{n} f_i$

Typical Environmental Criteria

Category: Acceptable if frequency less than / Acceptable if Reduced as Reasonably Practical and frequency between / Unacceptable if frequency above

Catastrophic: 10-6 per year / 10-4 to 10-6 per year / 10-4 per year
Major: 10-6 per year / 10-4 to 10-6 per year / 10-4 per year
Severe: 10-6 per year / 10-2 to 10-6 per year / 10-2 per year
Significant: 10-4 per year / 10-1 to 10-4 per year / 10-1 per year
Noticeable: 10-2 per year / ~10+1 to 10-2 per year / ~10+1 per year
Minor: All shown as acceptable

For the purposes of this guidance, the categories from Table 3 have been aligned to COMAH terminology as follows:
"Acceptable if frequency less than" equates to the Broadly Acceptable region
"Acceptable if Reduced as Reasonably Practical and frequency between" equates to the Tolerable if ALARP region
"Unacceptable if frequency above" equates to the Intolerable region

Table from information in IPPC Document

Category: Definitions

Catastrophic / Major (the split of these definitions between the two categories was lost in extraction):
Major airborne release with serious offsite effects
Site shutdown
Serious contamination of groundwater or watercourse with extensive loss of aquatic life
Evacuation of local populace
Temporary disabling and hospitalisation
Serious toxic effect on beneficial or protected species
Widespread but not persistent damage to land
Significant fish kill over 5 mile range

Severe:
Hospital treatment required
Public warning and off-site emergency plan invoked
Hazardous substance releases into water course with mile effect

Significant:
Severe and sustained nuisance, e.g. strong offensive odours or noise disturbance
Major breach of Permitted emissions limits with possibility of prosecution
Numerous public complaints

Noticeable:
Noticeable nuisance off-site e.g. discernible odours
Minor breach of Permitted emission limits, but no environmental harm
One or two complaints from the public

Minor:
Nuisance on site only (no off-site effects)
No outside complaint

1 Heading and introduction from Section 3.7 in IPPC H1: Integrated Pollution Prevention and Control (IPPC) and Environmental Assessment and Appraisal of BAT, Version 6 July 2003.
2 For discussion & review
Table 3 Risk matrix for environmental risk

BUT!

It is very important for a company to have an idea of its risk tolerance criteria.

Have you addressed this?

Post Buncefield Comment from HSE on severity targets

Many terminal operators have ignored societal risk in their risk tolerance criteria.

Frequencies for initiating events

Types of event

External initiating events
Equipment related initiating events
Human failure-related initiating events

External initiating events

Natural phenomena such as:
earthquake
floods
lightning strike
Third party activities, e.g.
domino effects from adjacent plant
crane or vehicle impact damage
contractors digging up power cables
Terrorism or sabotage - not normally taken into LOPA

Frequencies for external events

Look for historical data
Check that:
it is relevant to the situation under analysis, and
the database is large enough to be significant
If necessary, adjust for the local situation
Select an order of magnitude value for use in LOPA analysis

Equipment related failures

Mechanical systems, e.g. pump, valve, vessel, pipeline failures, etc.
Causes include: wear, corrosion, vibration, wrong choice of material, use outside design range, poor/no maintenance, etc.
Control systems: component failures - whole or part loop

Data for equipment failure rates

Company data is the preferred source as it refers to:
the specific type of equipment
in its actual operating environment
for the materials actually used
with the maintenance policy in use.
But will it be available and meaningful?

Might get good enough figures by seeking maintenance records.

Industry sources

AIChemE Centre for Chemical Process Safety (CCPS) Guidelines for:
Chemical Process Quantitative Risk Analysis
Process Equipment Reliability Data with Data Tables
Improving Plant Performance through Data Collection and Analysis
Layer of Protection Analysis: Simplified Risk Assessment

Purple Book (CPR 18E) Guidelines for Quantitative Risk Assessment (latest version 1999). NL Authorities

Industry sources

OREDA Offshore reliability data handbook
Oil industry based. Latest version 2002
Aims to provide quantitative and qualitative information as basis for reliability, availability, maintainability and safety analyses

FARADIP Failure rate data in perspective
failure rate ranges for items of electrical, mechanical, pneumatic instrumentation and protective devices

See websites for more information

Selecting a failure rate

Select from the quoted range (typically 1 or 2 orders of magnitude)
Adjust to local conditions, reflecting expert opinion
Be in accordance with the company policy on risk-based decisions
Have a consistent degree of conservatism

Selecting a failure rate

Typical Initiating events:
Pump failure, loss of flow: 0.1 yr-1
Double mechanical seal pump: 0.01 yr-1
Expansion joint fails: 0.01 yr-1
Heat exchanger tube leak (<100 tubes): 0.01 yr-1
Lightning strike: 0.001 yr-1

Human failure-related initiating events

Errors of omission or of commission:
Steps not done properly
Steps done in the wrong sequence
Steps omitted
Failure to respond to alarms or other plant condition indicators

Human behaviour

Sources include:
CCPS Guidelines for preventing Human Error in Process Safety
Human error, J T Reason, CUP, 1990
An engineer's view of human error, T A Kletz, IChemE, Rugby 1990
D E Embrey, Quantitative and qualitative prediction of human error in safety assessments, Major Hazards Onshore & Offshore, IChemE Symp. Ser. 103, 1992

Factors affecting human error rates

These include:
Information available to the operator
Operator familiarity with the problem
Selection and training of personnel
Ergonomics of the operating and control system
Time available for action and the actions required
Management attitudes to safety vs production
Other activities and stress level

Failure to respond to an alarm

Consider, for each event, the steps in the operation. The operator must:
hear the alarm or be alerted to the developing problem
then correctly analyse what is wrong
then decide on a correct action
then carry out the action in time
This should enable you to make a reasonable estimate of the failure rate.

Human error rates (probability)

From observations on nuclear and chemical plants

EVENT: Pfailure
Fails to act in 60 s of high stress event: 1.0
Wrong valve setting missed during general inspection: 0.5
New shift fails to check hardware state (no checklist): 0.1
Supervisor does not recognise error by operator: 0.1
Failure to follow instructions: 0.07
Human error of omission: 0.01
Failure to notice an audible alarm: 0.0003

(Taken from 2nd report of the study group on human factors, HSC, 1991)

Some typical human error rates

Task: Probability of failure
Complex, non-routine: >1 in 4 (P>0.25)
Non-routine with other simultaneous tasks: 1 in 10 (P=0.1)
Routine needing care: 1 in 100 (P=0.01)
Routine, simple: 1 in 1000 (P=0.001)
Simplest possible action: 1 in 10^4 (P=0.0001)

Some frequency values

Initiating event: Range (yr-1) / Selected value
Spurious opening of RV: 1x10-2 to 10-4 / 1x10-2
Cooling water failure: 1x10-0 to 10-2 / 1x10-1
Pump seal failure: 1x10-1 to 10-2 / 1x10-1
Lightning strike: 1x10-3 to 10-4 / 1x10-3
Operator fails to execute routine procedure (per opportunity): 1x10-1 to 10-3 / 1x10-2

Taken from CCPS Layer of Protection Analysis, 2001

Demand rates - how to consider

The LOPA method in the course assumes low demand rates on SIFs - normally less than 1 per year.
Special care is needed for high demand rates - see later.

Overall summary

Need data for external, hardware and human failure related events
Look at history and experience for guidance on possible rates
Adjust to local conditions and to company policy
Be consistent; be mildly cautious
Remember, LOPA starts as an order of magnitude method

Layer of Protection Analysis Section 3

Enabling events and Conditional modifiers
Independent Protection Layers
Safety Instrumented Systems
Other Safety Related Protection Systems

Conditional Modifiers/Enabling Conditions

Conditional Modifier - An event or condition that makes possible another event.
does not cause a scenario
must be present for the scenario to develop
usually expressed as a probability
May not be applicable for large releases of volatile toxic materials - these already present a problem to exposed people

Examples of Enabling Events and Conditional Modifiers

Probability of ignition - a gas release ignites becoming a fire or explosion.
Unloading operation carried out infrequently
Event occurring in an infrequently occupied area
A batch reaction can runaway from loss of cooling only at the beginning of the batch
Other credible ideas?

Enabling Event - Allowing for time at risk

Frequencies given as per year (1 yr = 8760 hours)
Initiating event (e.g. loss of cooling water) may only matter in a short critical stage, a few hours per week
Suppose this is twice a week for an hour at a time, so loss of cooling only matters for 1x2x52 hours per year
Fraction of time at risk is 1x2x52/8760 = 0.012
If frequency of cooling water loss is 1x10-1 yr-1 then frequency of the initiating event is 0.012 x 1x10-1 yr-1 or, as a round number, 1x10-3 yr-1
Alternatively, treat criticality as an enabling condition and bring the 0.012 factor in there

Time at risk

Be careful that you do not double count time at risk when considering human error as initiator.
If you assume that an action taken 100 times per year has a probability of failure per opportunity of 1 in 1000, the event frequency is 1 in 10 years.
Time at risk is already accounted for.

For infrequent operations

What do we think about an operation which apparently poses a high risk during the operation?
Are there other mechanisms to protect the exposed person(s)?
How do you deal with this?

Independent Layers of Protection (IPLs)

Definition of an IPL: A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.

Testing is also essential.

Independent Layers of Protection:
Basic Process Control system (BPCS)
Interlocks
Alarms and Operator Intervention
Relief and containment Systems
Safety Instrumented Systems (SIS)
Other Safety Related Protection Systems (SRPS)
There may be others (like gas detection or diagnostic equipment for turbines; in special cases non return valves may qualify)

Basic Process Control System - e.g. conventional controller or DCS

Needs to be internally verified by user: proven reliability in use
Documentation on Safety Related function wherever it performs this function
Safety trip or alarm loops must be tested. (Not fit and forget)

Alarms and Operator Intervention

Must be independent of the BPCS if the BPCS already provides a trip (logic solver may be shared if it has proven reliability and separated channels)
Different loops
Different Power supplies
Written procedure
Operator must be trained
Procedure must interrupt chain of events
Operator must have time to respond - concept of Process Safety Time
Audited - tested - recorded

Process Safety Time:

The time between a hazardous deviation/Initiating event (e.g. BPCS loop fails) and the hazardous event (e.g. hazardous release) occurring if no protection layers intervene.

EXAMPLE:
Tank T912 has a capacity of 6000 m3
Tank T912 fills at 500 m3 per hour
Level alarm on T912 is set at 90% full
Process Safety Time is (6000 x 0.1)/500 hrs = 1.2 hrs

This is important for operator response and for automated response where the protection takes a significant time to act, e.g. a 36 inch automated block valve whose closing time could be 35 seconds.

Operator Intervention, care needed, see PSLG Final Report App. 2

[Chart: Probability of Failure to Make the Right Decision (vertical axis, 10 down to 0.000001) against Time available to respond, minutes (horizontal axis, 1 to 1000), with separate curves for "Operator not well trained", "Operator normally trained" and "Operator well trained".]

In task analysis for response to alarms and comparison with the Process Safety Time, this data is useful.

Some rules for BPCS and Alarms

1 If BPCS and Alarm IPLs use the same sensor, take credit for one IPL only.
2 The Alarm IPL requires an operator action to prevent the scenario.
3 If a sensor failure is the Initiating Event, BPCS and Alarm IPL are not valid credits if they require the failed sensor to function.
4 If a final element failure is the Initiating Event, BPCS and Operator action on Alarm IPL are not valid credits if they require the failed final element to function.
5 If a BPCS logic solver is an Initiating Event, no credit is taken for the BPCS or Alarm IPL, unless the Alarm IPL is a completely separate system.
6 If an Alarm is an IPL, the operator must have time to prevent the scenario. No credit should be taken if the operator has less than 10 minutes to respond.
7 Only one (1) BPCS and one (1) Alarm IPL credit are allowed for a case.
8 Sharing of BPCS and SIS elements may be allowed when there is evidence of adequate independence.
9 Mechanical safety devices such as over-speed trips are not Instrumented IPLs. However they may qualify as an Independent Safety Related Protection System as Other Safety Related Protection Systems (SRPS).
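As an added worked example (not code from the slides), the Process Safety Time formula from the T912 slide and rules 1 and 3 to 7 above, in Python. The T912 figures (6000 m3, 500 m3/h, alarm at 90%) and the 900 m3/h maximum fill rate and LSHH 912 at 95% from case study 1 are taken from the slides; the Scenario fields, the tag names "ATG" and "hardwired", and the way each rule is encoded are this example's assumptions.

```python
"""Process Safety Time and the BPCS/Alarm IPL credit rules.

Added worked example, not code from the slides. The PST formula follows the
T912 slide; allowed_credits() encodes rules 1 and 3 to 7 listed above.
Scenario fields, tag names such as "ATG" and the "hardwired" marker are
this example's own assumptions.
"""
from dataclasses import dataclass


def process_safety_time_hours(capacity_m3: float, fill_rate_m3_per_h: float,
                              alarm_fraction: float) -> float:
    """Hours from the alarm setpoint to a full tank if no layer intervenes:
    PST = capacity x (1 - alarm fraction) / fill rate (slide: (6000 x 0.1)/500 = 1.2 h)."""
    if not 0.0 < alarm_fraction < 1.0 or fill_rate_m3_per_h <= 0:
        raise ValueError("alarm fraction must lie in (0, 1) and fill rate must be > 0")
    return capacity_m3 * (1.0 - alarm_fraction) / fill_rate_m3_per_h


@dataclass
class Scenario:
    """One LOPA case; an empty tag means that element/credit is not claimed."""
    initiating_event: str             # "sensor", "final_element", "logic_solver" or "other"
    failed_tag: str = ""              # tag of the element whose failure is the initiating event
    bpcs_sensor: str = ""             # BPCS trip loop; empty = no BPCS credit claimed
    bpcs_final_element: str = ""
    bpcs_logic_solver: str = ""
    alarm_sensor: str = ""            # alarm IPL; empty = no alarm credit claimed
    alarm_final_element: str = ""     # what the operator acts on
    alarm_logic_solver: str = ""      # "hardwired" when no logic solver is in the alarm path
    operator_minutes_available: float = 0.0   # time to respond, e.g. the PST in minutes


def allowed_credits(s: Scenario) -> dict:
    """Apply the rules and return the surviving BPCS and alarm credits (0 or 1)."""
    credits = {"bpcs": bool(s.bpcs_sensor), "alarm": bool(s.alarm_sensor)}
    notes = []

    def drop(which: str, reason: str) -> None:
        if credits[which]:
            credits[which] = False
            notes.append(reason)

    if s.initiating_event == "sensor":            # rule 3
        if s.bpcs_sensor == s.failed_tag:
            drop("bpcs", "rule 3: BPCS trip needs the failed sensor")
        if s.alarm_sensor == s.failed_tag:
            drop("alarm", "rule 3: alarm needs the failed sensor")
    elif s.initiating_event == "final_element":   # rule 4
        if s.bpcs_final_element == s.failed_tag:
            drop("bpcs", "rule 4: BPCS trip needs the failed final element")
        if s.alarm_final_element == s.failed_tag:
            drop("alarm", "rule 4: operator action needs the failed final element")
    elif s.initiating_event == "logic_solver":    # rule 5
        drop("bpcs", "rule 5: BPCS logic solver is the initiating event")
        if s.alarm_logic_solver == s.failed_tag:
            drop("alarm", "rule 5: alarm is not a completely separate system")

    if credits["bpcs"] and credits["alarm"] and s.bpcs_sensor == s.alarm_sensor:   # rule 1
        drop("alarm", "rule 1: shared sensor, one IPL credit only")
    if s.operator_minutes_available < 10.0:                                       # rule 6
        drop("alarm", "rule 6: operator has less than 10 minutes to respond")
    # rule 7: at most one BPCS and one alarm credit per case; the two flags enforce it
    return {"bpcs": int(credits["bpcs"]), "alarm": int(credits["alarm"]), "notes": notes}


def t912_operator_error_case() -> dict:
    """Operator fails to stop the remote pump; the ATG 90% alarm is the claimed
    alarm IPL. Worst case uses the 900 m3/h maximum fill rate from case study 1."""
    minutes = 60.0 * process_safety_time_hours(6000, 900, 0.90)
    case = Scenario(initiating_event="other", alarm_sensor="ATG",
                    alarm_final_element="remote feed pump", alarm_logic_solver="hardwired",
                    operator_minutes_available=minutes)
    return {"pst_minutes": minutes, **allowed_credits(case)}


def t912_atg_failure_case() -> dict:
    """The ATG itself is the initiating event: the 90% alarm hangs off the same
    sensor, so rule 3 removes the alarm credit however much time is available."""
    case = Scenario(initiating_event="sensor", failed_tag="ATG", alarm_sensor="ATG",
                    alarm_final_element="remote feed pump", alarm_logic_solver="hardwired",
                    operator_minutes_available=60.0 * process_safety_time_hours(6000, 500, 0.90))
    return allowed_credits(case)
```

The 95% LSHH 912 setpoint at 900 m3/h leaves 20 minutes, which is why rule 6 is checked against the worst-case fill rate rather than the nominal one.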

Relief Devices

Adequate for the scenario
Tested
Does not cause another event: e.g. may prevent vessel rupture, but if the resulting discharge can injure people it needs more study.
May be possible to get some credit for extra devices whose performance (PFD) can be estimated.

Safety Instrumented Systems

Use of a SIS should be after all other IPLs have been considered.
Available for SIL 1, 2 or 3 (4 is usually for air travel and nuclear).
Certification and documentation more stringent than for BPCS etc.
Not available yet for many functions.
SIL 3 and some SIL 2 systems present problems with block valves (testing).
Rules needed on component sharing.

Safety Instrumented Systems

1E-01 > SIL 1 >= 1E-02
1E-02 > SIL 2 >= 1E-03
1E-03 > SIL 3 >= 1E-04

Independent Layers of Protection - what about..?

Un-contained relief
Dikes or bunds
Automatic Fire protection
Emergency Plans
Be wary: these may provide mitigation and not prevention, and in some cases are not quantifiable. All IPLs are safeguards but not all safeguards are IPLs.

Independent Layers of Protection (IPLs) - remember!

Definition(s) of an IPL:
A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.
Functional test possible

Other Safety Related Protection Systems
What may we include?

Other Safety Related Protection Systems

Management Systems
Inspection
Buddy system to reduce frequency of initiating event, or use as a Conditional Modifier (choice of where to use it)
Mechanical devices

In all cases they need to be credible, effective, actionable and auditable. It may not be possible to fully test.

Other possible Safety Related Protection Systems

Emergency Response
Shelter in place
Procedures
Personal Protective Equipment (e.g. Cl2 respirators)

But they may only mitigate effects and are not necessarily available to all the exposed population. Consider adjusting the severity estimate if you have confidence in effectiveness.

Internal discipline

To have credibility remember:
Independence requirement
Adequacy requirement
and
Realistic testing

Layer of Protection Analysis section 4

ALARP
Uncertainties and Sensitivities
Cumulative initiators

ALARP issue

When have you done enough? Is the final predicted frequency of the scenario as low as reasonably practicable (ALARP)?

The ALARP triangle

[Diagram: the ALARP triangle, top to bottom: Unacceptable region; Tolerable region; Broadly acceptable region.]

What seems to be important

Need to demonstrate ALARP when risk tolerance criteria are met.
Need to demonstrate even when we believe that we are in the Broadly Acceptable Region (ex R2P2 from HSE).
Need to justify data used.
Need to reduce sensitivity and uncertainty.

Can we produce a simple means of evaluating the value of added IPLs?

Cost = Capital + maintenance over life of plant
Value = Value of risk reduction
If Cost >>> Value it may prove to be grossly disproportionate

EXAMPLE where Risk Tolerance criteria => 1e-07

Consideration of other layers of protection - only to be used if gap is closed and you need to do cost benefit on further IPLs! (e.g. test for ALARP)
Description: Independent Trip of steam supply with block valve linked to independent temperature loop
Total Capital Cost of extra IPL: 200
Cost of maintaining extra IPL/yr: 50
Risk Reduction anticipated (enter 10, 100 or 1000 fold reduction in frequency): 1.00E+01
Anticipated future life of plant (yrs): 50
"Value" of Risk Reduction (000's): 1000
Cost of added IPL over life of plant: 3500
Incremental reduction in frequency per year: 9.0000000E-08
Value of risk reduction over life of plant: 4.500000
Ratio of Cost of extra IPL/Value of Risk Reduction: 778

EXAMPLE where Risk Tolerance criteria => 1e-05

Consideration of other layers of protection - only to be used if gap is closed and you need to do cost benefit on further IPLs! (e.g. test for ALARP)
Description: Independent Trip of steam supply with block valve linked to independent temperature loop.
Total Capital Cost of extra IPL: 200
Cost of maintaining extra IPL/yr: 50
Risk Reduction anticipated (enter 10, 100 or 1000 fold reduction in frequency): 1.00E+01
Anticipated future life of plant (yrs): 50
"Value" of Risk Reduction (000's): 1000
Cost of added IPL over life of plant: 3500
Incremental reduction in frequency per year: 9.0000000E-06
Value of risk reduction over life of plant: 450.000000
Ratio of Cost of extra IPL/Value of Risk Reduction: 7.78
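The same arithmetic as the two spreadsheet examples above, written out as an added Python example (not the slides' spreadsheet). The lifetime cost of 3500 is taken as an input because the slides do not show how it was derived; the lifetime_cost_undiscounted() helper and the gross-disproportion threshold argument are this example's own assumptions.

```python
"""ALARP cost-benefit check for an added IPL.

Added worked example, not the spreadsheet from the slides. It reproduces the
two EXAMPLE slides (tolerance 1e-07 and 1e-05 per year, 10-fold reduction,
50-year life, "value" 1000 in thousands, lifetime cost 3500). The slides do
not show how 3500 was derived, so lifetime cost is an input here;
lifetime_cost_undiscounted() is an assumed formula, not the slides' one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AddedIpl:
    description: str
    tolerable_frequency_per_yr: float    # risk tolerance criterion the case currently just meets
    reduction_factor: float              # 10, 100 or 1000 fold reduction in frequency
    plant_life_yrs: float
    value_of_risk_reduction_000s: float  # "value" per event avoided, in thousands
    lifetime_cost: float                 # capital + maintenance over the life of the plant


def lifetime_cost_undiscounted(capital: float, maintenance_per_yr: float,
                               plant_life_yrs: float) -> float:
    """Simplest reading of 'Cost = Capital + maintenance over life of plant'
    (assumption: no discounting; this does not reproduce the slide's 3500)."""
    return capital + maintenance_per_yr * plant_life_yrs


def incremental_frequency_reduction(tolerable: float, factor: float) -> float:
    """Frequency removed per year by the extra IPL: f - f/factor."""
    if factor < 1:
        raise ValueError("reduction factor must be >= 1")
    return tolerable - tolerable / factor


def alarp_evaluation(ipl: AddedIpl) -> dict:
    """Value of the risk reduction over plant life and the cost/value ratio."""
    dfreq = incremental_frequency_reduction(ipl.tolerable_frequency_per_yr,
                                            ipl.reduction_factor)
    value_life = dfreq * ipl.value_of_risk_reduction_000s * 1000.0 * ipl.plant_life_yrs
    ratio = ipl.lifetime_cost / value_life if value_life > 0 else float("inf")
    return {"incremental_reduction_per_yr": dfreq,
            "value_over_life": value_life,
            "cost_value_ratio": ratio}


def grossly_disproportionate(ratio: float, disproportion_factor: float) -> bool:
    """True when cost exceeds value by more than the factor the company accepts.
    The slides give no number for this factor, so it is a required input."""
    return ratio > disproportion_factor


def slide_examples() -> dict:
    """The two slide cases, which differ only in the risk tolerance criterion."""
    out = {}
    for tol in (1e-07, 1e-05):
        ipl = AddedIpl("Independent trip of steam supply with block valve linked "
                       "to independent temperature loop", tol, 10, 50, 1000, 3500)
        out[tol] = alarp_evaluation(ipl)
    return out
```

Run on the 1e-07 case the ratio comes out at 778 and on the 1e-05 case at 7.78, the same figures as the two slides; the tolerance criterion, not the IPL, is what moves the answer.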

Uncertainty and Sensitivity

The more precision you attempt, the greater the questions of uncertainty and sensitivity.
Reliability and failure data are emerging, but the challenge is to justify the information you use.
There are no easy answers but in the end.. I believe that the biggest potential failures are the scenarios we may have missed.
The conclusion of a LOPA study should make some qualitative judgement - which assumptions have the biggest negative effect if wrong?

UNCERTAINTIES AND SENSITIVITY IN A LOPA STUDY

UNCERTAINTIES

Uncertainty: Where in the study have we uncertain knowledge of (e.g.) frequencies or probabilities or effectiveness which might affect the outcome?

SENSITIVITIES

Sensitivity: Which items in the study have the biggest impact if we have inaccurate information? Usually, these are items which are expected to have very low failure rates.

It is suggested that each study case includes statements about both the Uncertainty and Sensitivity:

UNCERTAINTY
Case: 1.0
Scenario: R 101 rupture due to runaway reaction
Initiating Event: Failure rate data of Temperature Control loop well known and documented
Conditional Modifier: Capacity of facility will always dictate that the hazard is present <10% of the time
IPL: Recent history of fouling on Relief Valve places a doubt on PFD
Action: Modify entry to relief section to ensure incoming solvent cleans nozzle every batch. Add quarterly inspection.

SENSITIVITY
Case: 1.0
Scenario: R 101 rupture due to runaway reaction
Initiating Event: Failure rate data of Temperature Control loop well known and documented
Conditional Modifier: Capacity of facility will always dictate that the hazard is present <10% of the time
IPL: Relief Valve action PFD is 1e-02: indicates that there is a heavy reliance on this IPL. Failure to function on demand has a major effect on frequency of top event
Action: Modify entry to relief section to ensure incoming solvent cleans nozzle every batch. Add quarterly inspection.

Advice

The team should have a clear idea of where the sensitivity and uncertainty arise in each case - so record it if significant.

Conservatism

Initiating events are dangerous failures. In a properly designed system these should have been minimised.
IPL PFDs are normally conservative if all rules on design, independence and testing are observed.
Using bottom of range of SIL ratings is conservative.

All this is particularly important if a single scenario has multiple possible initiators.

Cumulative initiators
Can/should LOPA consider multiple initiators?
Mimic bow tie

[Bow-tie diagram: Initiating Events 1 to 4 pass through prevention LOPs/LODs (IE 1: 1a 1b 1c; IE 2: 1a 2a; IE 3: 3a 3b 3c; IE 4: 4a) to a Release, then through mitigation LOPs/LODs M1 and M2 to the outcomes No consequence, Consequence A, Consequence B and Consequence C.]

Conventional or classic LOPA

Each case considers:
Tolerated Risk Frequency
Initiating event frequency
Conditional Modifiers
Probability of Failure on Demand of each relevant Independent Layer of Protection

One initiating event considered for each case.

Case 1

[Bow-tie diagram as above, repeated for Case 1.]
Case 2 considers I.E. 2 + Release
Case 3 considers I.E. 3 + Release
Case 4 considers I.E. 4 + Release

Case 2

[Bow-tie diagram as above, repeated for Case 2.]
Case 2 considers I.E. 2 + Release
Case 3 considers I.E. 3 + Release
Case 4 considers I.E. 4 + Release

Case 3

[Bow-tie diagram as above, repeated for Case 3.]
Case 2 considers I.E. 2 + Release
Case 3 considers I.E. 3 + Release
Case 4 considers I.E. 4 + Release

Case 4

[Bow-tie diagram as above, repeated for Case 4.]
Case 2 considers I.E. 2 + Release
Case 3 considers I.E. 3 + Release
Case 4 considers I.E. 4 + Release

Several Initiators for the same scenario

Conventional classic LOPA deals with each in separate cases: no cumulative frequencies.
Conventional LOPA normally uses conservative generic data.
Conventional LOPA produces conservative results, believed to compensate for the potential increase in apparent frequency caused by multiple initiators.
LOPA and its tools can be readily adapted to consider the additive effects of more than 1 initiating event.
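An added Python example (not from the slides) that carries the classic per-initiator LOPA arithmetic, the SIL bands from the Safety Instrumented Systems slide, and the additive treatment of several initiators through one scenario, and then ranks IPL credits by sensitivity as the UNCERTAINTY/SENSITIVITY slides suggest. Slide data used: hazard present <10% of the time and relief valve PFD 1e-02 (R 101 case) and 100 actions/yr at 1 in 1000 (human error initiator); the 0.1/yr control loop failure frequency, the 1e-05/yr tolerated frequency and the IPL names are constructed for illustration.

```python
"""Classic LOPA, cumulative initiators and a sensitivity ranking.

Added worked example, not the slides' own spreadsheet. Slide data used:
hazard present <10% of the time, relief valve PFD 1e-02 (R 101 case) and
100 actions/yr at 1 in 1000 (human error). The 0.1/yr control loop failure
frequency, the 1e-05/yr tolerated frequency and the IPL names are
constructed for illustration only.
"""
import math
from dataclasses import dataclass, field


@dataclass
class Initiator:
    """One initiating event with its conditional modifiers and IPL credits."""
    name: str
    frequency_per_yr: float
    conditional_modifiers: dict = field(default_factory=dict)  # name -> probability
    ipl_pfds: dict = field(default_factory=dict)               # name -> PFD

    def mitigated_frequency(self) -> float:
        """Initiating frequency times every modifier and every IPL PFD."""
        f = self.frequency_per_yr
        for p in (*self.conditional_modifiers.values(), *self.ipl_pfds.values()):
            if not 0.0 <= p <= 1.0:
                raise ValueError("probabilities and PFDs must lie in [0, 1]")
            f *= p
        return f


def human_error_frequency(opportunities_per_yr: float, pfd_per_opportunity: float) -> float:
    """100 actions/yr at 1 in 1000 = 0.1/yr (1 in 10 years). Time at risk is
    already inside this figure, so no further time-at-risk modifier is applied."""
    return opportunities_per_yr * pfd_per_opportunity


def required_sil(required_pfd: float) -> str:
    """SIL band from the slide table (1E-01 > SIL 1 >= 1E-02 and so on).
    n = decades of risk reduction required; an exact decade (0.1, 0.01) is
    placed in SIL n, i.e. the function must be designed to no worse than 10^-n."""
    if required_pfd >= 1.0:
        return "no SIS needed"
    n = math.floor(round(math.log10(1.0 / required_pfd), 9))
    if n == 0:
        return "below SIL 1"
    return f"SIL {n}" if n <= 3 else "beyond SIL 3"


def lopa_case(tolerated_per_yr: float, initiators: list) -> dict:
    """Classic LOPA: call with one initiator. Cumulative variant: pass all the
    initiators of the scenario and their mitigated frequencies are summed."""
    per_initiator = {i.name: i.mitigated_frequency() for i in initiators}
    total = sum(per_initiator.values())
    gap_decades = math.log10(total / tolerated_per_yr) if total > 0 else -math.inf
    required_pfd = min(1.0, tolerated_per_yr / total) if total > 0 else 1.0
    return {"per_initiator": per_initiator, "mitigated_frequency": total,
            "gap_decades": gap_decades,      # zero or less: the gap is closed
            "required_pfd": required_pfd,
            "sil": required_sil(required_pfd)}


def sensitivity_ranking(tolerated_per_yr: float, initiators: list,
                        worse_by: float = 10.0) -> list:
    """For each IPL credit ask: if its PFD is really `worse_by` times higher,
    how many times the tolerated frequency does the scenario become?"""
    base = lopa_case(tolerated_per_yr, initiators)["mitigated_frequency"]
    ranking = []
    for i in initiators:
        for ipl, pfd in i.ipl_pfds.items():
            if pfd == 0:
                continue
            worse = min(1.0, pfd * worse_by)
            extra = i.mitigated_frequency() * (worse / pfd - 1.0)
            ranking.append((i.name, ipl, (base + extra) / tolerated_per_yr))
    return sorted(ranking, key=lambda r: r[2], reverse=True)


def r101_example() -> dict:
    """Runaway reaction in R 101 with two initiators (values partly constructed)."""
    tolerated = 1e-05
    loop = Initiator("Temperature control loop fails", 0.1,
                     {"hazard present <10% of time": 0.1},
                     {"Relief valve": 1e-02})
    human = Initiator("Operator error (100 actions/yr at 1e-3)",
                      human_error_frequency(100, 1e-03),
                      {},                           # time at risk already counted
                      {"Relief valve": 1e-02})
    return {"classic": {i.name: lopa_case(tolerated, [i]) for i in (loop, human)},
            "cumulative": lopa_case(tolerated, [loop, human]),
            "most_sensitive": sensitivity_ranking(tolerated, [loop, human])[0]}
```

The classic answer is driven by the worst single initiator; summing the two raises the gap from 2.0 to 2.04 decades here, and the ranking shows that a ten-fold error in the relief valve PFD would put the scenario about a thousand times over the tolerated frequency, which is the "heavy reliance" the SENSITIVITY table warns about.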

LOPA and its tools can be readily adapted to consider the additive effects of more than 1 initiating event

Implies greater accuracy.
If more accurate as a system, should more specific and (hopefully) more accurate failure frequencies be used?
Alternative version of simple software can accommodate this.

Suggestion

If it is desired to assign a single case with several (additive) initiators, recommend that care is needed to make sure that unrealistically high generic failure frequencies are not used.
If there are many initiating events for the same hazardous phenomenon this challenges the design and Inherent Safety of the process under control.

Section 5
The LOPA study session
Recommendations

The LOPA study session

The team
Process control
Instrumentation
Technology or Chemistry expertise
Operations
Operator
Shift Leader
Programmer
Safety Contact
Trained LOPA facilitator
IEC 61511 knowledgeable person somewhere in this list (spot potential violations of standard)

Materials/resources
Piping and Instrument Diagrams
Process Flow sheets
Process Conditions (flow, pressure, phase, temperature etc.)
Normal operating envelope for process
Equipment data (Max. allowable working pressure, Pressure Safety Devices set pressures, temperature limitations)
Trip and alarm settings
List of loops and systems which are bypassed
Previous hazard study reports (e.g. HAZOP)

Procedure 1
Systematic examination of each process unit (column, pump, reactor, storage vessel, heat exchanger, receiver, rotating equipment, filter etc.)
For each process unit, list hazardous scenarios of interest
One member to follow proceedings with the HAZOP report (if available): keep them honest and don't miss anything already evaluated

Procedure 2
Log equipment tag and scenario in workbook
Assign severity target to scenario: enter in workbook
Consider first initiating event which can cause the scenario (usually failure of a control system): enter in workbook
Consider conditional modifiers (ignition, probability of exposure): enter in workbook

Procedure 3 (IPLs)
Consider action of Basic Process Control System trip (if any): remember the rules of independence; enter in workbook
Consider alarm and response: remember the rules on independence and operator ability to respond; enter in workbook
Consider Pressure Safety Devices (overpressure scenarios only): enter in workbook
Consider other Safety Related Protection Systems: remember rules on qualification; enter in workbook

Procedure 4 (SISs)
If a protection gap exists or there is already a SIS, enter in the workbook
Observe the protection gap: is it zero or less?
If > zero, what additional measures are possible?
Consider Uncertainty and Sensitivity and describe in the remarks column of the workbook
For the same scenario, repeat for other initiating events (e.g. human error)

Alternative Procedure possible but has drawbacks
Starting with a list of all loops:
Address what events each loop can initiate
List these as scenarios and carry out the procedure as described earlier

Drawback:
Many loops may not influence hazardous events: you might lose your team!

Hand over to Instrumentation Design and Operations
LOPA Workbook
Decisions on SISs
Confirmation of other Safety Related Layers of Protection required (qualified, recorded, in test/inspection/audit regime)
Safety Instrumented Function complete description
Safety Related Protection System Function complete description
Unresolved issues

Initiating Events where care is needed
Piping failures
Vessel failures (pressure vessels and storage tanks)
Heat exchanger tube failures
Maintenance failures
Corrosion
Some human errors (particularly under stress)

What have I advised?
Do the scenario case with these initiating events (pipe failure etc.)
Credit all true IPLs (which stop the scenario)
Assess if there are gaps remaining
Add mitigating systems (not true IPLs) back into the equation
Study and improve mitigation systems to establish confidence in effectiveness (and a testing regime)

Finally - caution
Be very careful that the credits taken for
conditional modifiers do not change with
time or plant capacity. E.g. if you assume
that the operation is taking place less than
10% of the time, what happens if the
plant doubles its utilisation. Is the credit
still true, or is the time at risk greater?

Controversial areas
The BPCS as a Layer of protection
Need to pay attention to requirements in BS EN 61511

Controversial areas
Operator Response as a layer of protection:
Can an operator be part of a SIS?
IEC 61511(1) 3.2.72 note 5 says yes but does not give guidance (although it says it does).
Don't make excessive claims for the operator.
Prefer a completely automatic system as a SIS.

Recommendations
If you choose LOPA

Make sure you train your facilitators
Ensure that company target tolerated severity frequencies are the same for all cases
Ensure they all use the same company (Process Safety Expertise) tools and spreadsheets (with common Initiating Event types and frequencies and IPL PFDs)
If possible specify default scenarios for specific technologies/businesses
MAKE YOUR RULES WORK!

If you do these things you will achieve a high degree of consistency.

Final warning
Don't massage the numbers to get the answer you want.

LOPA is like a spy: you can torture it until it tells you what you want to hear.

Case 1 Large Storage tank

A petrol storage tank

[Drawing: gasoline tank with servo level indicator (ATG), access hatch for dipping, funnel for dip, independent level switch LSHH 912, atmospheric vents, vented ullage, internal floating roof, flow in/out.]

Case 2 PADDING/INERTING

[Drawing: storage of xylene in tank T-25 with level instruments LT and LSL; nitrogen control valve set +5 mbar (vac) and +20 mbar (press); N2 at 10 mbar and N2 at 2 bar; vent; pressure/vacuum relief; fill line; MAWP = fill + 30 mbar.]

Case no 3

[Drawing labels: reactor R 201 (T), steam in, condensate out, weigh, TE 201a, TE 201b, agitator A 201 with amps alarm, CV 201, VV 201, conservation vent, vent to scrubber, PSV 201, containment vessel V 201 (T), pump P 201 to esterification section, feed lines for pyridine compound (FT, flow), NaOH and water; valves marked f.c. and f.o. f.c. = fail closed; f.o. = fail open.]

Case 4
What scenarios can occur?

[Drawing: vessel V 301 feeding a standard centrifugal pump P 301, rated at 3 kW, operating at 55 C on a thermally sensitive material, delivering to the mixing unit.]

Case 5 Recent Example

[Drawing labels: distillation column with furnace; feed hydrocarbon in; heat exchanger (product out heats feed in); condenser; condensate; vent relief system; atmospheric blowdown stack with overflow to sewer; product out; alarms PAH and LAH (three LAH shown).]

Flowsheet for Case 6

[Flowsheet labels: L.P.G. feed; VE 206, op. press. 25 barg, M.A.W.Press. 30 barg; FCV 206 (6 in) on an 8 in. line; LIC 206 and LIC 206a; FIC 206; E 206 (stm); VE 206 overheads to C 207; VE 207, op. press. 12 barg, M.A.W.Press. 15 barg; PSV 207a (10 in x 12 in) set press. 15 barg, to flare; BV 206; E 207 (stm); LIC 207; FIC 207; FCV 207 (6 in) to VE 208.]

Flowsheet for Case 6 (same flowsheet as above)
Case: Low level in VE 206 opens up FCV 206 and admits high pressure gas into VE 207

Flowsheet for Case 6 (same flowsheet as above; L.P.G. feed 24-25 barg)
Is there adequate protection against loss of level in VE 206?
Possible solution?

Case study 1: a large gasoline tank.

[Drawing: Case 1 Large Storage tank, as shown earlier: servo level indicator (ATG), access hatch for dipping, funnel for dip, independent level switch LSHH 912, atmospheric vents, vented ullage, internal floating roof, flow in/out, gasoline.]


The 6000 M3 tank is filled from a pipeline with remote pumps at a rate
between 500 and 900 M3/hr. The level is managed by an operator who
uses the Automatic Tank Gauge (ATG) to tell him the level in the tank. He
can arrange that the remote feed pump is stopped when the desired level
is reached. A second operator is normally employed on the site and will be
on patrol in the 4 tank farms which have about 30 tanks in total. All
contain flammable materials. There are 4 tanks in a common bund with
T912. This bund is tested periodically for leaks. The site is on the edge of
a town and the nearest neighbours are office developments and light
manufacturing. These are occupied during the hours 08.00 to 18.00.
The ATG is fitted with a high level alarm set at 90% of tank capacity. If the
level rises beyond this, a second protection is provided by LSHH 912 set at
95% tank capacity. This is independent of the ATG and is designed to give
a separate alarm and trip the inlet valve on the feed to stop flow into the
tank. If this fails to function, liquid will spill onto the tank roof and cascade
to the bund floor. The capacity of the bund is 9000M3.
The tank is lined up and filled approximately 29 times per year and the
period of the year when it is being filled is 23% of the year.
Now define the hazardous scenarios and possible consequences
No. | Hazardous phenomenon | Possible consequence (fire, explosion, toxic exposure, environmental accident) | Hazard (injury, fatality, environment severity)

Initiating Events:
Control failures
Human Factor Errors

Case study 2: Xylene Storage tank

[Drawing: Case 2 PADDING/INERTING, storage of xylene in tank T-25 with LT and LSL; nitrogen control valve, vac set +5 mbar, press set +20 mbar; N2 at 10 mbar and N2 at 2 bar; vent; pressure/vacuum relief; fill line; MAWP = hyd. fill + 30 mbar.]

Xylene is offloaded from road tankers into an inerted storage tank (Max. All. W.P. 30 mbar hyd. full). When unloading takes place the tanker pump (rated at 150 l/min at 250 kPa) is connected to the fill line and the vent line from the tank is connected to the vapour space on the road tanker. When filling is complete, the vent line and the fill line are closed off so that the tanker may be disconnected safely.
The xylene is then used in the manufacturing process. It is transferred
using the pump located outside the tank bund/dike.
The nitrogen inert gas is provided from a service main via a self acting
spring control valve which is set to produce a pressure of 100mm w.g. If
pressure rises above 200 mm w.g. the Pressure/Vacuum control valve
relieves to atmosphere. If the pressure in the tank drops below 50 mm
w.g. the Pressure/vacuum relief valve opens to allow nitrogen from the
padding supply to enter the tank.
The tank is in a diked area capable of taking 110% of the tank volume.
The bund area is classed as zone 2 above grade. All below grade areas
(Drains etc.) are zone 1.

Now define the hazardous scenarios and possible consequences

No. | Hazardous phenomenon | Possible consequence (fire, explosion, toxic exposure, environmental accident) | Hazard (injury, fatality, environment severity)

Initiating Events:
Control failures
Human Factor Errors

Case study 3: A batch reactor.

Use the provided description to
(a) List possible scenarios for analysis by LOPA
(b) For each significant scenario, list possible initiating events
(c) For the most likely events, complete the LOPA analysis. Identify those cases that have gaps and suggest measures to close these.
Overall process description.
The plant drawing below shows a section of a batch plant that is dedicated
to a single production process. The stage carried out in the reactor, R201,
generates a solution of a sodium pyridinate by the controlled addition of a
chlorinated pyridine (Cl-Py) to a 20% caustic soda (NaOH) solution. The
process is exothermic and has to be carried out with care to avoid
excessive temperature and pressure build-up in the reactor as heat is
released from the reaction.

[Drawing labels for the batch reactor: R201 with steam in and condensate out, weigh, TE 201a, TE 201b, agitator A 201 with amps alarm, CV 201, VV 201, conservation vent, vent to scrubber, PSV 201, containment vessel V201, pump P 201 to esterification section, feed lines for pyridine compound (FT, flow), NaOH and water; valves marked f.c. and f.o. f.c. = fail closed; f.o. = fail open.]

The plant is housed in a production building in which there are several other process units. The process is manually controlled by an operator from a strengthened protected control room within the production building; there is always one operator present in the reactor building where there are other unit operations. For this particular system, all the main control valves can be directed from the control room; the vessel temperature is displayed (from TE201a) and the display from the weigh cells on R201 is used by the operator to control the additions. The flow rate for addition of Cl-Py is also displayed. There is a current amperage monitor on the agitator shaft with alarm which is available during the reaction stages. All these signals are channelled through the process controller (Basic Process Control System).
The temperature sensor, TE201b, provides an independent, hardwired alarm; it is set at 165 °C for this process. Pressure relief is from a single 4 relief valve, PSV201, to a containment vessel, V201. The relief pressure is set at 7 barg, the reactor design pressure. The steam to the jacket is taken from a 7 barg (170 °C) supply. There is no cooling water supply to the jacket. This is because the product plates out on cold surfaces and thus reduces heat transfer. A batch card is used to record the essential details of each batch.
Detailed process steps
1 Check the vessel is clean and empty and is at less than 110 °C. Check vessel settings (all inlet line valves closed; vent open; P201 off and valved off; agitator off; steam off).
2 Add 2000 kg of water; start agitator once blades are covered.
3 Pass steam to the vessel jacket with the temperature controller set for 150 °C.
4 Add 1250 kg of 50% caustic soda solution. The vent to scrubber line should be closed when the temperature reaches 110 °C.
5 The steam line is closed when the temperature reaches 150 °C (when the system pressure will be about 3.5 barg). Immediate addition of Cl-Py is started, causing the system temperature to rise due to reaction exothermicity.
6 2400 kg of Cl-Py is added under flow control from TE201a, set to maintain the system at 160 °C (when the pressure will be about 4.8 barg). The initial addition is at the maximum possible rate (40 kg/min) but will quickly throttle back to around 20 kg/min as the set temperature is approached.
7 When the addition is complete the mixture is stirred for a further 15 minutes to ensure complete reaction.
8 Cool vessel contents to 120 °C by opening up the vent condenser.
9 Stop the agitator; transfer the reaction mixture to the esterification section using pump P201.
10 When the vessel has cooled to below 110 °C, start another batch at step 1 (water addition).

Each batch takes about 4 hours and normally 5 to 6 batches are done each day on about 330 days per year.
Material and reaction properties
There are no flammable or vapour toxic hazards of concern. The caustic soda solutions are very corrosive to the skin. Both Cl-Py and the sodium chloro-pyridinate salt are mildly toxic. There is a risk of thermal burns from the reaction system and also from the Cl-Py lines which are heated to 100 °C by steam tracing.
All the raw materials are thermally stable to at least 400 °C.
Kinetic studies and adiabatic calorimetry have confirmed that the normal reaction is fast at the temperatures used (>150 °C) and that no other exothermic reactions occur. Under adiabatic conditions, the maximum attainable mixture temperature is 375 °C.
If the concentration of sodium hydroxide exceeds 20% at the beginning of the reaction stage, the exotherm will be slow to start with but will run faster at higher temperatures. Thus a significant shortage or absence of the water charge risks a reaction rate which could greatly exceed normal temperature limits.
The vessel, lines etc. are constructed from suitable materials and there are no corrosion problems.
Basis for safe operation
The main hazard is a runaway reaction in the vessel leading to overpressure and possible vessel rupture. This could occur by accumulation of unreacted Cl-Py in the reactor followed by uncontrolled mixing and reaction, or by starting the Cl-Py addition without any water present, i.e. the sodium hydroxide concentration would be too high. In the latter case the initial reaction would be very slow, with little temperature rise, so the Cl-Py addition would continue at the high initial rate.
These situations are prevented by:
1 The presence of water. This acts as a heat sink and ensures the correct sodium hydroxide concentration.
2 Continuous agitation with an amperage alarm on the agitator.
3 Maintaining the mixture temperature at 150 °C to 160 °C to ensure rapid reaction; this temperature is maintained by the exotherm without additional heating.
4 A maximum possible addition rate for Cl-Py of 40 kg/min. Uncontrolled addition at this rate will take the temperature to about 180 °C when the pressure in the reactor will cause the relief valve to lift. The relief valve is sized for this event with relief directed to a containment vessel and the vessel will not be overpressurised.
There are quality/yield issues if there is an imbalance in the required amounts of sodium hydroxide and Cl-Py but these do not give an injury hazard.
Tip: When considering the protection available: is the protection valid for all possible initiating events or process deviations?
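As an added example (not part of the handout), the four items of the basis for safe operation written as a pre-addition check that a BPCS sequence or a batch-card review could run before step 5. Charge quantities, the 20% NaOH limit, the 150 to 160 °C window, the 40 kg/min maximum and the closure of vent and steam come from the handout; the ReactorState record, the agitator-amps threshold and the use of the amps signal as a "running" indication are this example's assumptions.

```python
"""Charge check and Cl-Py addition permissive for reactor R201.

Added worked example, not part of the case study handout. It turns the
"Basis for safe operation" items into a check applied before step 5 (start
of Cl-Py addition). Charge quantities, the 20% NaOH limit, the 150-160 C
window and the 40 kg/min maximum come from the handout; the ReactorState
record and the agitator-amps threshold are this example's assumptions.
"""
from dataclasses import dataclass


def naoh_concentration(water_kg: float, caustic_kg: float,
                       caustic_strength: float = 0.50) -> float:
    """Mass fraction of NaOH after the water (step 2) and caustic (step 4) charges."""
    total = water_kg + caustic_kg
    if total <= 0:
        raise ValueError("nothing charged")
    return caustic_kg * caustic_strength / total


@dataclass
class ReactorState:
    """Snapshot of R201 just before Cl-Py addition (assumed record layout)."""
    water_charged_kg: float
    caustic_charged_kg: float
    temperature_c: float             # from TE201a
    agitator_amps: float             # from A201
    vent_to_scrubber_open: bool
    steam_valve_open: bool
    clpy_rate_setpoint_kg_min: float


def clpy_addition_permissive(s: ReactorState, agitator_min_amps: float = 1.0) -> tuple:
    """Return (permitted, reasons); each reason maps to one basis-of-safety item."""
    reasons = []
    conc = naoh_concentration(s.water_charged_kg, s.caustic_charged_kg)
    # Item 1: water present. A short water charge raises the NaOH strength above
    # 20%, the condition the handout links to a slow start and later runaway.
    if conc > 0.20:
        reasons.append(f"NaOH concentration {conc:.1%} exceeds 20%: water charge short or missing")
    # Item 2: continuous agitation, taken from the amperage monitor (assumed threshold).
    if s.agitator_amps < agitator_min_amps:
        reasons.append("agitator not running (amps below threshold)")
    # Item 3: mixture at 150 to 160 C so the reaction is fast and exotherm-sustained.
    if not 150.0 <= s.temperature_c <= 160.0:
        reasons.append(f"temperature {s.temperature_c} C outside the 150-160 C window")
    # Steps 4 and 5: vent closed above 110 C, steam closed at 150 C before addition.
    if s.vent_to_scrubber_open:
        reasons.append("vent to scrubber still open")
    if s.steam_valve_open:
        reasons.append("steam still on; close at 150 C before addition")
    # Item 4: never exceed the 40 kg/min maximum the relief valve was sized for.
    if s.clpy_rate_setpoint_kg_min > 40.0:
        reasons.append("Cl-Py rate setpoint above the 40 kg/min maximum")
    return (not reasons, reasons)


def addition_time_minutes(total_kg: float = 2400.0, rate_kg_min: float = 20.0) -> float:
    """Duration of the Cl-Py addition: 60 min at the 40 kg/min maximum,
    120 min at the throttled 20 kg/min rate."""
    if rate_kg_min <= 0:
        raise ValueError("rate must be positive")
    return total_kg / rate_kg_min
```

With the nominal charges the NaOH strength comes out at 19.2%, consistent with the "20% caustic soda" in the process description; with the water charge omitted it is 50% and the permissive refuses the addition.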

Now define the hazardous scenarios and possible consequences

No. | Hazardous phenomenon | Possible consequence (fire, explosion, toxic exposure, environmental accident) | Hazard (injury, fatality, environment severity)

Initiating Events:
Control failures
Human Factor Errors

Process Safety Performance Metrics

Incidents and Key Performance Indicators (KPIs)

Key issues = Process Safety Indicators and KPIs

Responsible Care codes in North America have always included a crude measure of Process Safety performance.
EPSC member companies have been providing Process Safety performance results as part of their North America Responsible Care programs (or reported performance results based on own metrics).
You can see from the following U.S. data that:
The trend indicates some challenges
There have been changes in the definitions which are aimed to capture more meaningful data
The industry is committed to disclosure of its performance

Process Safety

A process safety incident as defined by the Center for Chemical Process Safety is an unplanned event arising from the manufacturing process that results in a product spill, fire, explosion, or injury. By managing, tracking and reporting process safety incidents, Responsible Care companies can benchmark their performance and set goals for improvement. Responsible Care companies publicly report process safety incidents on an annual basis, surpassing government requirements. Responsible Care companies are working to make the industry even safer for our employees and communities.
ACC member companies operate 1,500 facilities nationwide and reported 254 process safety incidents in 2010, down from 531 in 1995. More than half of ACC members had no process safety incidents in 2010. In addition, of the reported 254 incidences in 2010, only 4 percent of incidents warranted a Severity Level of 1, according to ACC's Severity Rating Index.

[Chart annotation: New metrics system starts here]

Strengths, weaknesses and necessary changes

Major strength:
Good participation
Mandatory for American Chemistry Council members

Major weakness:
Reporting was simply based on numbers of incidents which met the standard definition

Changes:
Adjustments to thresholds for reporting
Severity assessment and reporting
Endorsed by American Petroleum Institute and Center for Chemical Process Safety (bodies which did the work of upgrade)
Published as a standard ANSI/API 754
Some early results show up in the previous graph and analysis follows.

US Data from ACC

[Chart: US data from ACC]

Sample of public reporting in U.S. (ACC website)

Columns (all for 2010): Company Name | Total # Incidents | Negligible Incidents | Level 4 Incidents | Level 3 Incidents | Level 2 Incidents | Level 1 Incidents

Rows shown: 3M; Afton Chemical Corporation; Air Liquide USA LLC; Air Products and Chemicals, Inc.; Akzo Nobel Chemicals Inc.; Albemarle Corporation; Anderson Development Company; Arch Chemicals, Inc.; Aristech Acrylics LLC; Arkema Inc.

Now in Europe

CEFIC has produced recommendations on collecting and reporting Process Safety Incidents as a Process Safety Performance Indicator; CEFIC took the specific European context into account (e.g. GHS, Seveso) and although the approach is in principle quite similar to the US approach, the reporting thresholds differ and results in one approach may not be compared with results in the other approach; EPSC expects to see efforts and progress towards future alignment
EPSC has produced a workbook tool (FERRET) which records and classifies incidents to the:
  CEFIC definitions
  API definitions
  Optionally to own company definitions
EPSC working group Process Safety Indicators is a platform for developing and sharing company experience; the focus has now shifted from lagging to leading indicators
In 2012 (Jan. 31st/Feb. 1st) a joint CEFIC/EPSC Experience Exchange event will be organized

Key Performance Indicators

Not just about measuring incidents
Can we find events or conditions which are precursors or potential causes of incidents?
E.g.
  Near misses and consequent learning experiences
  Deviations outside normal operating conditions
  Non conformance versus requirements and standards: audit results
  % overdues on inspections and maintenance schedules
  Process specific measures
  Training and Competence assurance
Excellent guidance in HSG 254 from U.K. Health and Safety Executive (part of course resources)

Human Factors and Changing perspectives

"If this was March 22nd 2005, the day before the explosion, and I was standing here addressing this audience the day before the explosion, my remarks to you would have been much different.

Changing perspectives (2)

... my confidence in the BP Group's safety culture, safety standards, safety management systems and safety audit programmes would have been evident. I'd have pointed to some statistics, for example, how in the previous five years the company had reduced its OSHA recordable injury rate by almost 70 percent and its fatality rate by 75 percent.

Changing perspectives (3)

I'd have argued that this positive trend reflected a concerted, systematic approach to safety. I'm sure I'd have mentioned how everyone working in a BP facility is empowered and expected to raise safety concerns and to stop work if they think conditions are unsafe.

Changing perspectives (4)

.. I would have described our efforts to continuously drive up safety standards regardless of our improving record. .. on March 23rd 2005 it became clear that none of this was enough."

John Mogford, 24 April 2006, Senior Group Vice President, Safety & Operations, BP, CCPS Congress

Methods for Human Error Assessment

The U.K. Health and Safety Executive has identified more than 70 methods
32 are relevant to Major Hazards
The next page lists some common ones and then we move into one of the simple accepted methods

Common methods for Human Factor (error) Assessment

Human Error Assessment and Reduction Technique (HEART)
Technique for Human Error Rate Prediction (THERP)
Success Likelihood Index Method (SLIM)
Tecnica Empirica Stima Errori Operatori (TESEO)

HRA Assessment

Using the Human Error Assessment and Reduction Technique (HEART)
  Pre-processed HRA method
  First published 1985
  One of 40 or so other HRA methods
  Based on Human Factors literature

HRA accuracies achieved so far

60-87% of all predictions within factor of 10 of true value over range 0.00001 to 1.0
Average 72% within factor of 10
Average 38% within factor of 3
Kirwan (1997)
cf. for Systems Reliability Assessments, 64% of predictions within factor of two, 93% within factor of four (Snaith, 1981)

After Kirwan, 1997

Understanding the method

Generic Task Types (GTT)
  Human reliability is dependent on the nature of the task being performed
  Under perfect conditions the associated level of reliability is fairly consistent
Error Producing Conditions (EPC)
  May degrade reliability

Generic Task Types (GTTs)

For example
  (A) Totally unfamiliar task, performed at speed with no real idea of the likely consequences of actions taken (0.55)
  (E) Routine, highly-practised, rapid task involving relatively low level of skill (0.02)
  (M) Miscellaneous task for which no description can be found (0.03)

Error Producing Conditions (EPCs)

38 EPCs described in HEART
Examples
  Unfamiliarity (x17)
  Time shortage (x11)
  Operator inexperience (x3)
  Unreliable instrumentation (x1.6)
Assessment of how important each is
Human Failure Scenario to Assess

Part of a procedure to establish the start up of a piece of plant:
Failure of Operator to establish rundown to tankage (set Splitter tower level control to Auto with 50% set point) prior to adding heat to Splitter

Human Reliability Assessments

Under normal conditions
Under conditions that can degrade human reliability

Failure to establish rundown (normal situation)

Generic Task Type
Task F: Restore or shift a system to original or new state following procedures, with some checking. This task is mission oriented and could include up to five discrete elements or actions, but would normally only involve one basic activity

Failure to establish rundown (normal situation)

Generic Task: Task F
Nominal Human Unreliability: 0.003

Failure to establish rundown (conditions affecting human reliability)

  Not following procedures
  No independent checking (e.g. supervisor)
  Unreliable instrumentation
  Impoverished quality of information (e.g. shift handover)
  Unclear allocation of function and responsibility
  Disruption of normal sleep cycles
  Operator inexperience
  Low workforce morale
Failure to establish rundown (conditions affecting human reliability)

Generic Task: Task F
Nominal Human Unreliability: 0.003

Error Producing Condition | HEART factor | Assessed proportion of affect (from 0-1) | Assessed affect
Procedures                | x2           | 0.8 | (2-1) x 0.8 + 1 = 1.8
Checking                  | x3           | 0.8 | (3-1) x 0.8 + 1 = 2.6
Instrumentation           | x1.6         | 0.4 | (1.6-1) x 0.4 + 1 = 1.24
Impoverished info.        | x3           | 0.2 | (3-1) x 0.2 + 1 = 1.4

Assessed nominal likelihood of failure: 0.003 x 1.8 x 2.6 x 1.24 x 1.4 = 0.024

Conditions affecting human reliability: uncertainty bounds

Generic Task: Task F
Nominal Human Unreliability: 0.003 (uncertainty bounds 0.0008 - 0.007)
Assessed nominal likelihood of failure: 0.003 x 1.8 x 2.6 x 1.24 x 1.4 = 0.024 (uncertainty bounds 0.0065 - 0.057)
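The HEART arithmetic tabulated above, as an added worked example (not the course's own tool or the HSL's code): each EPC's assessed affect is (multiplier - 1) x proportion + 1, the nominal unreliability for Task F is multiplied by all of them, and the uncertainty bounds scale by the same factor. It also ranks the EPCs by assessed affect and recomputes the HEP with one condition removed, which is the error reduction question asked on the following slides; the 1.0 cap on probabilities and the `mitigated` helper are assumptions added here, and the task catalogue is limited to Task F as quoted.

```python
# Added worked example (not the course's or HSL's code): HEART calculation for
# the "failure to establish rundown" scenario using the page's Task F values
# and the four tabulated EPCs. The cap at 1.0 and the mitigated() helper are
# additions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class GenericTask:
    """HEART Generic Task Type: nominal human unreliability and its bounds."""
    code: str
    description: str
    nominal_hep: float
    lower_bound: float
    upper_bound: float


@dataclass(frozen=True)
class ErrorProducingCondition:
    """An EPC as applied by the analyst: the HEART maximum multiplier from the
    published table and the assessed proportion of affect (0-1) for this task."""
    name: str
    max_multiplier: float
    proportion_of_affect: float

    def assessed_affect(self) -> float:
        """HEART weighting: (multiplier - 1) x proportion + 1."""
        if not 0.0 <= self.proportion_of_affect <= 1.0:
            raise ValueError(f"{self.name}: proportion of affect must be in 0-1")
        if self.max_multiplier < 1.0:
            raise ValueError(f"{self.name}: HEART multipliers are never below 1")
        return (self.max_multiplier - 1.0) * self.proportion_of_affect + 1.0


def heart_assess(task: GenericTask,
                 epcs: List[ErrorProducingCondition]) -> Dict[str, object]:
    """Multiply the nominal HEP by every assessed affect. A probability cannot
    exceed 1.0 (assumption: cap applied here); the uncertainty bounds are
    scaled by the same overall factor, as the page's table does."""
    factor = 1.0
    for epc in epcs:
        factor *= epc.assessed_affect()
    return {
        "factor": factor,
        "hep": min(1.0, task.nominal_hep * factor),
        "bounds": (min(1.0, task.lower_bound * factor),
                   min(1.0, task.upper_bound * factor)),
        "affects": {epc.name: epc.assessed_affect() for epc in epcs},
    }


def error_reduction_ranking(
        epcs: List[ErrorProducingCondition]) -> List[Tuple[str, float]]:
    """Rank EPCs by assessed affect, largest first: the top entry is the
    condition whose removal or weakening buys the most reliability."""
    return sorted(((e.name, e.assessed_affect()) for e in epcs),
                  key=lambda item: item[1], reverse=True)


def mitigated(epcs: List[ErrorProducingCondition],
              removed: str) -> List[ErrorProducingCondition]:
    """What-if helper (an addition): the EPC list with one condition removed,
    e.g. after independent checking has been reinstated."""
    return [e for e in epcs if e.name != removed]


# Task F, nominal HEP and bounds exactly as quoted on the page.
TASK_F = GenericTask(
    "F", "Restore or shift a system to original or new state following "
    "procedures, with some checking", 0.003, 0.0008, 0.007)

# The four EPCs from the worked table: HEART multiplier, assessed proportion.
RUNDOWN_EPCS = [
    ErrorProducingCondition("Procedures", 2.0, 0.8),
    ErrorProducingCondition("Checking", 3.0, 0.8),
    ErrorProducingCondition("Instrumentation", 1.6, 0.4),
    ErrorProducingCondition("Impoverished info.", 3.0, 0.2),
]


def rundown_assessment() -> Dict[str, object]:
    """The page's worked case: expected HEP 0.024, bounds 0.0065 - 0.057."""
    return heart_assess(TASK_F, RUNDOWN_EPCS)


if __name__ == "__main__":
    result = rundown_assessment()
    for name, affect in result["affects"].items():
        print(f"{name:20s} assessed affect {affect:.2f}")
    low, high = result["bounds"]
    print(f"Assessed HEP {result['hep']:.3f}  (bounds {low:.4f} - {high:.3f})")
    print("Error reduction priority:", error_reduction_ranking(RUNDOWN_EPCS))
    after = heart_assess(TASK_F, mitigated(RUNDOWN_EPCS, "Checking"))
    print(f"With independent checking restored: HEP {after['hep']:.4f}")
```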

A fundamental need

Task Analysis is a very important part of understanding the potential for HUMAN ERROR.
RG opinion suggests that the potential for most error reduction can be achieved by actually understanding what the operator needs to do
Make the right way the easy way, reducing the incentive to do it wrong or take short cuts

(Photo: Texas City)

Error Reduction

Can GTT be changed?
Relative importance of assessed proportion of affect of the EPCs
Cost-effective measures

Error Reduction (chart of the EPCs assessed): Inexperienced operator, Low morale, Checking, Sleep cycles, Unclear roles, Instrumentation, Procedures, Impoverished information

Summary

Explained why Human Reliability Assessment (HRA) is important
Explained how Human Error Assessment and Reduction Technique (HEART) works
Outlined key principles and evidence
Worked through some scenarios to aid understanding

HRA contribution from the HSL

Julie Bell and Jerry Williams
Health and Safety Laboratory
Harpur Hill
Buxton, SK17
julie.bell@hsl.gov.uk

Human Factors in PHA

Comments from a Refinery in U.K.

Re-engineering cut 150 jobs in early 1990s to reduce maintenance and other costs
Inadequate process safety metrics, so cut into the bone
Risk taking culture but insufficient safeguards in Process Safety Management (PSM) systems and the Asset Integrity organisation
After 2002 new Asset Integrity & PSM groups

Why human factors?

Increasing recognition of the significance of human factors in major incidents
UK HSE: 80% incidents due to human error
It is a matter of survival to avoid this happening again

Comments on human factors in a refining operation in the U.K.

PHAs/HAZOPs run by Engineers, some of whom do not appreciate human factors!
Many techniques developed in sectors such as nuclear and air where consequences are higher but complexity lower
We have 5000 operating procedure documents
That is equivalent to > 300,000 procedure steps
Estimated cost of over 10 million to apply detailed human factors techniques

The OSHA PSM Elements

Process Safety Information
Process Hazards Analysis
Mechanical Integrity
Management of Change
Operating Procedures
Employee Training
MOC
Contractors
Hot Work Permits
Employee Participation
Emergency Planning and Response
Incident Investigation
Compliance Audits
Trade Secrets

Process flow (diagram): HAZOP (human error scenarios) and HuFs Review (safety critical tasks, pre-screen risk ranking) feed the PHA risk ranking of scenarios (PHA). Post-PHA: PRA (Preliminary Risk Assessment), LOPA (Layers of Protection Analysis), QRA.

Human Factors in HAZOP

Human error as initiating event, e.g. closing a valve leading to no flow
Human error reducing effectiveness of safeguards, e.g. not responding to an alarm
Ultimate credible consequence with no safeguards
Frequency by order of magnitude calculation

How does it work?

The LOPA Onion (layers, outermost first):
  Community Emergency Response
  Plant Emergency Response
  Physical Protection e.g. Relief Devices
  Safety Instrumented System preventative action
  Critical Alarms and Operator intervention
  Basic Process Control System, Operating Discipline / Supervision
  Plant Design Integrity

What is acceptable?

Risk scale for Consequence 4 (single on-site fatality), from HIGH to LOW:
  unacceptable
  10^-3
  marginal
  10^-6
  broadly tolerable


PHA Human factors review of safety critical tasks

Human factors review identifies safety critical tasks in different modes of operation
Risk with existing safeguards is assessed
Ultimate consequence (3,2,1) - U (3 = severe)
Assessment of safeguards (3,2,1) - S
  3 poor system, few safeguards & significant incidents
  2 system not fully documented but mainly ok
  1 well documented and robust system, no incidents
Pre-screened risk is U x S
So a risk which is severe (3) and has poor safeguards (3) gets a score of 9 and is high priority

Lessons From the Columbia Disaster
Safety & Organizational Culture

2005 American Institute of Chemical Engineers
Presentation Rev_newv4_final as of 11_15_05

FEB 1, 2003 8:59 EST

Space shuttle Columbia, re-entering Earth's atmosphere at 10,000 mph, disintegrates
All 7 astronauts are killed
$4 billion spacecraft is destroyed
Debris scattered over 2000 sq-miles of Texas
NASA grounds shuttle fleet for 2-1/2 years
Columbia - The Physical Cause

- Insulating foam separates from external tank 81 seconds after lift-off
- Foam strikes underside of left wing, breaches thermal protection system (TPS) tiles
- Superheated air enters wing during re-entry, melting aluminum struts
- Aerodynamic stresses destroy weakened wing

A Flawed Decision Process

- Foam strike detected in launch videos on Day 2
- Engineers requested inspection by crew or remote photo imagery to check for damage
- Mission managers discounted foam strike significance
- No actions were taken to confirm shuttle integrity or prepare contingency plans

Seventeen Years Earlier

- January 28, 1986, the shuttle Challenger explodes 73 seconds into its launch, killing all seven crew members
- Investigation reveals that a solid rocket booster (SRB) joint failed, allowing flames to impinge on the external fuel tank

Challenger
- Liquid hydrogen tank explodes, ruptures liquid oxygen tank
- Resulting massive explosion destroys the shuttle

The Legacy of Challenger

- The Rogers Commission, which investigated the incident, determined:
  The SRB joint failed when jet flames burned through both o-rings in the joint
  NASA had long known about recurrent damage to o-rings
  Increasing levels of o-ring damage had been tolerated over time
  Based upon the rationale that "nothing bad has happened yet"
The Legacy continued

- The Commission also determined that:
  SRB experts had expressed concerns about the safety of the Challenger launch
  NASA's culture prevented these concerns from reaching top decision-makers
  Past successes had created an environment of over-confidence within NASA
  Extreme pressures to maintain launch schedules may have prompted flawed decision-making
- The Commission's recommendations addressed a number of organizational, communications, and safety oversight issues

Columbia - The Organizational Causes

- NASA had received painful lessons about its culture from the Challenger incident
- CAIB found disturbing parallels remaining at the time of the Columbia incident; these are the topic of this presentation
"In our view, the NASA organizational culture had as much to do with this accident as the foam." CAIB Report, Vol. 1, p. 97

Columbia Key Issues

- With little corroboration, management had become convinced that a foam strike was not, and could not be, a concern.
- Why were serious concerns about the integrity of the shuttle, raised by experts within one day after the launch, not acted upon in the two weeks prior to return?
- Why had NASA not learned from the lessons of Challenger?
Key Organizational Culture Findings

What NASA Did Not Do
1. Maintain Sense Of Vulnerability
2. Combat Normalization Of Deviance
3. Establish an Imperative for Safety
4. Perform Valid/Timely Hazard/Risk Assessments
5. Ensure Open and Frank Communications
6. Learn and Advance the Culture

Maintaining a Sense of Vulnerability

"Let me assure you that, as of yesterday afternoon, the Shuttle was in excellent shape, there were no major debris system problems identified." NASA official on Day 8

"The Shuttle has become a mature and reliable system about as safe as today's technology will provide." NASA official in 1995

Maintaining a Sense of Vulnerability

- NASA's successes (Apollo program, et al) had created a "can do" attitude that minimized the consideration of failure
- Near-misses were regarded as successes of a robust system rather than near-failures
  No disasters had resulted from prior foam strikes, so strikes were no longer a safety-of-flight issue
  Challenger parallel: failure of the primary o-ring demonstrated the adequacy of the secondary o-ring to seal the joint
- A weak sense of vulnerability can lead to taking future success for granted and to taking greater risks

Combating Normalization of Deviance

- After 113 shuttle missions, foam shedding, debris impacts, and TPS tile damage came to be regarded as only a routine maintenance concern
"No debris shall emanate from the critical zone of the External Tank on the launch pad or during ascent." Ground System Specification Book, Shuttle Design Requirements

Combating Normalization of Deviance

- Each successful mission reinforced the perception that foam shedding was unavoidable, either unlikely to jeopardize safety or an acceptable risk
  Foam shedding, which violated the shuttle design basis, had been normalized
  Challenger parallel: tolerance of damage to the primary o-ring led to tolerance of failure of the primary o-ring, which led to the tolerance of damage to the secondary o-ring, which led to disaster
"This history portrays an incremental descent into poor judgment." Diane Vaughan, The Challenger Launch Decision

Establish An Imperative for Safety

- The shuttle safety organization, funded by the programs it was to oversee, was not positioned to provide independent safety analysis
- The technical staff for both Challenger and Columbia were put in the position of having to prove that management's intentions were unsafe
  This reversed their normal role of having to prove mission safety

"When I ask for the budget to be cut, I'm told it's going to impact safety on the Space Shuttle. I think that's a bunch of crap." Daniel S. Goldin, NASA Administrator, 1994

Establish An Imperative for Safety

As with Challenger, future NASA funding required meeting an ambitious launch schedule
Conditions/checks, once critical, were now waived
A significant foam strike on a recent mission was not resolved prior to Columbia's launch
Priorities conflicted and production won over safety

(Image: desktop screensaver at NASA counting down to the International Space Station deadline, 19 Feb 04)

Perform Valid/Timely Hazard/Risk Assessments

- NASA lacked consistent, structured approaches for identifying hazards and assessing risks
- Many analyses were subjective, and many action items from studies were not addressed
- In lieu of proper risk assessments, many identified concerns were simply labeled as "acceptable"
- Invalid computer modeling of the foam strike was conducted by "green" analysts
"Any more activity today on the tile damage or are people just relegated to crossing their fingers and hoping for the best?" Email exchange at NASA
"... hazard analysis processes are applied inconsistently across systems, subsystems, assemblies, and components." CAIB Report, Vol. 1, p. 188
Ensure Open and Frank Communications

- Management adopted a uniform mindset that foam strikes were not a concern and was not open to contrary opinions.
- The organizational culture
  Did not encourage bad news
  Encouraged 100% consensus
  Emphasized only chain of command communications
  Allowed rank and status to trump expertise
"I must emphasize (again) that severe enough damage could present potentially grave hazards. Remember the NASA safety posters everywhere around stating, 'If it's not safe, say so'? Yes, it's that serious." Memo that was composed but never sent

Ensure Open and Frank Communications

- Lateral communications between some NASA sites were also dysfunctional
  Technical experts conducted considerable analysis of the situation, sharing opinions within their own groups, but this information was not shared between organizations within NASA
  A similar point was addressed by the Rogers Commission on the Challenger incident
- Management pushback can discourage, even intimidate, those seeking to share concerns.

Learn and Advance the Culture

- CAIB determined that NASA had not learned from the lessons of Challenger
- Communications problems still existed
  Experts with divergent opinions still had difficulty getting heard
- Normalization of deviance was still occurring
- Schedules often still dominated over safety concerns
- Hazard/risk assessments were still shallow
- Abnormal events were not studied in sufficient detail, or trended to maximize learnings

An Epilog

- Shuttle Discovery was launched on 7/26/05
- NASA had formed an independent Return To Flight (RTF) panel to monitor its preparations
- 7 of the 26 RTF panel members issued a minority report prior to the launch
  Expressing concerns about NASA's efforts
  Questioning if Columbia's lessons had been learned

An Epilog

- During launch, a large piece of foam separated from the external fuel tank, but fortunately did not strike the shuttle, which landed safely 14 days later
- The shuttle fleet was once again grounded, pending resolution of the problem with the external fuel tank insulating foam

Turning Inward - Our Industry -

Piper Alpha

- On 7/6/1988, a series of explosions and fires destroyed the Piper Alpha oil platform
- 165 platform workers and 2 emergency responders were killed
  61 workers survived by jumping into the North Sea

The Physical Cause

- It is believed that a pump had been returned to service with its discharge relief valve removed for testing
- The light hydrocarbon (condensate) that was released formed a vapor cloud and ignited
- The resulting vapor cloud explosion ruptured oil export lines and ignited fires on the platform

The Physical Cause

- Other interconnected platforms continued production, feeding the leaks on Piper Alpha
- Ensuing fires breached high pressure natural gas inlet lines on the platform
- The enormity of the resulting conflagration prevented any organized evacuation

The Organizational Causes

- The official investigation report, written by Lord Cullen, faulted the company's management of safety on Piper Alpha
- The confusion leading to restarting the condensate pump resulted from failures to adhere to the permit to work (PTW) system
  Daily monitoring and periodic audits had failed to identify the continuing dysfunction of the system

The Organizational Causes

- Inadequate shift turnovers failed to communicate the status of the pump to the oncoming shift
  Inadequate communications (and PTW system problems) had contributed to a fatality, and a civil conviction for the company, but remedial action had not been taken
- The diesel fire pumps were in manual and, after the explosion, could not be reached by staff seeking to start them
  A prior audit recommendation to stop this practice had not been implemented

The Organizational Causes

- Even if fire water had been available, many deluge nozzles were plugged
  The company had been trying to resolve this problem for at least four years, but repairs were behind schedule
- One year earlier, an engineering study had concluded that the gas risers were vulnerable and that a massive gas release could prevent successful evacuation of the platform
  Management had discounted the study results

The Organizational Causes

- Other problems that audits and management reviews had failed to identify and/or resolve included:
  Emergency response training given to workers new to the platform was cursory and often omitted. Some workers had not been shown the location of their life boat.
  Platform managers had not been trained on how to respond to emergencies on other platforms (e.g., when to stop production)
  Evacuation and emergency shutdown drills on Piper Alpha were not conducted according to schedule

Parallels to NASA and Columbia

- Each Piper Alpha organizational cause can be mapped to one or more of the NASA lessons
  Maintain Sense Of Vulnerability
  Combat Normalization Of Deviance
  Establish an Imperative for Safety
  Perform Valid/Timely Hazard/Risk Assessments
  Ensure Open and Frank Communications
  Learn and Advance the Culture

Flixborough

- On 6/1/1974, a massive vapor cloud explosion (VCE) destroyed a UK chemical plant
- Consequences:
  28 employees died and 36 were injured
  Hundreds of off-site injuries
  Approx. 1800 homes and 170 businesses damaged

The Physical Cause

- Approx. 30 tons of boiling cyclohexane released from reactor system
- Most likely release cause was the failure of a temporary piping modification
  Installed between two reactors
  Was a bypass for reactor removed for repairs

(Diagram of the temporary bypass; labels: 6, 20-inch bypass, 125 psi)

The Physical Cause

- Bellows not designed for 38-ton thrust
- Design standards for bellows ignored
- Inadequate pressure test of installation
- Inadequate vertical and lateral support for jumper

The Organizational Causes

- No qualified mechanical engineer on-site
- Inadequate concern with the cause of the reactor failure
- Jumper connection considered a routine plumbing job
  No detailed design for jumper

The Organizational Causes

- "Hurry up" attitude of management
  Overworked staff did not take time to properly analyze their actions

Parallels to NASA and Columbia

- Each Flixborough organizational cause can be mapped to one or more of the following NASA lessons
  Maintain Sense Of Vulnerability
  Establish an Imperative for Safety
  Perform Valid/Timely Hazard/Risk Assessments

Could this happen to us?

- Complacency due to our superior safety performance
- Normalizing our safety critical requirements
- Ineffective Risk Assessments of our systems
- Reversing the Burden of Proof when evaluating safety of operations
- Employees Not Speaking Freely of their safety concerns
- Business Pressures at odds with safety priorities
- Failure to Learn and apply learnings to improving our culture

(Template slides follow; optional: paste company logo here)

Title for Relevant Company Event

- Use this section to briefly summarize key aspects of the event
  Do not address causes here
  Add additional slides if required
- Paste photo related to event in space at right, if desired
  JPG files at 300 dpi provide adequate resolution
  If photo is not provided, drag right border over to expand this text box

The Physical Cause

- Briefly describe the factors that caused the event
  Do not address organizational factors here
  Add additional slides if required
- Add photo to the right, or expand the text box as desired/needed

The Organizational Causes

- Describe the organizational causes of the event
  Where feasible, lay a basis for parallels to the 6 NASA organizational culture findings
  Maintain Sense Of Vulnerability
  Combat Normalization Of Deviance
  Establish an Imperative for Safety
  Perform Appropriate and Timely Hazard/Risk Assessments
  Ensure Open and Frank Communications
  Learn and Advance the Culture

Parallels to NASA and Columbia

- If you feel that this would add to the emphasis of the message, include one or more slides that emphasize how your organizational causes relate to the underlying themes from Columbia
  Alternatively, you may want to leave this as an individual or group exercise for the audience

Indicators Of Organizational Culture Weaknesses

The following slides provide examples of indicators that your organization is ...

NOT Maintaining a Sense of Vulnerability

- Safety performance has been good and you do not recall the last time you asked "But what if?"
- You assume your safety systems are good enough
- You treat critical alarms as operating indicators
- You allow backlogs in preventative maintenance of critical equipment
- Actions are not taken when trends of similar deficiencies are identified.

NOT Preventing Normalization of Deviance

- You allow operations outside established safe operating limits without detailed risk assessment
- Willful, conscious violation of an established procedure is tolerated without investigation, or without consequences for the persons involved
- Staff cannot be counted on to strictly adhere to safety policies and practices when supervision is not around to monitor compliance
- You are tolerating practices or conditions that would have been deemed unacceptable a year or two ago

NOT Establishing An Imperative for Safety

- Staff monitoring safety related decisions are not technically qualified or sufficiently independent
- Key process safety management positions have been downgraded over time or left vacant
- Recommendations for safety improvements are resisted on the grounds of cost or schedule impact
- No system is in place to ensure an independent review of major safety-related decisions
- Audits are weak, not conducted on schedule, or are regarded as negative or punitive and, therefore, are resisted

NOT Performing Valid/Timely Hazard/Risk Assessments

- Availability of experienced resources for hazard or risk assessments is limited
- Assessments are not conducted according to schedule
- Assessments are done in a perfunctory fashion, or seldom find problems
- Recommendations are not meaningful and/or are not implemented in a timely manner
- Bases for rejecting risk assessment recommendations are mostly subjective judgments or are based upon previous experience and observation.

NOT Ensuring Open and Frank Communications

- The bearer of bad news is viewed as "not a team player"
- Safety-related questioning is rewarded by requiring the person who raised it to prove he / she is correct
- Communications get altered, with the message softened, as they move up or down the management chain
- Safety-critical information is not moving laterally between work groups
- Employees cannot speak freely, to anyone else, about their honest safety concerns, without fear of career reprisals.

NOT Learning and Advancing the Culture

- Recurrent problems are not investigated, trended, and resolved
- Investigations reveal the same causes recurring time and again
- Staff expresses concerns that standards of performance are eroding
- Concepts, once regarded as organizational values, are now subject to expedient reconsideration

Engineering By View Graph

- The CAIB faulted shuttle project staff for trying to summarize too much important information on too few PowerPoint slides
- We risk the same criticism here
- This presentation introduces the concept of organizational effectiveness and safety culture, as exemplified by the case studies presented
- This is only the beginning
"When engineering analyses and risk assessments are condensed to fit on a standard form or overhead slide, information is inevitably lost ... the priority assigned to information can be easily misrepresented by its placement on a chart and the language that is used." CAIB Report, Vol. 1, p. 191

Culture: General issues applying to Process Safety:

The degree to which the workforce feels empowered as to Process Safety and ownership of Process Safety;
The extent to which the workforce feels free to report safety related incidents, near misses, and concerns without fear of retaliation;
  o What is the near miss reporting system?
The Process Safety awareness, knowledge and competency of the workforce;
  o Is there a formal competency requirement for operators with a requirement for periodic revalidation?
Relationships and trust between different constituencies, including management and the workforce, management and contractors and contractors and the workforce
Whether deviations from policies are tolerated
The extent to which safety related information flows freely among all levels of the facility.
  o To what extent are operations people involved in the actual formal study of risk?
Whether the workforce has a shared belief that safety comes first, regardless of financial, scheduling or cost objectives
The extent to which the workforce is vigilant about process safety risks, continuously tries to reduce them and seeks to learn from incidents and near misses.
  o Does the workforce understand the process risks and the role they have in managing them or what can go wrong if they make a mistake?

Identifiable Safety Values

Supervisory involvement
Procedures and equipment
Worker professionalism/empowerment
Permit to work
Management of Change
Safe Operating Procedures

Corporate requirements for Process Safety (diagram)

Process Safety
Technical standards for equipment design and maintenance
Process Safety Management System
Corporate risk criteria (severity/frequency)
Process Hazard Analysis
Management System
Process Safety Training
Process Safety Incident or issue reporting: Generally there are legal requirements for reporting hazardous events and injuries. These do not always include releases or events where there were no reportable injuries or environmental insults.
Self Assessment and Audit process
A process for establishing Worst Case and Most Credible scenarios and their severity
Assessment of likelihood or frequencies for Worst Case and Most Credible scenarios
  Reactive Chemicals
  Fire
  Explosion
  Toxic release
  Static Electricity
  Electrical Hazard Zones
  Loss of Primary Containment
  Electrical Area Classification
Process Safety Reporting system: Lagging indicators; Leading Indicators; Incident follow up and closure
Self Assessment of facility practices versus Process Safety Requirements
Training which is graduated to be able to address needs at each operational level in the company. Is there a means of determining competence?
CCPS or API reporting systems designed to meet requirements of Responsible Care
Regulator expectations meeting legal requirements e.g. Seveso 2
"The safety report should show what measures are in place to ensure adequate performance by human operators, ..;"

Esso Longford Accident - What the judge said in his final judgement

"The ultimate cause of the accident on September 25 was the failure of Esso
to equip its employees with appropriate knowledge to deal with the events
which occurred."

Where competence fits

- Identification of safety critical tasks
- Refresher training
- Selection
- Competent trainers
- Training needs analysis
- Competence assessment

Why competence assessment?

Esso Longford Explosion - $1 billion class action

"The ultimate cause of the accident on September 25 was the failure of Esso
to equip its employees with appropriate knowledge to deal with the events
which occurred."

Why competence assessment?

- Is training effective?
- What have people learnt from experience?
- Have skills eroded?
- Have we been lucky so far? Has a lack of competence simply not yet led to
  an accident?
- Accidents waiting to happen? It is just a matter of time!

Regulatory inspector concerns

- Fail to identify safety critical tasks;
- Assume a person is competent because they're trained or experienced;
- Assessment focused on personal safety;
- Rely on unstructured on the job assessment;
- No criteria for assessing competence;
- Reliance on National Vocational Qualifications (NVQs):
  o Classroom based
  o No updating
- Lack of ongoing assessment;
- Reliance on untrained assessors.

What is competence assessment?

- Collecting evidence of abilities & performance
- Training and qualifications do not guarantee ability
- Ability = ability to apply knowledge & skills correctly

Examples from life

Real world and how it needs to change

Poorer examples
- No method for identifying safety critical tasks;
- No distinction between training and assessment;
- Reliance on on-the-job observation (without criteria);
- No re-assessment beyond annual line manager review;
- Rely on NVQs;
- No link to major accident prevention.

Better examples
- Systematic identification of tasks, e.g. task inventories;
- Operator technicians write operating instructions to be validated by
  technical supervision;
- Measurable performance standards, e.g. simulations of process deviations;
- Mix of simulation, tests & on the job review;
- Scheduled re-assessment, e.g. re-assess every 3 years;
- Trained assessors;
- Active involvement in PHAs, Self Assessments, Audits, HAZOPs, LOPAs.

Lessons from other sectors

Nuclear sector
- Competence assessment managed within the Suitably Qualified & Experienced
  Personnel process
- Each role has:
  o Grade & purpose of post;
  o Duties & performance criteria;
  o Underpinning knowledge, non-technical competencies & medical needs;
  o Training & reassessment frequency
- Specified level of supervision for persons with lower competence
- Assessment covers task performance & knowledge
- Assessed as competent or not yet competent

Aviation
- Aircraft specific licensing;
- Knowledge tests;
- 6 monthly simulation tests
- Crew Resource Management:
  o Measurable standards for interpersonal & cognitive competencies;
  o Assessment using behavioural markers by experienced assessors

A generic competence assessment framework for hazardous installations

A framework (reconstructed from the diagram):
1. Identify safety critical tasks
2. Define measurable performance standards
3. Select assessment method
4. Assessor needs
5. Re-assessment needs
6. Monitor performance outcomes & modify assessment

Identifying safety critical tasks

Could sub-standard performance contribute to a major accident? For example:
- Fail to detect a fault
- Wrong batch setting
- Wrong seal on a pump
- Slow response to a leak

Techniques:
- Task analysis
- What if & HAZOP
- Review of major accident scenarios

Define competencies & performance standards

A competence standard needs to:
- Provide a testable statement / description of a competence;
- Define measurable criteria for judging performance;
- Specify what level of performance evidence is required for a role,
  taking account of the individual's status (e.g. a supervised fitter versus
  an unsupervised technician);
- Reflect the type of competence in question, specifically skills versus
  knowledge versus behaviours.

Examples by type of competence:
- Skills: able to recall & follow a prescribed procedure 3 times without
  error
- Knowledge: able to explain a P&ID & state operating safety limits
- Attitudes & behaviours: acts on evidence of unsafe behaviours

The role of NVQs

A systematic method of collating on the job experience.

But:
- Too generic?
- What about rare tasks?
- Is the level of assessment proportionate to risk?

Select assessment method & level

The type of assessment method to be applied should take into account:
- The nature of the competencies: for example, are they manual skills or do
  they entail a high level of decision making?
- The complexity of the task and associated competencies;
- Whether the execution of the task is observable, e.g. the thinking entailed
  in the diagnosis of a process upset cannot be directly observed;
- Whether it is safe to assess performance on the job.

Level of assessment

Factors:
- Task complexity
- Process vulnerability to error
- Degree of supervision

Degree of assessment:
- Highest: licensing/certification
- Moderate: tests, qualifications & observation
- Lowest: on the job observation

Ongoing re-assessment

Frequency depends on:
- Safety criticality;
- Rate of skill erosion;
- People change;
- Learning experiences;
- Frequency of equipment / procedural change

Example of a competence profile for Process Safety
(Extract from "Who does what in Process Safety?"; see Course resources. The
table is reconstructed below as one block per role; its columns are Role,
Training, Trainer, As part of initial training, Duration/frequency and
Process Safety activities.)

Role: Operator
  Training:
    - Process Safety Management System basics: the PSM, Risk Matrix, HAZOP,
      LOPA; Worst Case Scenarios and safeguards for their process
      Trainer: Process Support Engineer or Process Safety Specialist
      As part of initial training: yes, plus 3 year refresh
      Duration/frequency: 2 hours, 3 yearly
    - Most Credible Case scenarios and safeguards for their process
      Trainer: Process Support Engineer or Process Safety Specialist
      As part of initial training: yes, plus refresh every year
      Duration/frequency: 1 hour, annual
    - Incident and KPI reporting and follow up system (root cause)
      Trainer: Process Support Engineer
      As part of initial training: yes, plus refresh every year
      Duration/frequency: 1 hour, annual
  Process Safety activities:
    - Member of HAZOP study teams
    - Job Safety Analysis writing
    - Reporting incidents, unsafe conditions, deviations and near misses as
      KPIs
    - Member of Root Cause Investigations

Role: Production support Engineer
  Training: Process Safety Management System basics: the PSM, PHA, Risk
    Matrix, HAZOP, LOPA, Fire, Explosion, Hazardous vapour dispersion,
    Mechanical Integrity, Process Safety Audit
    Trainer: Process Safety Specialist
    As part of initial training: yes, plus refresh every 3 years
    Duration/frequency: 1 day every 3 years
  Process Safety activities:
    - First level estimate of Fire, Explosion and Toxic vapour dispersion for
      consequence ranking
    - Lead HAZOP studies
    - Lead LOPA studies (verification by PSM specialist)
    - Above on PSM system requirement frequency (3-5 years)
    - Lead self Assessment of PSM at plant

Role: Technology Specialist
  Training (trainer for each item: Process Safety Specialist; each as part of
  initial training, plus refresh every 3 years):
    - Worst Case Scenarios and safeguards for their process (1 hour)
    - Most Credible Case scenarios and safeguards for their process (1 hour)
    - Incident and KPI reporting and follow up system (1 hour)
    - Electrical Area Classification (2 hours)
  Process Safety activities:
    - Coach users in the system
    - Carry out hazardous area classifications

Role: Process Safety Professional / Specialist
  Training: Process Safety Management System elements and tools: the PSM,
    PHA, Risk Matrix, HAZOP, LOPA, Fire, Explosion, Hazardous vapour
    dispersion (e.g. DNV PHAST), Hazardous Area Classification, Mechanical
    Integrity, Process Safety (PSM) audits
    Trainer: leader for company plus internal and external Subject Matter
    Experts
    As part of initial training: yes, plus refresh as a professional
    development plan
    Duration/frequency: development plan
  Process Safety activities:
    - Validate those items carried out by Production support Engineers (Fire,
      Explosion, Vapour dispersion)
    - Facilitate HAZOPs and LOPAs
    - Lead or carry out more sophisticated activity (vapour dispersion,
      frequency assignment, risk quantification)
    - Technical detail of PSM audit
    - Lead selected PSM audits

Process Safety Specialist Competence:

Experience: 3 years in one or more of the following roles:
- Production support Engineer
- Process Engineer
- Process Control Engineer
- Technology Specialist
- Project Engineer
- Production Manager

Educational Qualification: Bachelor degree in one of the following:
- Chemical Engineering
- Mechanical Engineering
- Control Engineering
- Electronic or Electrical Engineering
- Chemistry

Technical Expertise:
- Legal framework for Operation (Major Hazard Legislation)
- System elements and tools: the PSM, PHA, Risk Matrix, HAZOP, LOPA, Fire,
  Explosion, Hazardous vapour dispersion (e.g. DNV PHAST), Hazardous Area
  Classification, Mechanical Integrity, Process Safety (PSM) audits
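The refresh intervals in the competence profile above, together with the factors listed under "Ongoing re-assessment", are what a competence register has to track if the "competent / not yet competent" judgement and the re-assessment schedule are to mean anything. The following Python script is an added example, not part of the course material and not a Dow or EPSC tool; it assumes a constructed set of personnel records, a small table of refresh intervals copied from the profile, and a 90-day warning window of its own choosing. For each topic a role requires it reports whether the latest assessment is missing, "not yet competent", overdue, due soon or current, and derives from that whether the person is cleared for unsupervised work or still needs the specified level of supervision.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Refresh intervals in years per (role, training topic). The intervals are the
# ones given in the competence profile on this page; the mapping itself is
# this example's own data structure.
REFRESH_YEARS: Dict[Tuple[str, str], int] = {
    ("Operator", "PSM system basics"): 3,
    ("Operator", "Worst Case scenarios and safeguards"): 3,
    ("Operator", "Most Credible Case scenarios and safeguards"): 1,
    ("Operator", "Incident and KPI reporting and follow up"): 1,
    ("Production support Engineer", "PSM system basics"): 3,
    ("Technology Specialist", "Worst Case scenarios and safeguards"): 3,
}

# Assumption of this example: flag an assessment this many days before its
# refresh date so the re-assessment can be scheduled.
DUE_SOON_DAYS = 90

# Review date used by the sample run below (constructed).
REVIEW_DATE = date(2008, 6, 1)


@dataclass
class AssessmentRecord:
    topic: str
    assessed_on: date
    competent: bool  # False = "not yet competent" (the nuclear-sector wording above)


@dataclass
class Person:
    name: str
    role: str
    records: List[AssessmentRecord]


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February maps to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def required_topics(role: str) -> List[str]:
    """Training topics the profile requires for a role, in table order."""
    return [topic for (r, topic) in REFRESH_YEARS if r == role]


def latest_record(person: Person, topic: str) -> Optional[AssessmentRecord]:
    """Most recent assessment of a topic, or None if never assessed."""
    matching = [r for r in person.records if r.topic == topic]
    return max(matching, key=lambda r: r.assessed_on) if matching else None


def topic_status(person: Person, topic: str, today: date) -> str:
    """One of: missing, not yet competent, overdue, due soon, current."""
    rec = latest_record(person, topic)
    if rec is None:
        return "missing"
    if not rec.competent:
        return "not yet competent"
    due = add_years(rec.assessed_on, REFRESH_YEARS[(person.role, topic)])
    if today > due:
        return "overdue"
    if today + timedelta(days=DUE_SOON_DAYS) >= due:
        return "due soon"
    return "current"


def competence_report(person: Person, today: date) -> Dict[str, str]:
    """Status of every topic the person's role requires."""
    return {t: topic_status(person, t, today) for t in required_topics(person.role)}


def cleared_for_unsupervised_work(person: Person, today: date) -> bool:
    """Cleared only when every required topic has a valid, in-date assessment
    ("due soon" still counts); otherwise the specified level of supervision
    for persons with lower competence applies."""
    return all(s in ("current", "due soon")
               for s in competence_report(person, today).values())


# Constructed sample register (fictitious names and dates).
SAMPLE_PEOPLE = [
    Person("A. Operator", "Operator", [
        AssessmentRecord("PSM system basics", date(2003, 2, 1), True),
        AssessmentRecord("PSM system basics", date(2006, 3, 15), True),  # latest wins
        AssessmentRecord("Worst Case scenarios and safeguards", date(2004, 1, 10), True),
        AssessmentRecord("Most Credible Case scenarios and safeguards", date(2007, 8, 1), True),
        # no record at all for "Incident and KPI reporting and follow up"
    ]),
    Person("B. Engineer", "Production support Engineer", [
        AssessmentRecord("PSM system basics", date(2008, 1, 20), False),
    ]),
    Person("C. Specialist", "Technology Specialist", [
        AssessmentRecord("Worst Case scenarios and safeguards", date(2007, 1, 5), True),
    ]),
]

if __name__ == "__main__":
    for person in SAMPLE_PEOPLE:
        print(person.name, "cleared:", cleared_for_unsupervised_work(person, REVIEW_DATE))
        for topic, status in competence_report(person, REVIEW_DATE).items():
            print("   ", topic, "->", status)
```

Running the sample shows the operator with one topic overdue, one due soon and one never assessed, so not cleared; the engineer whose only assessment came back "not yet competent"; and the technology specialist whose single required topic is in date. A real register would also record the assessor and the evidence behind each judgement, since the page's point is that training attendance alone is not evidence of competence.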

Auditing Process Safety

Why we do it and ways of doing it.

Why do we audit?

We know from experience that a systematic approach to auditing is required
to ensure the adequate safety, health and environmental protection of
operations in the process industries. We have also learned from experience
that a management system, like any control system, will tend to deteriorate
with time or become obsolete as a result of changing standards, practices,
or organisation structure. To avoid degradation, a system must be monitored
and verified on a systematic basis. A robust management system should
therefore contain those checking functions as vital specific elements; see
for example Figure 1.

Figure 1 Management Auditing System (diagram not reproduced in this text)

Questions: the effectiveness of follow up and resolution/correction of
faults found.

What is an audit?

A process of independent, systematic examination to assess the extent of
conformance with defined standards and recognised good practice, and thereby
identify opportunities for improvement.

Important aspects are:
- independent: those carrying out the audit should be independent from those
  carrying out the audited activity. The degree of independence will be
  discussed later.
- conformance with defined standards: it has to be clear what the standards
  are against which an activity is being audited.
- assess: in some types of auditing the examination is clear cut and
  essentially requires answers to yes/no questions (e.g. as for much of
  financial auditing), but for much of SHE auditing the issues are not black
  and white and audits are really assessments of the extent of conformance,
  with gradations on a scale from zero to full.

Principles

- What we actually do (i.e. what is done on a day to day basis to operate the
  unit).
- What we say we do (i.e. the procedures for operation of the unit).
- What we should do (i.e. the relevant standards, guidelines and other good
  practice).

Visual principle (diagram not reproduced in this text)

Auditing Process Safety

A complete process safety management system has many elements ranging from
initial design and planning to daily maintenance tasks, each of which can be
a complex subject in its own right.

The skill set of an auditing team is of high importance when dealing with a
complex system such as this. Familiarity with the tasks and methods of
process safety management will allow an understanding of the purpose of the
audited standards, and so allow a more effective audit.

Process Safety Auditing

- The audit can address everything in the Requirements for the Process
  Safety Management System, or
- The audit can take account of other structured, validated and disciplined
  procedures, such as:
  o Inspections
  o Competent Authority Inspections (e.g. Seveso 2)
  o Formal Self Assessments against requirements

Self Assessment and Audit Pyramid (reconstructed from the diagram, top tier
first)

1. External Review
   By third party or regulator.
   3 year cycle for normal operations; may vary by risk or performance.
2. Audit to validate Self Assessment
   By Audit Team independent of the facility.
   Deep drill key items.
3. Self Assessment of conformance
   By trained Operations Self Assessors in facility.
   Rolling programme to achieve annual Self Assessment.
4. Assurance that baseline activities are being carried out
   By Operations.
   Daily or weekly checks of key items by Operations: Permit to Work,
   Management of Change, Job Safety Analysis, Task Observation programme,
   critical equipment inspection and testing, training.

What is the scope of the audit?

It needs to be stated:
- Occupational Safety
- Environmental
- Occupational Health/Industrial Hygiene
- Process Safety
- Security
- ..

These may be combined within a single EH&S audit (common with organisations
which have sufficient resources to handle a big audit programme, e.g. all
done in one week), or may be separated (common where a smaller organisation
may need to break the programme into manageable sections).

Typical Protocol for an audit

Prepare:
- 3 months: agree audit dates with audited facility leadership
- 2 months: select the Audit Team leader
- 2 months: select the Audit team to meet the scope of the audit
- 1 month: receive preparatory material for the audit team (for Process
  Safety, e.g. Process Description, Process Hazard Analysis, Self Assessment
  Results, ..)
- Activity for the Audit Team: familiarise with documentation and
  information from the facility

Audit team meets the audited facility for introduction:
- Production process explained
- All hazards discussed
- History of incidents
- EH&S management explained
- Major projects since last audit

Document review:
- Previous audit results and actions
- Self Assessment status
- Process Hazard Analysis (PHA) and equivalent for other topics in the audit
- Training
- Management of Change

Inspect the facility to become familiar with it.

Specialist auditors:
- Document review
- Verification of any self assessments done
- Deep drill subjects of:
  o High hazard
  o Impression gained from facility inspection
  o Recent incidents
  o Company initiatives
- Agree the true status of detailed findings with the facility specialist
- Interview the operators and maintenance team! (verification of what really
  happens)

Audit team meets to share initial findings:
- Positive impressions and features
- Non conformances versus company requirements
- Potential corrective actions
- Recommendations

Lead Auditor prepares a findings report for communication to the audited
facility leadership team.

Audit result communication meeting with facility leadership:
- Led by the Audit Team Leader
- Opportunity for response from facility leadership; may lead to agreed
  amendments
- No surprises later
- Outline action plan: what is to be done from the audit findings
- Schedule proposed by facility leadership
- Follow up and progress method

Final audit report to facility leadership and senior management within 2
weeks.

Auditor skills

Lead auditor: needs to be trained in audit techniques. This training is
available:
- Sometimes internally
- Sometimes from specialist companies, e.g. A.D. Little, ABB

Audit Team members: need to have specialist knowledge in the topic(s)
audited:
- General technical competence in Process Safety
- Basic knowledge of legal requirements
- Detailed knowledge of the company requirements for Process Safety
- Not normally involved in delivering Process Safety service to the audited
  facility

IAEA-TECDOC-743

ASCOT Guidelines
Guidelines for organizational self-assessment of safety culture
and for reviews by the
Assessment of Safety Culture in Organizations Team

INTERNATIONAL ATOMIC ENERGY AGENCY


The originating Section of this document in the IAEA was:


Safety Assessment Section
International Atomic Energy Agency
Wagramerstrasse 5
P.O. Box 100
A-1400 Vienna, Austria

ASCOT GUIDELINES
IAEA, VIENNA, 1994
lAEA-TECDOC-743
ISSN 1011-4289
Printed by the IAEA in Austria
May 1994

FOREWORD

In 1991 a Safety Series report on Safety Culture of the International Nuclear Safety
Advisory Group (INSAG) was published as 75-INSAG-4. This document represents probably
the most complete description so far of the safety culture concept along with its definition,
features and tangible manifestations.
Very soon after the publication of 75-INSAG-4, interest was expressed as to whether
it was possible to make an assessment of safety culture in a particular organization.
The difficulties of performing such a review should not be underestimated, since so much of the
required characteristics lie below the surface. Certainly any comprehensive checks on
equipment, documentation and procedures would not necessarily reveal the strength of safety
culture.

In order to properly assess safety culture, it is necessary to consider the contribution
of all organizations which have an impact on it. Therefore, while assessing the safety culture
in an operating organization it is necessary to address at least its interfaces with the local
regulatory agency, utility corporate headquarters and supporting organizations.
These guidelines describe an approach used in conducting an ASCOT (Assessment of
Safety Culture in Organizations Team) review. They are intended to assist the team members
in conducting their reviews and at the same time provide guidance to hosts preparing to
receive an ASCOT review. They may also be used by any organization wishing to conduct
their own self-assessment of safety culture, independent of an ASCOT review.

EDITORIAL NOTE
In preparing this document for press, staff of the IAEA have made up the pages from the
original manuscript(s). The views expressed do not necessarily reflect those of the governments of the
nominating Member States or of the nominating organizations.
The use of particular designations of countries or territories does not imply any judgement by
the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and
institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as registered)
does not imply any intention to infringe proprietary rights, nor should it be construed as an
endorsement or recommendation on the part of the IAEA.

CONTENTS

1. INTRODUCTION ............................................................ 7
   1.1. Background ......................................................... 7
   1.2. Options for an ASCOT review ........................................ 7
   1.3. Objectives of ASCOT reviews ........................................ 8
   1.4. Assessment method .................................................. 8
   1.5. Review schedule ................................................... 10
   1.6. Structure and application of ASCOT Guidelines ..................... 12

2. CONCEPTS AND ASSESSMENT OF SAFETY CULTURE ............................. 14
   2.1. Concepts .......................................................... 14
   2.2. Assessment ........................................................ 14

3. ASCOT GUIDELINES: SAFETY CULTURE INDICATORS AND QUESTIONS ............. 16
   3.1. Government and its organizations .................................. 16
        3.1.1. Government commitment to safety ............................ 16
        3.1.2. Regulatory agencies ........................................ 18
   3.2. Operating organization ............................................ 22
        3.2.1. Corporate level ............................................ 22
               3.2.1.1. Safety policy at the corporate level .............. 22
               3.2.1.2. Safety practices at the corporate level ........... 24
        3.2.2. Plant level ................................................ 25
               3.2.2.1. Highlighting safety ............................... 26
               3.2.2.2. Definition of responsibilities .................... 27
               3.2.2.3. Selection of managers ............................. 28
               3.2.2.4. Relations between plant management and regulators . 29
               3.2.2.5. Review of safety performance ...................... 30
               3.2.2.6. Training .......................................... 33
               3.2.2.7. Local practices ................................... 40
               3.2.2.8. Field supervision by management ................... 41
               3.2.2.9. Work-load ......................................... 42
               3.2.2.10. Attitudes of managers ............................ 42
               3.2.2.11. Attitudes of individuals ......................... 50
   3.3. Research organizations ............................................ 56
        3.3.1. Research input to safety analyses .......................... 56
   3.4. Design organizations .............................................. 59
        3.4.1. Codes for safety aspects of design ......................... 59
        3.4.2. Design review process ...................................... 60

APPENDIX I: CONTENTS OF AN ASCOT REVIEW REPORT ........................... 61

APPENDIX II: ASCOT ADVISORY SERVICE ...................................... 63

CONTRIBUTORS TO DRAFTING AND REVIEW ...................................... 67

1. INTRODUCTION

1.1. BACKGROUND
The International Nuclear Safety Advisory Group (INSAG), in its publication Safety
Series No. 75-INSAG-4, defines safety culture as follows:

"Safety Culture is that assembly of characteristics and attitudes in
organizations and individuals which establishes that, as an overriding
priority, nuclear plant safety issues receive the attention warranted by their
significance".

Safety culture was considered by INSAG to have two major components in its
manifestation: the framework created within which individuals work, and the attitude and
response of individuals.
INSAG took the view that although such matters as style and attitude are generally
intangible, they do lead to tangible manifestations which might be used to test what is
underlying.
INSAG also took the view that sound procedures and good practices are not fully
adequate if merely practised mechanically. This led to the proposition: safety culture requires
all duties important to safety to be carried out correctly, with alertness, due thought and full
knowledge, sound judgement and a proper sense of accountability.
In order to properly assess safety culture, it is necessary to consider the contributions
of all organizations that influence it. Therefore, in assessing safety culture in different types
of organizations, governmental, operating and supporting, it is necessary to consider at least
the local regulatory agency, the utility's corporate headquarters and the nuclear facility itself.
The ASCOT review is based on tours of facilities and discussions with the hosts'
personnel, at least at the regulatory agency, utility headquarters and at the plant. Most of the
time, however, should be spent at the plant.
These guidelines are based strictly on the Appendix of Safety Series No. 75-INSAG-4.
All the questions proposed in this appendix are addressed and they appear in the guidelines
as Basic INSAG Questions. As mentioned in the reference INSAG document they can be
expanded, and this has been done in this document through the Guide Questions. The Key Indicators
that follow are intended to illustrate what is considered a sound safety culture.

In short it can be stated that the ASCOT Guidelines are intended to test the safety
culture in an organization merely against the principles laid down in 75-INSAG-4 and in
particular against the indicators laid down in its appendix.
In a very few instances, the Basic INSAG Questions have been slightly modified, when
they were seen as promotion of the IAEA services. In all those cases the changes have been
clearly marked by insertion into parentheses.
1.2. OPTIONS FOR AN ASCOT REVIEW

The form the ASCOT review can take depends very much on the desire of a host
country. Basically there are three options or forms of an ASCOT review:

(1) The ASCOT review can be conducted as a stand-alone international service to a
Member State. The team would be composed of 3 experts, and would normally be of
1 week duration, so as not to be overly disruptive to the hosts' staff. During this time
period the review would interact with the majority of organizations contributing to
safety culture.

(2) The ASCOT review can be combined with other IAEA services such as ASSETs
(Assessment of Safety Significant Events Teams) or SRMs (Safety Review Missions).
In this case an ASCOT representative would join the team. This expert would be
dedicated to drawing conclusions on safety culture aspects from his/her own review
plus from the findings of other team members who would, while performing their usual
parts of the review, give additional attention to safety culture aspects.

(3) In the case where the host country would like to become familiar with the ASCOT
approach and its basic principles in order to conduct a self-evaluation of its
organizations, the transfer of methodology can be accomplished through the ASCOT
Advisory Service. It is envisaged that this service would involve two ASCOT experts
for two days, who would present the ASCOT approach in a workshop through a series
of lectures, discussions and exercises. These presentations could be accompanied by
special lectures by another in-house (IAEA) or outside consultant on specially selected
topics, which the host country would preselect.

1.3. OBJECTIVES OF ASCOT REVIEWS


ASCOT reviews are intended to assess the effectiveness of safety culture in the host
country based on principles and recommendations of Safety Series No. 75-INSAG-4. At the
same time the review will share experience or good practices and possibly offer suggestions
contributing to effective safety culture. This stand-alone ASCOT review is not an inspection
or an audit against set codes and standards but rather an opportunity to exchange experience
and views. It is at the same time an opportunity to disseminate good practices throughout the
nuclear community and to promote safety culture concepts.
If the ASCOT review is combined with another review (ASSET or SRM) the main
objective, which is reviewing the effectiveness of safety culture, would remain the same. The
conduct of the review would be altered to account for the fact that a single ASCOT
representative would co-ordinate the review of safety culture.

Where the Member State wants to conduct a self-assessment of the effectiveness of
safety culture, it is recommended that it requests the ASCOT Advisory Service. The main
objective of this service is to introduce and transfer to the individual country the ASCOT
methodology and share experience gained during ASCOT reviews and to provide other
information related to safety culture or the conduct of a self-assessment.
1.4. ASSESSMENT METHOD

The assessment method is based on consideration that safety culture is the assembly of
commendable attributes of any organization or individual contribution to nuclear plant safety.
The effectiveness can therefore best be assessed by addressing different groups of
organizations, governmental, operating and supporting.
The assessment of safety culture in a host country would normally begin with
discussions at the government/regulatory office. During these discussions, the
government/regulatory commitment to safety and their safety policy should be addressed. The
discussions at the government/regulatory offices will in general terms follow the questions
and items outlined in Section 3.1 of these guidelines.
After visiting the regulators, a visit to the corporate headquarters should be arranged,
where the corporate commitment to safety, its statement of safety policy and its interaction
with the plant are assessed. At the corporate level the discussion would be guided by the
questions outlined in Section 3.2.1.
The majority of the time is spent at the plant. The assessment begins with an initial
overview. Certain manifestations of safety culture are readily apparent on a walk-through of
the plant and an overview of the documentation. Plants which do not appear well kept are
likely to have areas where safety culture can be significantly improved. On the other hand,
a good overall impression from an initial walk-through may be a positive indication of
effective safety culture.
With these factors in mind, a practical assessment of safety culture should include an
initial walk-through and overview of documentation. The following list could be a starting
point:

Plant tour
Access control: efficiency, effectiveness,
General state of plant: leaks, lighting, labelling, etc.,
Housekeeping: rubbish, storage areas, cleanness,
Use of protective equipment: wearing of hard hats, ear protection and film badges, use
of warning notices, etc.,
Alert and watchful attitude of control room staff,
Availability of procedures and manuals: in control room and in plant.

Documentation overview
Log-books and associated documentation,
Records of operation and maintenance,
Number of plant defects and documentation amendments outstanding,
Existence of training programme for key safety related activities,
Availability of safety policies (company or corporate),
Consistency of safety policy with safety culture concept,
Plant policy on procedures and adherence to procedures,
Documents identifying key safety responsibilities,
Organizational charts,
Existence of corporate safety review committee including its agendas, its expertise and
the involvement of plant management.
Following the initial overview, the main conclusions on safety culture would be
established through discussions and interviews with personnel following the indicators and
questions underlined in the third part of this report.

The questions posed are deliberately open to invite discussion and explanation. The
actual question asked may need to be tailored to the job of the person being interviewed so
that it can be related to that person's practical experience. In each case notes are provided
to guide the reviewer so that supplementary questions can be asked if necessary. The key
indicators to safety culture are listed so that responses can be judged as indicative of safety
culture effectiveness. The guidelines avoid any type of scoring or numerical rating since the
objective is highlighting areas for improvement rather than comparing one plant with another.

The assessment team would concentrate their discussion and evaluation on individual
and collective attitudes and knowledge rather than the technical content of procedures and
systems.
In conducting interviews, the assessment team should keep in mind that the plant safety
culture should span conventional, radiological and reactor safety aspects. The respondents
might not always have these distinctions in mind; therefore the assessment team must use the
appropriate terminology to ensure that the respondent's answers cover all aspects of plant
safety.

Assessment report
At the end of an assessment the review team should prepare a concise report. The
contents of an ASCOT review report are outlined in Appendix I. The report will highlight
any areas in which safety culture could be strengthened. Where possible the report should
give specific suggestions that would guide the plant management in effecting such
improvements. The report should avoid any suggestion of grading, rating or comparison with
other plants since this is not seen as a constructive way of striving for improvement. On the
other hand the report should point out good practices which could be adopted by others to
achieve effective safety culture.
The ASCOT review should present and hand over to the host the draft report of the
assessment findings. The report will be treated as confidential until commented on by the
hosts, finalized by the ASCOT team and released by the host country.

1.5. REVIEW SCHEDULE

The schedule of the ASCOT review will be determined based on the option the member
country selects for the safety culture assessment.

Option 1: ASCOT review (stand alone)

To minimize disruption to the normal conduct of work of the organizations involved
the method takes into account a one week ASCOT review. During that period of time the
review typically addresses the approaches of all parties contributing to the safety culture of
the particular plant. A suggested work plan for the review would take the following form (not
necessarily in such order):

1/2-1 day: Governmental organizations/activities directly associated with the plant.
1/2-1 day: Operating organization corporate level policy on nuclear safety and safety
culture.
2-2 1/2 days: Operating organization/power plant level introductory familiarization with
items related to safety culture, plant tour. Power plant level specific aspects
contributing to plant safety culture. Individual discussions.
1/2 day: Finalizing the first draft of the report.
1/2 day: Final discussion with recipients of the review and exit meeting.
Presentation of the draft report.

The majority of activities and discussions will be conducted by the team as a whole.
To cover as many aspects as possible the specific items can be addressed by team members
individually. It is expected that following individual discussions the team members will
regularly exchange their findings and conclusions.

Option 2: ASCOT review combined with other IAEA reviews

In case where the safety culture review is combined with another IAEA review, the
duration is adjusted to the duration of that review (normally 2 or 3 weeks). The conduct of
the safety culture review would in that case be led by the ASCOT representative, who would
co-ordinate constant interactions with other team members. As information on safety culture
could be obtained directly or indirectly from each area of the other review, reviewers will
receive a briefing and training specific to the needs of safety culture assessment.
The specific areas of review in organizations which are not initially included in the
scope of the review activities will be covered by the ASCOT representative. In this context,
the ASCOT representative would in addition to the exchange of information with other
reviewers independently concentrate on interviews with, for example, corporate personnel,
and government or regulatory organizations.
Option 3: ASCOT Advisory Service

When a Member State decides to conduct a self-assessment of safety culture it is
recommended that it requests the Agency for assistance in the form of the ASCOT Advisory
Service.
In preparing for the ASCOT Advisory Service, the host country participants should be
provided with and have familiarized themselves with both IAEA Safety Series Report
No. 75-INSAG-4 and the ASCOT Guidelines prior to the visit. Likewise, the ASCOT representative
should be familiar with any special aspects of the host country's regulatory system, the utility
and the utility's supporting organizations that might warrant special consideration during the
ensuing discussions.
The lectures, discussions and exercises would include the following topics:

(a) Assessment of safety culture
- Concept of safety culture,
- Examples of safety culture good practices,
- Creation of safety culture framework,
- Assessment of safety culture,
- Questions and key indicators.

(b) Examples of subjects of special interest
Basic Safety Principles, International Nuclear Event Scale, ASSET Highlights, The
Safety of WWER and RBMK NPPs, Use of PSA for Safety Enhancement, etc.

Further details of these topics and their presentation are provided in Appendix II.

1.6. STRUCTURE AND APPLICATION OF ASCOT GUIDELINES

In order to determine the effectiveness of safety culture at a plant it is necessary also
to cover those organizations which have a significant impact on the activities and decision
making in the utility. These include, but may not be restricted to, the governmental agencies,
corporate management and support organizations. No strict rules are set down for coverage
of these organizations; however, it is probable that responses from the utility will require that
corroboration or explanation be sought from them. It is likely that these bodies are located
at a considerable distance from the plant and in this event a representative from each may
be able to provide the required information during the reviewers' plant visit. Whichever way
the contacts are made, it is essential that a clear idea is formed by the team from sustained
discussions.
Bearing in mind that other IAEA services cover more tangible aspects of safety, the
ASCOT should examine those factors such as attitudes, morale, motivation and commitment
to safety which usually are not considered by direct examination. The objective of ASCOT
is to gain insight and understanding of perceptions and experiences contributing to or
detracting from optimum safety performance. To gather this type of information it is
necessary to collect a representative sample of opinions, facts and perceptions from the plant
staff and related entities. Care must be taken to select sufficient sources of information within
the time-scale set for the ASCOT. This requires full co-operation of all parties involved.

Once at the plant and following a site visit and documentation overview, team members
will schedule their time and commence structured discussions with nominated staff and
managers. The ASCOT Guidelines set out sample questions and suggested lines of enquiry
which are intended to lead the team members or other reviewers along the path to
determining attitudes and perceptions which influence safety culture.
Each section of questions in the guidelines is labelled with prefixes as per the following
table denoting the levels and organizations to be covered by specific areas of questioning:
I Individual (applies to power plant only below managerial level).
M Management (applies to power plant only above individual level).
C Corporate (utility headquarters).
R Regulator/Government (Licence regulator).
S Supporting organizations (Research/design).

These are recommended areas of enquiry and may be permutated to suit the individual
ASCOT review.

ASCOT members must collect responses from each level and gather corroborative or
alternative information to construct an accurate impression of the situation. Questions are to
be developed ad hoc by the team to ensure that facts and statements are valid. During this
process appropriate notes must be taken. At regular intervals the team members will compare
notes and will then develop a strategy for covering outstanding areas of the assessment. The
team would further hold regular meetings with the hosts throughout the review to apprise
them of any salient points prior to the final draft report being presented.
Each section of the ASCOT specific guidelines contains a key indicators listing. These
are for the guidance of team members or other examiners in highlighting key areas of safety
culture assessment. The list is not exhaustive and has essentially been restricted to key words
or phrases indicative of effective safety culture. Successive reviews may add to these key
indicators with the aim of developing a more comprehensive set of references which will
assist in the strengthening of safety culture. Team members should avoid pursuing a narrow
line of questioning and must encourage free discussion and voluntary statements from those
being interviewed.

2. CONCEPTS AND ASSESSMENT OF SAFETY CULTURE


2.1. CONCEPTS

Safety Series No. 75-INSAG-4 identifies a multilayered approach to safety culture. It
is the assembly of characteristics and attitudes, from government right through to the
individual on the plant, that makes possible a culture which gives safety issues the attention
warranted by their significance. Government and Regulator provide the necessary statutory
safety framework. The organizations that designed and built the plant as well as those who
provide technical support also have a large impact on the safety performance of the plant in
operation. The operating utility will also formulate policy on safety matters. The plant must
then work within these externally set boundaries. 75-INSAG-4 makes it clear that safety
culture is mostly about the performance of individuals but within an environment which is
heavily influenced from outside the plant itself. Therefore an effective assessment of safety
culture must also consider the organizations external to the plant.
Safety culture is a necessary characteristic to achieve safety in nuclear installations and
as such it has to be possible to assess its status in order to improve it and maintain it at
optimum level. This assessment has to be consistent with the general trend in the operation
of a specific plant, in such a way that the existence of operational safety problems could be
traced back to safety culture problems. However, it is prudent to anticipate and try to identify
indicators that will give a warning before the problem occurs. These indicators will not
"measure" the safety culture of a specific organization but rather indicate the need for a
"fault finding" process to improve some of the different contributors to safety culture. This
process is very specific to each organization and should relate the different influences in a
similar way as described previously.

In order to obtain a methodology to assess or improve the knowledge of safety culture
at a specific plant, efforts have to be made to relate attributes and concepts to facts connected
with the operation of the plant. This correlation, when feasible, will provide a basis for
judging the effectiveness of safety culture in specific cases. This will clearly benefit the
understanding of safety culture principles, which are generally not tangible.

2.2. ASSESSMENT

The biggest problem for anyone undertaking a review of safety culture is how to
identify, within a short period, the tangible evidence of an essentially intangible concept. It
can be done but needs careful scrutiny that goes beyond the mere checking of documentation
and review of management systems. It requires collection of information which can then be
related to the characteristics of safety culture listed in 75-INSAG-4. This relationship is not
easy to identify and often is not unique. For example an attribute or concept usually affects
several facts and it is difficult to establish the degree of influence that different concepts have
on a measurable fact.
Take for example the question of audits. This activity spans many of the layers
previously mentioned. Most plants have a technical audit programme. Usually, the
requirement for audits comes from corporate or even regulatory level. Audits are very often
concerned with checking safety related practices. At the purely documentary level, it is quite
straightforward to look at the audit programme, reports from audits done and clearance of
any corrective actions that have resulted. However, in terms of safety culture there are many
other aspects which can be assessed:
(1) Do those being audited consider their auditors to be technically competent?
(2) Do managers show support for the audit to their staff? Do they explain the need for
audits? Do they make their own time available for briefings with the auditors?
(3) Is the audit report communicated to the relevant staff, particularly those who actively
participated?
(4) Are any corrective actions identified by the auditors keenly debated and, once accepted,
enthusiastically taken?
(5) Do auditors praise good practice and is such praise passed on?
By finding the answers to these questions it should be possible to get an understanding
of whether audits are mechanically carried out to fulfil policy or regulatory requirements; or
used in addition as a tool to stimulate interest and promote active participation in safety
matters. The latter would be a stronger indication of safety culture.

Another important safety culture indicator is the willingness to strive for improvements.
No plant management should consider that there is no scope for improvement when it comes
to safety; this would be complacency. The tendency to question current systems and seek
improvement, along with management support and commitment for the process, is an
indication of safety culture. The following is a list of possible areas which could be checked
for improvement programmes (the list is not exhaustive):
(1) Training: Increasing the time allocated, number of people being trained. Improving the
quality of training or improving systems of qualification that are aimed at checking that
competence is the result of the training given.
(2) Technical improvements: These could be improving the quality of procedures or
introducing new safety assessment methodologies.
(3) Trying to anticipate problems: It is widely accepted that for every serious safety
incident there are a large number of 'near misses'. Programmes aimed at reporting and
learning from 'near misses' are good safety practice.
(4) Plant and operational improvements: These can be very wide, ranging from actual plant
modifications (which should be strictly regulated) to improvements in the working
environment.
(5) Development of indicators: It is often said that what cannot be measured, cannot be
managed. Many plants use a variety of indicators, some safety related. None of these
are perfect, but they can be used to indicate the trend in safety performance.

The questions of audits and improvement programmes discussed above are examples which
show how the ASCOT methodology can obtain real indications of safety culture that would not be
identified by checking only the existence of and adherence to procedures. These concepts and
methods should be borne in mind when posing the questions contained in the next section.


3. ASCOT GUIDELINES:
SAFETY CULTURE INDICATORS AND QUESTIONS

These guidelines are based on the Appendix of Safety Series No.75-INSAG-4. All the
questions proposed in this appendix are addressed but as mentioned in the reference
document they can be expanded. It could be difficult to use all these in the available time.
Selection of particularly significant items should be done through ASCOT team discussion.
3.1. GOVERNMENT AND ITS ORGANIZATIONS

3.1.1. Government commitment to safety

Within the safety culture framework the influence of government and its legislation
forms a critical basis from which regulatory policy, funding and public notification are
determined. The following questions and key indicators provide a framework wherein an
understanding of the prevailing situation may be formed. Other areas of enquiry may present
themselves during the discussion with governmental representatives and these should be
pursued if they affect plant operation. Opportunity to corroborate or clarify information
gained elsewhere must be taken; however, the primary objective of highlighting good
practices and promoting plant safety must not be forgotten. It will be advantageous to request
and study the relevant legislation prior to the ASCOT review.

Q1 (CMR)
Basic INSAG Questions: Is the body of legislation satisfactory? Are there any undue impediments
to the necessary amendment of regulations? Do legislation and
government policy statements emphasize safety as a prerequisite for the
use of nuclear power? Are there any instances of undue interference in
technical matters with safety relevance?
Guide Questions:

- What is the mechanism and how long does it take to make changes to
your nuclear legislation?
- What is the scope of the government regarding the control and
administration of nuclear power? Is the authority and responsibility of
the regulatory agency clear and understood by all parties? Are
communication lines between government, regulatory agency and
utilities well defined?
- What are the experience and qualifications of the regulatory agency
management? What are the selection criteria? Are periodic audits
considered?
- What role of the regulatory agency in the construction and operation
of nuclear plants is defined in the legislation?
- What is the regulatory agency's responsibility for assessing design
safety standards and proposed designs as part of the licensing procedure?
- What is the process for granting a licence to build and operate an
NPP in your country?
- How is the assessment of the safety level of nuclear plants carried
out?
- What design and operational safety documentation is required by the
regulatory agency for its assessment as part of the licensing process?
- How are the regulatory agency technical and administrative
requirements documented relative to the design, construction,
commissioning and operation of nuclear plants?
- How are the regulatory agency's enforcement rights defined in the
legislation? In the case of a dispute between the regulator and the
utility what is the method of resolving matters? Has this happened?
- What is the government's policy on safety versus electricity
production? What is the division of responsibility for these activities
in the country?

Key Indicators:

- Clear, concise statements with adequate emphasis on safety as a
prerequisite.
- Feedback from staff and regulators on non-interference with safety
matters.
- There is an independent supervising regulatory agency with enough
manpower and with necessary enforcement rights, defined in the
legislation.
- The regulatory agency has safety standards and/or instructions which
show its supervisory practices in sufficient detail.
- The regulatory agency periodically assesses the safety of nuclear
plants against well defined safety standards.

Q2 (CMR)
Basic INSAG Qs: Have budgets for regulatory agencies kept pace with inflation, with the
growth of the industry and with other increased demands? Is funding
sufficient to allow the hiring of staff of adequate competence? Does the
government provide adequate funding for necessary safety research? Are
the research results made available to other countries?

Guide Questions:

- Do you have a full staff complement?
- What has been the pattern of budgets to actual allocations over the
past five years?
- How is your regulatory body funded?
- What happens to the funding allocation when unexpected events
demand more money from the government?
- Do you gather any funds from providing research results to other
countries?
- How does a change of government affect the regulatory body and the
nuclear legislation?

Key Indicators:

- Adequate staffing levels and low turnover of qualified staff.
- Documented research results and plans for concerted research into
areas of safety concern.
- Positive trends of funding for research organizations.
- Research and technical exchange visits with other countries or
agencies.

Q3 (R)
Basic INSAG Qs: How free is the exchange of safety information with other countries?
Does the country support relevant international activities [such as] the
IAEA Incident Reporting System (IRS), the Operational Safety Review
Teams (OSART) and Assessment of Safety Significant Events Teams
(ASSET) programmes?
Guide Questions:

- With whom do you exchange safety information around the world?
- How does the country support affiliation to international organizations
such as IAEA, INPO, WANO, owners' groups, etc.?
- Do you have access to nuclear industry information on a regular
basis?
- Which sources do you access?
- What restrictions are there on dissemination of nuclear power plant
data?

Key Indicators:

- Participation in international programmes and established systems for
data collection and analysis.
- Frequent visits to other countries.
- Existence of exchange programmes.
- Literary search facilities for staff.
- Publications from research staff.

3.1.2. Regulatory agencies

Regulatory requirements vary significantly from country to country and it is difficult
to generalize; however, the following questions and key indicators are designed to elicit
responses which will assist the team in determining the effect of the regulator on the plants'
safety performance. Care must be taken not to evaluate or compare the regulatory style with
that in other countries. The safety culture should be well developed in the regulatory
organization and its staff and should be set out in its own policy statements. A strong
commitment to implement legislation and to act to promote plant safety and the protection
of individuals, the public and the environment are the essential attributes of a positive
regulatory safety culture. The influence of the regulator at corporate and plant levels of the
utility is to be determined within the constraints of questioning, discussion and overview of
documentation, and not simply on intuitive feelings. Where the regulatory body is
being assessed separately from the plant, emphasis should be placed on the national and
social constraints governing the regulatory authority. Elements of the plant questions may
also be adapted to the regulatory body as a stand alone review, the objective still being the
same, to assess the safety culture.

Q1 (RCM)
Basic INSAG Qs: Are regulatory safety objectives annunciated clearly, meaningfully and
so that they are neither too general nor too prescriptive? Do they permit
a proper balance between innovation and reliance on proven techniques?
Guide Questions:

- What problems have been experienced with the application of the
regulatory requirements?
- How are the authority and responsibility of the regulatory body
understood by the plant?
- How is the scope of activities defined?
- Do you feel they are too restrictive? Too loose?
- What changes would you like to see to the regulatory conditions?

Key Indicators:

- Clear understanding and acceptance by the plant staff of regulatory
requirements.
- Positive feedback from corporate and plant staff on application of
regulatory conditions.

Q2 (RCM)
Basic INSAG Qs: Are comments on regulatory requirements sought from competent
bodies? Have such comments been taken into account frequently enough
to encourage future comments?
Guide Questions:

- What system is there for gathering comments on regulatory issues?
- How often have you commented on regulatory requirements? To what
effect?
- What is the basis of the regulatory policy?
- How is it validated?

Key Indicators:

- Documented and established review system for comments and inputs
from other bodies.

Q3 (R)
Basic INSAG Q: Is there a predictable and logical process for dealing with issues that
require a consideration of both safety and economic factors?
Guide Questions:

- What is the process for handling issues of safety and commercial
considerations? Is it well understood? Where is it documented?
- Is the regulatory body able to halt production unilaterally if safety is
threatened? Has this ever happened?

Key Indicators:

- Regular third party review of regulatory requirements.
- Published comments on regulatory legislation.

Q4 (RCM)
Basic INSAG Q: What is the record of project delays or loss of production due to lack of
clarity of regulatory requirements or lack of timely regulatory decisions?
Guide Questions:

- How many delays have been incurred at the plant due to regulatory
constraints?
- What avenues of appeal does the utility have in the event of delays by
the regulator?

Key Indicators:

- Positive feedback from utility staff on regulatory incurred delays.
- Effective regulatory policy on minimizing delays and reviewing
submissions.
- Regular meetings of utility and regulator to address safety issues.
- Site representation of regulator and established call-out system.

Q5 (R)
Basic INSAG Q: Are regulatory practices generally consistent with the objectives of the
IAEA's Nuclear Safety Standards (NUSS) Programme?
Guide Questions:

- On which model did you base your regulatory system?
- What differences, if any, are there between your regulatory practices
and those of the IAEA (NUSS)?

Key Indicators:

- Good correlation between IAEA (NUSS) and regulatory requirements.

Q6 (R)
Basic INSAG Q: Is there an education and training programme for regulatory staff?
Guide Questions:

- What is the recruitment programme content regarding qualifications
and experience for new regulatory body staff?
- What is the content and length of the training programme? Does it
address nuclear safety principles, plant knowledge, inspection skills,
on the job training?
- How do you keep your regulatory staff up to date with nuclear safety
and technology and plant experiences?

Key Indicators:

- Established education and training programme.
- Audited and regularly revised training standards for staff.
- Availability and use of international documents, periodicals, etc.
- Attendance at recognized courses, e.g. at the IAEA.

Q7 (R)
Basic INSAG Q: Does the regulatory agency participate actively in relevant international
activities?
Guide Questions:

- What is your programme for participation in international conferences
on nuclear matters?
- How are foreign visits planned, motivated and approved? Who is
allowed to go abroad?
- How is the regulatory body funded?

Key Indicators:

- High profile in international activities.
- Publication of papers and presentations at recognized meetings.
- Participation in international safety reviews.

Q8 (RCM)
Basic INSAG Qs: Are reports on important safety problems published routinely by the
regulatory agency? Does the regulatory agency periodically publish a
summary review of the safety performance of plants?
Guide Questions:

- How do you ensure that important safety issues are made available to
other plants, countries and the public?
- What is the regulatory policy on the publishing of plant safety
performance data?
- What are the arrangements for timely notification and dissemination
of information in case of incidents and accidents?

Key Indicators:

- Regular safety reports published.
- Programmes established for gathering plant safety data and trending
of results for dissemination.

Q9 (RCMI)
Basic INSAG Qs: What is the nature of the relationship with licensees? Is there an
appropriate balance between formality and a direct professional
relationship?
Guide Questions:

- What would you consider to be the status of the regulator in the eyes
of the utility?
- What level of co-operation exists between the regulator and the plant?
- How could the regulatory body improve its image at the plant?

Key Indicators:

- Positive feedback from plant staff on regulatory interfaces.
- Regular interactive meetings established with utility staff.
- Professional and informative reports available.
- Acceptance of comment from the utility.

Q10 (RCMI)
Basic INSAG Qs: Is there mutual respect between the regulatory staff and the operating
organization based on a common level of competence? What proportion
of regulatory technical experts have practical operating or design
experience?
Guide Questions:

- Are you able to discuss matters at the plant on a common technical
basis?
- How is the opportunity to work for the regulatory body viewed by
plant staff?

Key Indicators:

- Positive feedback from plant staff on regulatory competence.
- High proportion of plant experienced staff and design personnel.
- Established and effective reviews by regulatory staff.

Q11 (RCM)
Basic INSAG Q: Is there regular joint discussion of the licensees' experience and
problems and the impact of regulatory activities on these?
Guide Questions:

- How often do the regulator and utility meet to discuss requests for
changes in regulatory requirements?
- At which stage do the regulator and utility meet to discuss requests
for changes in regulatory requirements? To what extent are
Emergency Planning and Accident Management issues adequately
considered as part of the Nuclear Safety Programme?

Key Indicators:

- Regular meetings on problems with the utility.
- Established group on licensing and regulatory activities.
- Recognized routes for plant/regulator interactions.
- Existence of an independent methodology for resolution of concerns
and safety issues.

Q12 (RCM)
Basic INSAG Q: To what extent does the regulatory agency rely on the internal safety
processes of the operating organization?
Guide Questions:

- What is the philosophy of the regulatory body regarding the ability of
the utility to control its own safety?
- How much of the plant's information is readily available to the
regulator?
- How much control does the regulator impose on the utility?
- What are the scope and detail of inspection activities the regulatory
agency applies to nuclear plants?

Key Indicators:

- Regulatory requirements include adequate safety processes,
independent of the plant or operating organization.
- Establishment of regulatory controls to assure the adequacy of the
plants' internal safety processes.
- Regular on-site checks and evaluations of plant safety processes.

Q13 (RMI)
Basic INSAG Q: What are the nature and extent of the regulator's presence at the plant?

Guide Questions:

- How much does the plant see of the regulatory staff?
- What is the organizational relationship between regulatory and plant staff?
- Is the regulatory presence on site viewed as a help or hindrance?

Key Indicators:

- Regular and effective regulatory presence on site.
- Participation in development of surveillance regimes for key safety areas.
- Notification systems for activities and events out of hours.
- Positive feedback from plant staff on availability and effective inspection programme for site inspectors.
- Regular participation in plant safety meetings and committees.
- Assessment of reports from nuclear plants to implement preventive and corrective actions.

3.2. OPERATING ORGANIZATION

3.2.1. Corporate level

3.2.1.1. Safety policy at the corporate level

Corporate level safety policy statements vary in both form and content. A safety policy statement must, however, be clear and must be provided to all staff. It should declare a commitment to excellent performance in all activities important for the safety of its nuclear plants, making it plain that nuclear plant safety has the utmost priority, overriding if necessary the demands of production or project schedules. Essential areas of enquiry are indicated by the questions and key indicators which stress the importance of unequivocal support for safety over all other considerations and the understanding of policy statements by all levels of staff. Questions should be posed to discover the importance attached to the corporate safety policy, how it is documented, disseminated, authorized, reviewed and implemented. Key indicators are an unambiguous statement of safety above all else endorsed by the highest corporate level and translated into 'ownership' by the corporate management. It is very important to discern whether the corporate safety policy is understood and supported at all levels of the national nuclear industry.

Q1 (CMI)
Basic INSAG Qs: Has a safety policy statement been issued? Is it clear? Does the policy express the overriding demand for nuclear safety? Is it brought to staff attention from time to time? Is it consistent with the concept of safety culture presented in the 75-INSAG-4 report?
Guide Question:

- Please explain what you know of any company or corporate safety policy statements.

Key Indicators:

- An organization operating a nuclear plant should issue a safety policy statement to all staff declaring its commitment to safety.
- Staff should be reminded about the statement from time to time.
- Safety policy statements will vary considerably in form and content.
- Staff should be aware of the following in an organization which has a well established safety culture:
  the responsibility of the operating organization for the safety of the plant;
  the commitment to excellent safety performance;
  that safety is of the utmost priority, overriding if necessary commercial considerations.

Q2 (CMI)
Basic INSAG Q: Are managers and workers familiar with the safety policy and can staff cite examples that illustrate its meaning?

Guide Questions:

- Have you ever quoted from the safety policy to highlight safety in a meeting or discussion?
- What can you not do in terms of the safety policy statement?
- Who signs and takes responsibility for the policy statement on nuclear safety at corporate level?
- Do you have a copy of the safety policy?
- Have you ever discussed this document with your staff/peers?
- What do you consider the advantages and disadvantages of the safety policy?
- Does it need changing?

Key Indicators:

- Visibility and good knowledge of the current safety policy document.
- Examples of usage, demonstration of familiarity and agreement.

3.2.1.2. Safety practices at the corporate level

Policy statements and commitment to safety must be supplemented and effected by corporate management involvement in safety matters. Confidence in the competency and expertise at corporate level on nuclear safety matters enhances the plant's safety culture by reinforcement of utility safety policy from the top down. Establishment of an effective and credible nuclear safety review group at corporate level and the support of a designated senior manager with prime responsibility for safety may seem obvious prerequisites for utilities. However, quite often the utility delegates the nuclear safety portfolio to a minor level of the corporate structure. Significantly, this may be the most difficult area of enquiry to pursue and this may indirectly indicate an adverse influence on plant safety culture. Any evidence of a gap between the corporate and plant staff's interpretations of safety responsibility must be explored. Safety culture thrives on mutual support, agreement and a common understanding of safety objectives.

Q1 (CMI)
Basic INSAG Qs: Does the corporate board have expertise in nuclear plant safety? Do formal meetings at this level include agenda items on safety? Do operating staff attend to discuss the safety performance of plants?
Guide Questions:

- Who is responsible for nuclear plant safety at corporate level?
- Do you consider that there is adequate knowledge of plant safety at the corporate level?
- Are nuclear safety matters given enough prominence at corporate level meetings?
- Who attends corporate level nuclear safety review committee meetings?
- To which levels are corporate nuclear safety minutes distributed?

Key Indicators:

- There is a clear line of reporting from the established nuclear safety review committee to the corporate board or representative of the board at the safety committee.
- The corporate board has expertise in nuclear plant safety.
- Inclusion of safety items on agendas: regular inclusion of plant staff in meetings.
- Positive feedback from plant staff on corporate responses to plant safety issues.

Q2 (CM)
Basic INSAG Q: Is there an active nuclear safety review committee which reports its findings at corporate level?

Guide Question:

- What is the relationship between the plant and corporate management with respect to discussion of nuclear safety issues?

Key Indicators:

- Minutes and actions from corporate nuclear safety review committees.
- Plant confidence in corporate review groups.
- Corporate inputs to plant/regulatory safety issues.

Q3 (CM)
Basic INSAG Qs: Is there a senior manager with nuclear safety as a prime responsibility? How is he supported and assisted in his duties? What is his standing compared with that of the heads of other functions? Do senior managers visit the plant regularly? Do they give attention to safety matters?

Guide Questions:

- How often do the plant staff meet with corporate managers?
- Who has the highest responsibility for nuclear safety in the utility? Is it considered effective?

Key Indicators:

- Job description and organizational confirmation of senior nuclear manager responsible for nuclear safety.
- Positive perceptions by plant staff of senior managers' roles and responsibilities.
- High level of visibility and interaction between plant and senior managers.
- Willingness to submit all safety matters for senior manager review.

Q4 (CM)
Basic INSAG Qs: Are the resource requirements for the safety function reviewed periodically at corporate level? With what results?

Guide Questions:

- Who reviews safety function resource requirements? How is it done?
- How often are the resource requirements for the safety function upgraded?
- What criteria are used to determine the safety function resources and funding?

Key Indicators:

- Evidence of regular reviews of resources at corporate level.
- Positive attention to upgrading and maintenance of corporate staff ability and availability.
- Recognized career paths for plant and corporate staff which include nuclear safety management.

3.2.2. Plant level

This will undoubtedly form the bulk of the ASCOT reviewers' work and consequently requires the allocation of areas and interviews to assure optimum coverage in the time allotted. Plant activities have been divided into eleven (11) sections of assessment. These cover the key areas encompassing those aspects important to safety culture. Questions are presented as starting points from which the level of attainment of the key indicators can be gauged. Several questions are repetitive or similar, indicating their relative importance in determining certain factors of attitude, commitment, safety practices and communications. Questions should be further developed to suit the particular plant circumstances with a view to establishing a picture of safety culture at the plant. The objective of the ASCOT review is to assess an organization's safety culture through a vertical and horizontal review of attitudes, communications and consistency in the implementation of safety throughout the plant.

Team members must always look out for good practices and give examples of improvements of safety culture. The accent should always be on positive aspects of performance and the promotion of enhanced safety culture within the organization and nuclear industry. However, where negative aspects exist these need to be brought out for assessment.

3.2.2.1. Highlighting safety

Q1 (CM)

Basic INSAG Qs: Does the plant manager hold periodic meetings with his senior staff that are devoted solely to safety? Are there opportunities for non-management staff to participate in meetings devoted to safety? Do these meetings cover safety significant items at that plant? At other plants in the company? At other plants in the country? At other plants in the world?

Guide Questions:

- What means are there to promote safety culture amongst non-technical staff?
- How familiar are non-technical staff with safety issues at the plant? In the world?
- Where are safety priorities listed?
- How are suggestions and promotion of safety handled at the plant?
- Who attends the plant managers' safety meetings?
- What is discussed at these meetings? Are agendas circulated to staff?

Key Indicators:

- Regular safety meetings.
- Documented actions and close out.
- Established protocols for meetings and actions.
- Wide scope of agenda items.
- Positive feedback from staff on the applicability and access to safety meetings.
- Circulation of safety meeting minutes and actions for review.

Q2 (CM)
Basic INSAG Q: Has consideration been given to requesting an independent peer review (such as, for example, an OSART review) or similar external review?

Guide Question:

- Would such a safety review receive support throughout the organization?

Key Indicators:

- One or more peer safety reviews requested or held and with positive follow-up.
- Evidence of self-appraisals.
- Technical safety reviews.
- Positive feedback from staff on proposals for external review.

Q3 (MI)

Basic INSAG Qs: Is there a process by which more junior staff can report safety related concerns directly to the plant manager? Is the process well known? Is there a system for reporting individuals' errors? How is it made known to staff? What mechanism is available to staff to report errors even when they were immediately corrected or had no detectable effect? Do staff make occasional use of the mechanism provided?

Guide Questions:

- How would a junior member of staff report a safety concern to the plant manager?
- What system would you use to report minor safety concerns?

Key Indicators:

- Documented system of direct reporting even to the plant manager.
- Positive feedback from staff on past reporting experiences.
- Management encouragement for safety reporting.
- Documented policy statement on safety reporting.
- Confidentiality provisions for reporting unsafe acts to plant, corporate or regulatory bodies.

Q4 (CMI)
Basic INSAG Qs: Do systems of reward include factors relating to safety performances? Are staff aware of the system of rewards and sanctions relating to safety?

Guide Questions:

- To your knowledge, do the safety records or attitudes to safety of individuals have any effect on their promotion prospects? If so, do you know of any examples of this? Would you expect the salaries/wages of individuals to be linked to their safety performance? How do you feel about this?
Note: The acceptance or rejection of safety considerations in the assessment of remuneration or personal advancement influences the attitudes of individuals to safety culture. A resentful attitude can lead to misreporting of errors and the suppression of facts. A balanced approach is accepted as an indicator of a well understood and fair minded policy on reward and penalty for safety performance.

Key Indicators:

- No sanctions which are demotivating.
- Individuals are encouraged to express safety concerns and to report safety related observations.
- A visible tendency for those who actively promote safety issues to be more likely to be promoted.

3.2.2.2. Definition of responsibilities

Q1 (RCMI)

Basic INSAG Qs: Has the assignment of safety responsibilities been clearly annunciated? Has the responsibility of the plant manager for nuclear safety been clearly stated and accepted?
Guide Question:

- Who is responsible for nuclear safety on the site?
Note: The delegated responsibility of the plant manager for safety is a key element of safety culture. This concept needs to be understood and accepted by the managers. Managers must assign individuals to particular responsibilities and make sure that these assignments are understood by those involved.

Key Indicators:

- Responses should contain the following key points:
  the operating organization is responsible for nuclear safety;
  this is delegated by the operating organization to the plant manager;
  there are clear, unambiguous and documented definitions of responsibility of individuals;
  safety responsibility included in job descriptions and reinforced at training sessions;
  an acceptance that everyone is at least responsible for safety in their own sphere of work.

Q2 (MI)

Basic INSAG Qs: Are the documents that identify safety responsibilities kept up to date and reviewed periodically? With what result? (To be partly covered in the review of documentation)
Guide Questions:

- Who is responsible for reviewing safety responsibility documents?
- How do changes of responsibilities get transmitted to the staff?

Key Indicators:

- Clear responsibilities for keeping documentation up to date.

3.2.2.3. Selection of managers

Q1 (CMI)
Basic INSAG Qs: Do the staff recognize that attitude to safety is important in the selection and promotion of managers? How is this recognition fostered?

Guide Questions:

- What are the major criteria used to select managers?
- How could the selection of managers be improved?

Key Indicators:

- Documented and established criteria for the selection and promotion of managers.
- Positive feedback from staff on the criteria application.

Q2 (CMI)
Basic INSAG Q: Do annual performance appraisals include a specific section on attitude to safety?

Guide Questions:

- Why would you expect annual performance appraisals to cover safety attitudes?
- How can safety attitude be assessed throughout the year?

Key Indicators:

- Established mechanism for regular review of safety attitude of individuals.
- Performance appraisal sheets show specific reference to safety: documented criteria for managers to gauge safety performance.
- Positive feedback from appraised staff: evidence of safety related awards and sanctions system.

Q3 (CMI)
Basic INSAG Q: Can cases be identified in which safety attitude was a significant factor in approving or rejecting a promotion to management level?

Guide Questions:

- What would be considered an acceptable attitude to safety? Can you quote an example?
- Has anyone, to your knowledge, ever been rejected for promotion because of safety attitude problems? Is there an explicit example of this?

Key Indicators:

- Current examples of promotion assessments.
- Documented and understood criteria for promotion.
- Positive evidence of safety attitude as a selection criterion.

3.2.2.4. Relations between plant management and regulators

Q1 (RCMI)
Basic INSAG Qs: Is the relationship frank, open and yet adequately formal? What is the nature of arrangements for access of regulators to documentation? To facilities? To operating staff? Are required reports to the regulatory agency made in a timely fashion? At what levels are the plant contacts for the regulatory inspectors? Does the plant manager meet routinely with regulatory staff?

Guide Question:

- What is the nature of the relationship between the plant management and the regulation agency?
Note: An open and constructive relationship with the regulator is in the interests of safety. Staff may require guidance on how they should respond to requests from regulatory inspectors for access and information. There should be a continuing dialogue between the two so that if a contentious issue arises there are adequate communication routes available for the problem to be resolved in an atmosphere of mutual trust and respect.

Key Indicators:

- Desire for frank and open discussion.
- Adequate formality.
- Regular meetings at plant manager level.
- Clear advice to staff to co-operate with regulatory inspectors.
- Provision for informal contact with regulatory inspectors at all levels of staff.
- Timely production of any reports required by regulators.

Guide Questions:

- What is the role of the regulator in the everyday running of the plant?
- Do you consider the regulator to be effective in monitoring activities?
- How often do you see the regulatory inspector? Do you discuss your work?
Note: The regulator is expected to strike a balance between formality and a direct professional relationship. Mutual respect between the regulatory staff and the operating organization should be based on a common level of competence. Regular joint discussions of the licensee's problems and experience and the impact of the regulatory requirements must take place. Individuals in the operating organization should be aware of the mechanisms by which the regulator assures himself or herself of the safety issues. Site inspectors should be technically credible to the operator with a high degree of personal integrity. Regulatory requirements should be clearly understood by all staff members at the site and the safety objectives accepted at all levels.

Key Indicators:

- Respect for the professionalism and technical competence of the regulator and their acceptance by management will indicate an enhancement of safety culture.
- A willingness to contact the regulator for advice and judgement on certain safety issues.

3.2.2.5. Review of safety performance

Q1 (CM)
Basic INSAG Qs: Does senior management receive regular reviews of the safety performance of the plant? Do these include comparisons with the performance of other nuclear plants?

Guide Questions:

- Who prepares reports on safety performance for senior management?
- Are there any objectives set which would define internal safety goals?
- What are considered to be the main safety indicators?
- Where and when are the safety performances discussed with senior management?

Key Indicators:

- Records of safety information sent to senior management.
- Documented system for reporting safety data to senior management.
- Annual report information on safety issues.
- Documented actions by senior management on negative trends in safety.

Q2 (CM)
Basic INSAG Qs: Are the results of safety reviews acted on in a timely way? Is there feedback to managers on the implementation of lessons learned? Can managers identify changes that resulted from reviews?

Guide Questions:

- What is the average time it takes for safety items raised at review meetings to be resolved?
- What benefits have been derived directly from safety review lessons learned?

Key Indicators:

- Documented action plans for resolution of safety issues.
- Established mechanisms for feedback of completed actions.
- Tracking system in place for monitoring safety issues status.
- Authorized persons nominated specifically for addressing safety issues.
- Regular safety review meetings and close-out actions.
- Positive feedback from staff on resolution of safety issues.

Q3 (CM)
Basic INSAG Qs: Are managers aware of how the safety of their plant compares with that of others in the same company? In the country? In the world?

Guide Questions:

- What is the present comparative ranking of the plant in the national and international tables?
- Is there an action plan derived from this data?
- What is the current trend of the plant safety performance?

Key Indicators:

- Instituted system of utility ranking.
- Annual report data on plant performances.
- Regular bulletins on plant safety status.
- Evidence of improvements as a result of inter-plant information exchange.

Q4 (CMI)
Basic INSAG Q: Do staff routinely read and understand reports on operating experience?

Key Indicators:

- Good knowledge of operating experience across staff levels.
- Review of modifications by staff.
- Established system of experience feedback.
- Positive feedback from staff on adequacy of reports and operating information.

Q5 (RCMI)
Basic INSAG Qs: Is there a system of safety performance indicators with a programme for the improvement of performance? Are the safety performance indicators understood by staff?

Guide Question:

- What do you know of any systems at the plant for measuring safety?
Note: The question is about the use and comprehension of safety indicators as a means of judging the effectiveness of any improvement initiative.

Key Indicators:

- A plant with an effective safety culture should produce safety indicators and display them to staff with an explanation of their meaning. Such indicators might be:
  number and severity of significant events;
  unavailability of safety systems;
  plant availability;
  radiation exposure;
  lost time accident rate;
  number of unplanned trips;
  pending work orders.
- Another key indicator of safety culture is the ability to quote some specific initiative at the plant aimed at improving safety, perhaps using an indicator as an example of success.

Q6 (CM)
Basic INSAG Q: Are managers aware of the trends of safety performance indicators and the reasons for the trends?

Guide Question:

- How does the management monitor and review the nuclear safety and performance of the plant?
Note: There should be a range of monitoring measures and practices which go beyond the traditional perception of Quality Assurance. For anything to be effectively managed, it needs to be measured. Therefore the establishment of safety indicators is expected. There should also be a recognition that management needs to be seen by the staff to be giving a high priority to safety matters. This might mean the establishment of special reviews and meetings.

Key Indicators:

- Existence of regular safety management review meetings;
- Existence of safety indicators such as availability or unavailability of safety related systems;
- Number of outstanding plant defects, etc.;
- The monitoring of trends in safety indicators and the taking of actions to bring about improvements;
- The comparison of safety indicators with other similar plants.

Q7 (RMI)
Basic INSAG Qs: What arrangements exist for reporting safety related events at the plant? Is there a formal means for evaluating such events and learning the lessons? Is there a formal mechanism by which staff who were involved in a significant event are consulted on the final contents of a report?
Guide Questions:

- How do you know what sort of events need formal reporting?
- How are events followed up?
- Do the operators see or comment on reports of events?

Key Indicators:

- Clear instructions on what sort of events need formal reporting, and how and to whom;
- Events analysed for safety lessons;
- Use of human factor methods;
- Operations staff involved in the evaluation process;
- System for identifying adverse trends;
- Results of event analysis used in training programmes.

Q8 (MI)
Basic INSAG Qs: Is there a full time safety review group which reports directly to the plant manager? Does the organization have effective safety information links with operators of similar plants? Does the organization contribute effectively to an international safety reporting system?
Guide Questions:

- What is the composition of the permanent safety review group? Does it include outside experts?
- Does the review group meet regularly or on demand?
- What is the main task of the review group?

Key Indicators:

- Well documented minutes of safety review group.
- Established system of review with review group as a mandatory step.
- Procedures including review group approvals.
- Regular inter-plant meetings or data links.
- Positive acceptance of review group by plant and regulatory staff.

Q9 (RCMI)
Basic INSAG Q: What are the trends for the number of outstanding deficiencies, temporary modifications or operating manuals in need of revision?

Guide Questions:

- Please describe the tracking system for monitoring outstanding modifications and issues.
- What is the current situation on temporary modifications and outstanding issues?

Key Indicators:

- Positive trends of outstanding deficiencies: declining number of temporary modifications with short durations.
- Regular revision of manuals.
- Positive feedback from staff on numbers and status of procedures, modifications, etc.
- Positive response to QA reports.
- Established and effective system for tracking safety related documents.

3.2.2.6. Training

Basic INSAG Qs: Does all critical training and retraining culminate in formal assessment and approval for duties? What is the success/failure record? What is the proportion of operating staff's time devoted to training and how does this compare with the practice of other nuclear plant operators?

Guide Questions:

- What kinds of job related training have you received since coming to work at the plant?
- What specific training have you received in the areas of:
  personnel/industrial safety practices;
  radiological protection;
  nuclear power plant safety;
  job specific training for your craft/activity/function;
  emergencies?
- What part of your training is required by the training programme and what part is voluntary?
Note: The first question will establish whether personnel recognize that they have or have not received instruction in the key areas and will help to gauge the relative weights given to safety oriented training versus production.

Key Indicators:

Staff should recognize the differences between:

- good industrial safety practices that would be expected in any industrial setting;
- special radiological health practices and controls;
- rudiments of nuclear power plant principles of operation and safety aspects;
- how their jobs relate to plant safety;
- what they are expected to do in an emergency.

Guide Questions:

- What sort of certification or licence do you receive for each kind of training described? Are these internal certifications (i.e., by plant/company, regulatory agency)?
- Are you required to, or do you have, periodic retraining and recertification for any or all of your job related training?
Note: The purpose of the questions is to determine the degree of formalism and control in training beyond regulatory requirements and establish whether the plant supports and requires retraining in all safety areas.

Key Indicators:

- One indicator of management commitment to supporting safety culture is the provision of continuing reinforcement of training beyond the mandatory requalification of control room operators, i.e. that other areas of staff training are formalized and that all key personnel understand the importance and extent of such training.

Q2 (CMI)
Basic INSAG Qs: What resources are allocated to training? How does this compare with the allocations of other nuclear plant operators?
Guide Questions:

- On what is the allocation of resources for training based?
- Has the resource level been reviewed against similar plants elsewhere?

Key Indicators:

- Commitment at the management and corporate level to provide adequate resources to allow effective training.

Q3 (CM)
Basic INSAG Q: Is the quality of training programmes assessed at corporate and plant management levels?

Guide Questions:

- At what level is the quality of training programmes reviewed?
- How often is the training programme reviewed?
- What is the training programme reviewed against?

Key Indicators:

- Existence of a satisfactory training policy, facilities, staff and budget.

Q4 (RMI)
Basic INSAG Qs: Is there a periodic review of the applicability, correctness and results of training courses? Does this review take into account operating experience feedback? Can training staff cite examples of operating errors that have resulted in modifications to a training programme?
Guide Questions:

- How is the content of training for your staff established? What portion is dictated by regulatory requirements versus plant imposed safety policy? Is there any inclusion of feedback of operational problems at your plant?
- How often is content reviewed for currency? By you? By others (e.g. senior management)?
- Who are the trainers and how are they selected? Are trainers required to be retrained periodically? Is there an exchange of staff between operations and training departments?
Note: The purpose of the questions is to clarify the manager's attitude to providing sufficient training to support safety policy via a highly skilled staff rather than just achieving the minimum required by regulators.

Key Indicators:

- Training content is established and periodically reviewed for relevance.
- Inclusion of plant experience.
- Maintaining relevance.
- Selection and qualification of trainers.
- Evidence that training is current and relevant, e.g. by rotation of trainers through operations or spending time on shift.
- Ongoing evaluation sessions between instructors and students.
- Positive feedback from staff on operating experience discussion and re-enactment.

Guide Questions:

- What is the schedule for your training to maintain your qualification status?
- What kind of preparations do you have to make before you report for a training session? For example, do you keep notes on issues that may have come up on shift so that you could discuss them with the trainer? Perhaps to arrange for practice or demonstration?
Note: The purpose of these questions is to see if staff are active in training and if they seek out training.

Key Indicators:

- Attitude of doing more than what is required, i.e. not just attending because it is mandatory.
- Preparation - operational feedback - input.
- Influencing of content by staff.
- Training proposals included from staff performance appraisals.

Q5 (MI)
Basic INSAG Q: How frequently are production requirements permitted to interfere with scheduled training?

Guide Questions:

- How do you cope with an unforeseen event requiring more staff at short notice?
- What arrangements are there for staff to catch up on missed training?
- What input does the training department have into the planning of production activities?
- How much of a problem is the rescheduling of your training because of production pressures?

Key Indicators:

- Completed training schedules and contingency planning. Management directives on maintenance of training in the event of production conflicts.
- Positive feedback from plant staff on management commitments to training despite production pressures.
- Plans for utilization of additional staff as instructors, e.g. shift technical advisors, other plant staff, consultants.
- Evidence of completed shifts and training sessions.
- Adequate repetition of training courses to all staff.

Q6 (MI)
Basic INSAG Qs: Do staff understand the significance of the operating limits of the plant
in their areas of responsibility? Are the staff educated in the safety
consequences of the malfunction of plant items?
Guide Questions:

- What particular cautions or safety limits must you observe in your
job? (e.g. pressures, temperatures, tank levels that you must control
or be aware of?) What would happen if the limits were violated? Is
there anything of which you have to be careful so that you do not
accidentally cause limits to be exceeded?
- Has the plant, to your knowledge, ever been operated outside the
operating limits?
Note: The purpose of these questions is to explore the depth of
knowledge that the individual has regarding the relationship of job
activities to personal and plant safety.

Key Indicators:

Dialogue should elicit responses that cover:

- understanding of safety limits related to their job;
- personal mental model of plant and how their specific job relates to
plant safety;
- potential consequences to self and plant if they make an error in their
job, e.g. what would occur; how fast would a crisis develop;
- depth of understanding regarding the bases for operating limits and
safety margins.

Q7 (MI)
Basic INSAG Qs: Are staff trained in the special importance of following procedures? Are
they regularly reminded? Are they trained in the safety basis of the
procedures?

Guide Questions:

- What kinds of written operating procedures do you use in your daily
work?
- Do you feel that you need to have the written procedures open in
front of you to perform the correct actions in the correct sequence?
For normal operations?
- How easy to use do you think the procedures are?
- What was your training on emergency operating procedures: how do
the trainers lead you through the bases? How much are you expected
to know by memory?
- What is management's policy on following procedures verbatim? In
all cases?
- Are you given authority to override procedures?
- Have you taken part in the procedure validation process? What was
the result?
- Have you or colleagues suggested improvements or spotted errors in
procedures?
Note: The basic premise is that well thought out and validated
procedures for operations will minimize the likelihood of operator errors
and operators should be trained to trust the procedures. However, the
training should impress upon the operators the need to continue to ask
questions, especially when situations vary from the expected evolutions.
Operators need to feel a sense of ownership of the procedures. These
questions should also be put to other key staff, i.e. in maintenance or
radiation protection, with suitable amendments.

Key Indicators:

- Knowledge of bases for procedures with a realization that procedures
may not cover all eventualities.
- Operator suggestions for procedure improvements are incorporated in
a timely way.
- Operators are involved in the procedure validation process.
- Clear understanding of policy on procedure adherence.
- Operator confidence in procedure accuracy and format.

Q8 (RMI)
Basic INSAG Qs: For control room operators, do retraining sessions on simulators take
into account the difficulties that staff have experienced and the questions
that they have raised? Are training simulator modifications made as soon
as the plant is modified?
Guide Questions:

- Please describe how you make use of control room simulators to
support the plant and corporate safety policy?
- Discuss the frequency and duration of simulator training for each
operator? What steps do you take to ensure that operators receive
simulator and other training when scheduled?
- What guidelines do you establish for the content of simulator training?
For example, how much time is spent on maintaining skills in
handling normal operational transients versus simulated accidents of
various types and probabilities? How do you make sure that operating
problems or operator concerns of your plant or similar plants are
addressed in the simulator?
- Are you able to attend and observe operator simulator training?
- What do you do during simulator sessions to help improve team
performance of operating crews, especially during accident scenarios?
- Are you able to keep the simulator model consistent with plant
modifications?
- What counterparts to the simulator are provided for plant equipment
operators; maintenance staff, etc.?
Note: The purpose of the questions is to determine the value and priority
placed on simulator and training aids by managers. Failure to ensure
timely and meaningful simulator training or continuing proof of
commitment will affect operators' attitudes toward simulator training.
The ideal would be to provide a plant specific simulator with very
frequent sessions, but this may not be possible for all plants. Even if
operators and managers can travel to a simulator site only infrequently,
the management should provide as much simulator time as possible and
emphasize its importance by attending and observing.
Guide Questions:

- How often do you train on a simulator? Do you go as an individual
or with the rest of the shift?
- What kind of events do you cover, e.g. design basis accidents? Events
from other plants, beyond design basis accidents?
- If the simulator is not plant specific, are you able to use the current
procedures for your plant?
- Do you and colleagues have a say regarding events to be included,
e.g. based on operating experiences?
Note: The purpose of this area is to determine the resources and
priorities given to simulator training and the degree to which operators
value and contribute to training. The opportunity for team training
should be explored.

Key Indicators:

- Frequency of simulator use.
- Content; including feedback from operations and operator requests.
- Keeping simulator current with plant.
- Use of simulator sessions to improve team performance of operators.
- Use of other training aids for equipment operators and maintenance
staff.
- Good scope of simulation and faults.
- Management involvement in training sessions.

- Plant specific simulator is available to operators (own or elsewhere).
- Frequency with which they attend.
- Management commitment to training.
- Balance between normal operations and emergency response.
- Feeling of participation and ownership by operators.
- Team/shift training.
- Evaluation of training results by operators.

Q9 (MI)
Basic INSAG Q:

For maintenance personnel, do training sessions make use of mock-ups
and video recordings before a complex maintenance activity is
performed?

Guide Questions:

- What methods do maintenance staff use to prepare for complex work?
- How does the plant dose rate record compare with that of plants
worldwide?
- How much of the budget is allocated to special tools, mock-ups and
video equipment per year?
- Is there on the job training? How is it carried out?
- Do you get enough rehearsal time before a maintenance activity?

Key Indicators:

- Training mock-ups and equipment in evidence and use.
- Rehearsal time built into schedules of work.
- Procedural references to preparatory training.
- Feedback of event reports into work preparations.
- Low dose rates recorded for maintenance work.
- Ongoing video recording of maintenance work for future use.
- Mock-ups replicate the plant and replacement components used for
training.
- Safety reinforced in documentation and training sessions.

Q10 (MI)
Basic INSAG Q:

Do training programmes address safety culture?

Guide Questions:

- In addition to training staff to perform jobs correctly for production
purposes, how is knowledge of each individual's contribution to plant
safety communicated?
- Are your staff given specific training on potential consequences of an
error they might commit, e.g. exceeding a safety limit of the plant or
potentially harming themselves?
- Are there written procedures for your staff? Are they required to
follow them verbatim by regulators, plant policy or your policy? Are
the staff aware of the consequences of not following procedures, e.g.
would this lead to a violation of a safety limit?
Note: These questions should address managers' attitudes towards safety
related training for their staff.

Key Indicators:

- Relevance of operating limits reinforced.
- Consequences of error transmitted to all staff levels.
- Bases and use of written procedures stressed constantly in training and
operations.
- Specific safety culture promotion sessions.
- Total acceptance of validity of procedures.
- Acknowledgement by managers of good safety performance.

3.2.2.7. Local practices

Q1 (CM)

Basic INSAG Q:

Has the plant manager instituted any safety related initiatives that go
beyond requirements set at the corporate level?

Guide Questions:

- What do you know of initiatives set out by the plant manager to
improve safety?
- How effective is the Plant manager's safety improvement programme?
- What systems are in place to recognize the contribution of plant
managers to safety? Is there a system of awards?

Key Indicators:

- Unique programmes on safety.
- Feedback from staff on new initiatives.

Q2 (RMI)
Basic INSAG Qs: Are records on the performance or maintenance of components and
systems easily retrievable? Complete? Understandable? Accurate? Up to
date? (to be partially covered by documentation review)
Guide Question:

Are maintenance records used to trend major equipment reliability?

Key Indicator:

Maintenance records used in a positive manner.

Q3
Basic INSAG Q:

What is the general state of the plant in terms of general appearance and
tidiness, steam and oil leaks, the tidiness of log-books and records? (to
be covered by a plant tour)

Q4 (CMI)
Basic INSAG Q:

What are the arrangements for supervising, reviewing and signing off
maintenance work carried out by supporting organizations?

Guide Questions:

- What special safety related problems are posed by the use of
contractors and how are these addressed?
- How many contractor related problems does the plant experience
annually?
Note: Contractors (and other supporting organizations) are not routinely
exposed to the safety culture which is fostered at the plant and therefore
special efforts are required to make sure that the work done and working
methods are satisfactory with respect to safety. The questioner should try
to find out what is done over and above normal commercial quality
assurance practice.

Key Indicators:

- Specific arrangements for safety briefing of contractor's staff before
they start work.
- Specific arrangement for supervising, reviewing and accepting work
done.
- Evaluation of the quality of contractors before the tendering process.
- Declining trend in contractor related problems.
- Regular meetings with external bodies to discuss safety issues.
- Penalty clauses related to safety built into contracts.
- Regulatory inspection programme of contract work.
- Availability of radiation protection records.

3.2.2.8. Field supervision by management


Q1 (RMI)

Basic INSAG Qs: What is the working style of the senior supervisors on shift? Do they
seek information? Are they well informed? Do they visit routinely the
areas where safety related work is being done? Are they interested in the
problems or solely the schedules? What fraction of the time of the senior
person on shift is spent on administrative duties?

Guide Questions:

- What training in leadership, time management and supervision does
a senior shift supervisor (SSS) receive?
- How do SSSs keep their plant knowledge up to date?
- What more could be done to make the SSS more effective?
- How often do staff seek out the SSS for advice and guidance?
- What would happen if the SSS spent long hours out of the control
room?
- How much knowledge does an SSS need to have?
- What differences are there between the various SSSs' ways of
working?
- How much authority does an SSS have on shift?
- Can anyone overrule a senior licensed operator on shift?
- Does the operations supervisor follow up the activities of the
SSS/operators and field operators?

Key Indicators:

- Shift logs and supporting documentation show regular SSS
involvement and visits.
- Documented policy and job descriptions state duties, responsibilities
and safety accountability of SSS.
- Assistance provided for SSS on administrative duties.
- Selection criteria and training for SSS includes safety reinforcement
and questioning attitude.
Q2 (MI)
Basic INSAG Qs: Do middle managers often make first hand inspections of the conduct of
safety related work for which they are responsible?
Does the plant manager from time to time inspect the conduct of safety
related work?
Do senior managers visit the plant regularly? Do they pay attention to
safety matters?

Guide Questions:

- How often do you see managers about the plant?
- Do managers ever come round on tours of inspection?
- Is seeing a manager at the work-place an indication of trouble?

Key Indicators:

- Management visibility around the work-place.
- Regular tours of inspection by managers, particularly looking for
problems related to safety.

3.2.2.9. Work-load
Q1 (RCMI)

Basic INSAG Qs: Is there a clear policy on limits to overtime worked? To which staff does
it apply? How is overtime controlled, monitored and reported to the
plant manager and higher management?
Guide Questions:

- How do you get assurance that staff are fit for duty at the start of a
shift/day?
- Where are the limits for overtime stated?
Note: It is important that staff are not permitted to take up duties if they
are unfit to do so through tiredness, illness, drugs, alcohol, etc. In
addition to management controls, staff should be encouraged to develop
and follow codes of practice covering the above.

Key Indicators:

- Stated policy on maximum working hours and minimum time off
between shifts.
- Monitoring of hours worked.
- A system which requires a fitness for duty judgement at the start of
a shift.
- Codes of practice understood and accepted.
- Contingency plans for unforeseen demands on staff.

3.2.2.10. Attitudes of managers

Q1 (CMI)

Basic INSAG Q:

When there is apparent conflict between safety and cost or between
safety and operation, do managers discuss with staff members how it is
resolved?

Guide Questions:

- When situations arise that require a decision between
commercial/production and safety considerations, who decides?
- Would you or your colleagues be consulted?
- If the plant were stopped owing to a faulty component and you had to
have a replacement part to complete the job and only a substitute of
a lower standard was available, what would you do to get the plant
back into production again with a minimum of delay?
Note: Managers' attitudes are demonstrated and staff attitudes are
influenced, by exchanges on nuclear safety matters. In particular, the
opportunity to demonstrate that safety will be placed before production
should be apparent to all individuals.


Key Indicators:

- Discussions with staff concerned about delays in restarting the plant
for reasons of safety.
- A clear commitment to safety is a primary objective.
- Involvement, discussion, reasons for decisions affecting safety.
- Examples of production delayed for safety reasons reinforce the
safety culture.

Q2 (RMI)
Basic INSAG Q:

Are the schedules and content of work for annual shutdowns examined
by an internal safety review process?

Guide Question:

How is the content of the outage work list arrived at?


Note: The aim is to reveal whether shutdown work lists are influenced
by previous experience both from the site and from other similar plants.
Also, to find out whether there is scrutiny of the work list by some third
party safety review process and whether this leads to amendments to the
list on the basis of safety considerations.

Key Indicators:

- A third party safety review process.
- Influence of operational feedback to amend list.
- Safety related spares and services provision prior to commencement
of work.

Q3 (MI)
Basic INSAG Q:

When safety considerations introduce a delay in the startup of a plant,
do managers use the occasion to illustrate that safety comes first?

Guide Question:

Is there a system for prioritizing maintenance work which is safety
significant?
Note: A system of assigning maintenance work is to be expected. The
questioner should seek to elicit whether the prioritization system clearly
puts safety first, above production issues. The questioners should also
try to find out within this question how a conflict of requirement
between safety and production is resolved. The question should be
expanded to cover amendments to documents.

Key Indicators:

- A prioritization system which affords significant safety related work
top priority should exist in all areas of activity. Conflict between
safety and production should be discussed with relevant plant staff.
Managers should use such times to highlight the overriding priority
given to safety. 'Stop work' authority to managers for safety issues
indicates a high regard for safety.

Q4 (MI)
Basic INSAG Q:

During periods of heavy work-load, do managers ensure that staff are
reminded that unnecessary haste and shortcuts are inappropriate?

Guide Questions:

- In periods of heavy work-load and high pressure, what would you and
your manager discuss regarding action plans and safety measures?
- Do you re-examine safety concerns? Are you reminded by
management of the need to be vigilant and to adhere strictly to
procedures and safety limits?
Note: The attitudes of individuals and managers can be examined and
impressions gained in exchanges with staff members at various levels to
support judgement of the effectiveness of safety culture. Examples may
be available from previous experience to illustrate the situation and these
should be sought from the individual. Procedures must be strictly
followed even when quicker methods are available.
Key Indicators:

- Regular discussions with staff on contingency planning.
- Control of contractors and external staff to ensure no safety problems
arise.
- Reference to safety policy by managers and staff in cases of dispute.
- Contacts with regulatory body to ensure clarity of requirements.
- Willingness to reschedule work because of safety constraints.

Q5 (CMI)
Basic INSAG Qs: Do managers explain their commitment to safety culture to their staff?
Do they regularly disseminate relevant information such as objectives,
expenditure, accomplishments and shortcomings? What practical steps
are taken to assist management commitment, such as establishing
professional codes of conduct? How often have directions from
management been aimed at the improvement of safety?
Guide Question:

How are staff encouraged to strive for excellence in matters affecting
safety?
Note: The aim of the question is to reveal management practices which
foster a good safety attitude among staff. Prompting on the specific areas
covered by the key indicators may be necessary.

Key Indicators:

- If there is a bonus system, safety performance should be a factor.
- Promotion prospects are visibly affected by safety attitude.
- Attitude to safety is a specific factor in staff performance appraisal.
- A scheme for staff to suggest safety improvements is in place.
- The concept of safety culture is explained to staff regularly.
- Initiatives are used to obtain improvements in specific areas.
- Professional codes of conduct are instituted.
- There are regular safety bulletins and safety forums.

Q6 (MI)
Basic INSAG Qs: Do managers disseminate to their staff the lessons learned from
experience at their own and similar plants? Is this a training topic?

Guide Question:

- How are the lessons learned from incidents on site and from other
plants disseminated?
Note: The question is posed to reveal the incident reporting and
operational feedback systems. The aim is to reveal the extent and
effectiveness of any systems which exist.

Key Indicators:

- An on-site incident reporting and review procedure.
- Positive actions taken in response to incidents.
- Availability of incident reports from other plants and scrutiny of these
for relevance.
- Encouragement of 'near miss' reporting.
- Regulatory requirements modified in the light of external incidents.

Q7 (CMI)
Basic INSAG Qs: Is there a system for bringing safety related concerns or potential
improvements to the attention of higher management? Is its use
encouraged by managers? Do managers respond satisfactorily? Are
individuals who transmit such concerns rewarded and given public
recognition?
Guide Questions:

- How would a safety concern or improvement be brought to the
attention of management?
- What is the attitude of management to safety reporting?
- What mechanism is in place for highlighting safety suggestions?
- Can you cite a safety suggestion you have put forward?

Key Indicators:

- The existence and regular use of a system for safety suggestions.
- Satisfaction with the response to safety suggestions.
- A reward system for valuable safety suggestions.
- A system that gives safety reporting special priority over other work.
- Awareness of how to use the plant's safety suggestion system.

Q8 (MI)
Basic INSAG Qs: What is the attitude of managers and staff to safety reviews and audits
affecting their activities? Do they discuss with their staff the results and
the means by which deficiencies may be corrected? How responsive are
they to improvements made as a result? What is the attitude of managers
to the application of quality assurance measures to their activities?
Guide Questions:

- Do you find audits and reviews to be helpful or a hindrance in the
way you do the job?
- How do you feel about QA measures such as inspections and tests?
- What is your understanding of why they are done and what is done
with the results?
- How do you think QA measures improve the safety factors of your
job?
Note: Managerial responsibilities include the implementation of a range
of monitoring practices, some of which go beyond the implementation
of traditional quality assurance measures. These include, for example,
regular reviews of training programmes, working practices, and
assessment activities. These practices depend on the activities of the
organization and may require the participation of groups and individuals
in adherence to principles and approved practices. By these means, the
working of safety management systems is checked by internal processes.
It is the responsibility of management and workers to strive for
excellence in the achievement of their safety goals. Questions should be
developed to explore the depth of commitment to and the understanding
of the processes of quality assurance.
Key Indicators:

- Understanding and appreciation of the need to scrutinize changes to
operating parameters, maintenance requirements, modifications to plant,
and any non-routine operation of the plant.

Q9 (CMI)
Basic INSAG Qs: Does management regularly review the performance of personnel, with
assessment of their attitude to safety? Do managers give recognition to
staff members who take actions beneficial to safety?

Guide Questions:

- Do you think the station staff are qualified and have sufficient
experience to handle any abnormal situations?
- How would management reward exceptional safety actions by staff?
- For operating and maintenance staff particularly, what is the staff
turnover rate and are there any implications here for nuclear safety?
Note: The responses must be substantiated with questions regarding the
perceived level of experience needed in critical posts and the
contribution to safety. A high staff turnover rate can be an indication of
poor staff morale. Even when all training requirements are met, it is still
desirable to keep a balance of experience in all groups so that there are
some long serving members in each group.

Key Indicators:

- Low staff turnover, little movement of staff, promotion with perceived
merit, exposure to abnormal situations, adequate service in key jobs
and expressions of confidence in the group and management.
- Recognition for staff who contribute to safety and favourable comment
from staff on managers' ability and willingness to acknowledge safe
working.
- Awareness of the need for balance of experience in each group.
- Awareness of staff turnover rate and reasons behind the particular
figure.
- Positive steps taken to arrest the problem before it becomes serious.

Q10 (RCMI)
Basic INSAG Q:

What is the response of management to safety infringements and
violations of safety related technical specifications?

Guide Questions:

- How do you feel about management's reaction to infringements or
violations of safety limits?
- Does the attitude of management to safety violations seem acceptable
to you?
- In your view, are violations properly investigated by management?
- Do you feel that management gets to the root cause of safety
violations?
Note: Staff have to understand that the management cannot condone any
infringement or violation of safety limits. Failure to take remedial action
will result in the staff becoming confused as to the importance of safety
requirements. All significant events that have occurred on site should be
analysed in close co-operation with the staff concerned to help all staff
evaluate their strengths and weaknesses. No ambiguity should exist over
the limits set or the systems by which the management deals with
transgressions. Examples should be requested of any such violations and
the action perceived by individuals.
Key Indicators:

- Acceptance of safety limits, understanding of the consequences of
violation.
- Confidence in the ability of management to act justly, examples of
previous cases of violation and management actions which
demonstrated a positive result.
- Expressions of resentment, unjust treatment of previous violators,
ineffective actions by management or perceptions of misplaced blame
would indicate a problem.

Q11 (CMI)

Basic INSAG Qs: What systems exist to apprise managers of safety accomplishments or
shortcomings? How effective are they? Are managers alert to the need
to identify weaknesses in their staff, to specify training requirements or
to provide other support?
Guide Questions:

- How well do managers know the safety attitudes of their staff? How
can they measure them?
- How does a manager ensure that any extra training or support for
staff is put into effect?

Key Indicators:

- Managers are kept informed of the number of outstanding safety
related work orders.
- Regular managerial review of training delivered.
- Regular system of staff performance appraisals.

Q12 (CMI)

Basic INSAG Qs: Do managers participate in staff training courses at which safety policies
and procedures are explained? Do they present any of the training
material? Do they follow the training of their staff and are they aware
of their training status and levels of ability? Do they encourage staff
members to spend time as instructors? Do managers themselves undergo
retraining in safety matters?
Guide Questions:

- What training programmes exist for your staff? What are the critical
areas of training for your staff related to personnel and plant safety?
- Is any or all of the training required by regulations? Is any or all
required by the plant as a requirement for duty? As such, are records
kept and/or certificates or licences issued? Who determines standards
for passing?
- As a manager, what attention do you give to assessing the content and
results of training for your staff?
- Do you have any difficulties providing time or facilities for the
training you want?
- Do you attend training sessions to ensure that learning is taking place?
- Do you, yourself, go through retraining periodically? What kind? Is
this voluntary or required?
Note: For each manager interviewed, questions should attempt to
determine whether adequate attention, priority and resources are being
provided and if not, why? Managers should understand the objectives of
training efforts to support safety policy.
Key Indicators:

- Formal (e.g. certificate or licence issues) training mandatory.
- Records kept up to date and accurately.
- Time spent by staff and manager on training.
- Resources committed adequate and competent.
- Potential conflict of training versus production resolved.
- Managers receive training in management and communication skills.

Guide Questions:

- Who are the trainers? Do you feel they are able to help you improve
or maintain your skills?
- Do your supervisors or managers ever observe your training sessions
or take part in them?
- Do trainers and managers discuss the content or results of your
training with you?
- What kinds of results are discussed?
Note: As a further demonstration to staff of their commitment to safety
culture and related training, as well as being good management practice,
managers should periodically observe what is being taught and how
training is being received by staff. Managers should be open to
suggestions by staff for ways to improve training. If staff do not feel that
there is sufficient management interest in training, then staff will tend
to be less motivated.

Key Indicators:

Staff perceive that:

- managers regularly come to their training sessions;
- managers or trainers are open to staff input;
- managers emphasize results or regulatory requirements and expressed
needs of staff;
- staff comments on training content are taken into account;
- the training staff are respected and trusted;
- the managers' qualifications and experience are adequate.

Q13 (MI)
Basic INSAG Qs: Does the plant manager from time to time inspect the conduct of safety
related work? Do managers review regularly the assignment of their
staff's duties? Are the relevant documents up to date? Do managers
attend regularly at the work-place to review safety related activities? Do
middle managers often make first hand inspections of the conduct of
safety related work for which they are responsible?
Guide Questions:


- How often do you have a visit from your managers during the
working day/week/month?
- Do managers help you by their visits?
- Would you like to see these visits increased?
- Are you able to discuss all aspects of the job with your manager?
Note: The presence of managers at the work site provides opportunities
for them to emphasize directly the importance assigned to safety. It is
the task of managers to ensure that their staff respond to and benefit
from established practices and, by attitude and example, ensure that their
staff are continuously motivated towards high levels of personal
performance in their duties. It is essential that managers are visible and
worthy in the eyes of their workers as this fosters a spirit of concern for
the individual and the task in hand.
Key Indicators:

Non-appearance or infrequent attendance at the work site indicates a lack
of interest by managers. Low standing or unapproachability may
influence the individual to withhold safety concerns from management.
Regular visits and work reviews are favourable. Open discussion on
safety and allocation of duties. Advice sought and given by staff and
managers respectively.

Q14 (CMI)
Basic INSAG Q:

Do managers give attention to the physical working environment of their
staff?

Guide Question:

What could be improved in your physical working environment? Who
could change that? Why is it not changed? Have you requested
improvements to your working environment? Of whom? With what
result?
Note: The working environment is usually the area of most interest to
the individual and the environment created by the management can
condition the individual's attitude. Any shortcomings in physical
conditions may affect the performance of the worker and the safety
levels associated with the job. Management has a responsibility to
provide an environment conducive to safe working practices. Any
shortcoming in this area may be perceived by the individual as a
de-emphasis on safety and workers by management. Lowered self-esteem
and a strained atmosphere may result from a physical working
environment which is less than adequate. For staff to carry out their
duties with ease, satisfactory facilities must be provided, including: the
physical features of work locations, the suitability of controls,
instruments, tools and equipment; the availability of necessary
information; standards of housekeeping; and, of particular importance,
the work-loads of individuals.

Key Indicators:

- Positive factors are satisfaction with the work-place and the conditions
associated with carrying out tasks safely and efficiently.
- A feeling of confidence in management's interest and concern for the
workers' environment indicates a healthy situation.
- Some of the negative factors may be apparent from an on-site
inspection of the environment.
- Questions may then be forwarded to determine the attitudes of
individuals to any shortcomings.
- Acceptance of a poor physical environment and the lack of impetus to
improve it would indicate a deficiency in management/worker
relations and in the overall safety situation.

3.2.2.11. Attitudes of individuals

Q1 (MI)
Basic INSAG Q:

Are staff aware of the management's commitment to safety culture?

Guide Questions:

- What do you understand by the term 'safety culture'?
- What is the nature of any company or corporate safety policy
statement and how is it implemented?
Note: If the plant management want good safety culture they should
communicate what they want effectively to the staff. An alternative way
of asking about this is to ask what it is that makes the particular plant
safe. A discussion from this angle might show an understanding of safety
culture without having come across the specific term. An organization
operating a nuclear plant should issue a safety policy statement declaring
the organization's objectives and corporate commitment to safety. The
key point is an understanding that safety is derived from an assembly of
measures and attitudes that ensures nuclear safety issues are given
sufficient attention. Management systems and controls are not fully
effective on their own; the questioning attitude and the rigorous, prudent
and communicative approach of individuals are also vital to the building
and maintenance of safety culture.


Key Indicators:

There should be a policy statement which:

- Declares the operating organization's responsibility for safety.
- Declares a commitment to excellent safety performance.
- Declares that safety is of the utmost importance and will if necessary
override commercial pressures.
- The policy statement should be made available to all staff and they
should be reminded of it from time to time.
- The policy should be implemented through a management structure
which assigns responsibility for key safety related activities on
the site.

Q2 (MI)
Basic INSAG Qs: Can personnel state ways in which safety might be prejudiced by their
own erroneous action? And by those of others working in related areas?
Do staff stop and think when facing an unforeseen situation? In such
cases are their actions 'safety inspired'?
Guide Questions:

- If you were required to work on/operate a plant
item/equipment/system and after the action you discovered that it was
the wrong item/equipment/system and you had made a mistake, what
would be your actions/attitude to your mistake, the actions of
management and the attitude of colleagues?
- Suppose you were expected to use a procedure for an operation/task
and half-way through the procedure you discovered an error in the
instructions, what would be your immediate actions and follow-up
actions?

Note: The phrasing of questions on behaviour and attitudes requires the
interviewer to adjust the context of the question to the job requirements
of individuals.
Responses should indicate the individuals' actions in their actual place
of work and their perceptions of the expected behaviours from
management, supervisors and colleagues. Responses to hypothetical
questions will have to be challenged by the interviewer with other,
appropriate questions regarding the individuals' feelings, reactions and
perceptions of consequence associated with the error situation. Errors,
when committed, should be seen less as a matter of concern than as a
source of experience from which benefit can be derived.
Individuals should be encouraged to identify, report and correct
imperfections in their own work in order to help others as well as
themselves to avert future problems. When necessary, they should be
assisted by management and colleagues to improve their subsequent
performance. Nevertheless, for a repeated deficiency or gross
negligence, individuals should expect and accept the management's
responsibility to effect adequate measures, since safety may otherwise
be prejudiced. The individuals' attitude to and experience of the
application of these measures should be explored during questioning to
determine whether it is seen to be effective or counterproductive.
Key Indicators:

Evidence of an honest approach, admittance of the error, no fear of
unwarranted reprisals and the recognition of the need to rectify the
situation personally and collectively.

Guide Question:

- What are the things that you would change if you could to help you
do your job even more safely than you do now and to make this a
safer plant?
Note: The individual should be able to relate the importance of his/her
job in the context of the safety of the plant as a whole. Each response
will have to be evaluated according to the influence it has on the safety
situation. The degree of importance will depend on the amount of
inhibition it exerts on the individuals' or group's performance. Examples
of suggestions on safety improvement initiated by the individual or group
may be stated; however, the results should be explored to determine the
reaction and attitude of management to these responses.

Key Indicators:

Positive actions for implementation.
Suggestions on safety improvements accepted by management.
A feeling of being a worthwhile and valued employee.
Willingness to admit mistakes.

Q3 (CMI)

Basic INSAG Qs: Can staff clearly enunciate their own responsibilities? Can they cite the
documents that define them?
Guide Question:

- What are your responsibilities and in particular what are they with
respect to safety?

Note: The understanding and acceptance of an individual's assigned
responsibilities is an essential part of a sound safety culture. For more
senior individuals the question could be expanded to see what is known
of immediate colleagues' responsibilities and how they are
complemented. The individual ought to be able to quickly refer to a
written statement of his responsibilities.
Key Indicators:

The individual ought to be able to state his/her responsibilities if there
is a good safety culture. In particular he or she ought to be clear about
what he or she may decide, may do and may advise on. Staff ought to
have an appreciation of the safety significance of their tasks and accept
that they are responsible for safety in their area.

Q4 (MI)
Basic INSAG Q:

Can operating and maintenance personnel list any recent violations of
operating limits of the plant, describe the way they happened and state
what has been done to prevent repetition?

Guide Questions:

- How often has the plant been operated outside the safety limits?
- Who is responsible for analysing and reporting on violations of safety
limits?
- Have you ever been involved in reviews of safety violations?
- Does your experience include an unforeseen event at the plant?
- Where were you at the time and what did you do?
- What was the outcome? Was it discussed later?
- How did you react at the time? Although you have not had such an
event yet, how do you think you would react?
Note: Reaction to unforeseen events is extremely difficult to assess prior
to an event. However, the reinforcement of procedural methods of
rectification and a clear understanding of the channels of communication
to be followed for unforeseen events will be necessary. Individuals must
be trained to alert supervisors and management to such events while also
taking actions to ensure plant safety. Experiences should be reviewed
regularly to ensure lessons are learned, the necessary corrective
measures identified and timely implementation pursued. The
thoroughness of reviews and the strength of corrective responses are
important safety culture indicators. The results of safety analyses,
including probabilistic safety analysis, should be consulted regularly to
support decisions as specific issues arise, as well as to provide staff with
the insight into the important safety features of plant design and
operation.

Key Indicators:

Confidence in an individual's ability to cope with any event in a safe and
controlled manner can be demonstrated by posing hypothetical situations.
Staff who respond confidently and without hesitation are usually sure of
the channels of communication to use despite not knowing what the
specific event may require to control it. Operators should exhibit
qualities of analytical behaviour to all events and be clear on the routes
of notification and sources of technical expertise to allay any safety
concerns.

Q5 (MI)
Basic INSAG Q:

Are laid down procedures followed strictly even when quicker methods
are available?

Guide Questions:

- Do the procedures frustrate the workers when production pressure is
applied? What would happen to a worker who ignored the procedures?
- How are modifications, special tests and defeat of interlocks
controlled? How strict is management on adherence to procedures?
Note: The strict control of these matters is considered important because
they are non-routine activities which can have a major effect on safety.
The seriousness of the control of these activities is a good indicator of
the safety consciousness of the plant management. Deviation from
procedures should not be tolerated and ambivalence towards procedures
shows poor safety culture.

Key Indicators:

- Procedures exist for all safety significant activities.
- Procedures should not be regarded as overburdening or without regard
for skills.
- There should be no unpermitted deviations from procedures.
- Modification and interlock defeat procedures which require
authorization at a level consistent with safety significance.

Q6 (RMI)
Basic INSAG Q:

How attentive are staff to the completeness and accuracy of records, logbooks and other documentation?

Guide Questions:

- Are there regular checks that records, logs and other documentation
are complete?
- How easy is it to retrieve records?

Key Indicators:

- Full awareness of importance of completeness and accuracy of
documentation.
- Regular checks on this by supervisors.

Q7 (MI)
Basic INSAG Qs: What steps would staff take if they observed actions that might reduce
safety margins? What attitude do individuals take towards their own
mistakes that might prejudice safety?
Guide Questions:

- How would you react if you observed that safety margins were being
or could be reduced?
- What exceptions would be considered acceptable?
- Do you inform your superior of all actions you took outside the
procedure, even if it was a positive action?

Key Indicators:

- Evidence of a self-analytical approach to activities. Documented
policy on open reporting and responsibility for mistakes. Feedback
from staff on personal experiences in error reporting.
- Self-analysis approach evident.
- Stated policy and open route for reporting and rectification of errors.
- Questioning, rigorous approach to safety.
- Citing admissions of error.

Q8 (MI)
Basic INSAG Q:

What would an operator, instructor or a member of the maintenance
staff do if in following a written procedure he came upon a step that he
thought was a mistake?

Guide Questions:

- How often have you found a mistake in a procedure? What did you
do about it?
- How much confidence is placed in procedural accuracy and the
relevance of procedure content?

Key Indicators:

Recorded evidence of procedure modification from staff input.
Documented policy on procedural error reporting actions.
Regular procedural reviews of safety related documents.
Walk-downs and validation exercises by staff of safety procedures.

Q9 (MI)
Basic INSAG Qs: Do staff use the mechanisms for reporting on safety shortcomings and
suggesting improvements? Is the mechanism used to report individuals'
errors? Is it used even when no detrimental effect is apparent? Do staff
respond satisfactorily to the investigation of safety problems assisting
effectively in seeking the causes and implementing improvements? Do
co-workers look favourably on those who exhibit a good safety attitude
by actions such as attention to housekeeping, completeness of entries in
log-books and adherence to procedures?

Guide Questions:

- What effect would a safety error have on a worker's position in the
plant?
- Do you consider your reporting of safety concerns or improvement
proposals will be given proper attention by management?

Key Indicators:

Reports of staff inputs on safety shortcomings.
Existence of worker safety committees.
Techniques for systematic self-assessment.
Rewards and awards programme established.
Healthy attitude to safety reporting.

Q10 (RMI)
Basic INSAG Q:

Do control room staff show a watchful and alert attitude at all times?

Guide Questions:

- During steady state operation, is there some systematic plant walk
down or written assessments that shift staff undertake to keep them
alert?

Key Indicators:

- Recognition that boredom is a problem for shift staff during steady
state operation.
- Measures to counter boredom.

Q11 (RMI)
Basic INSAG Qs:

Do staff make maximum use of training opportunities? Do they adopt a
responsible approach, complete necessary preparatory work and
participate actively in discussions?

Guide Questions:

- How much benefit do you think is derived from training? Is it
worthwhile?
- What don't you like about training sessions?
- How dedicated are the staff to training preparation and self-study?

Key Indicators:

Training results show a consistent positive trend and high pass rate.
Interactive training climate evident.
Suggestions for training needs generated by staff.
Staff participating as instructors in courses.
Low absentee rate during training sessions.

Q12 (RCMI)
Basic INSAG Qs:

Do staff communicate their experience effectively to other individuals
and groups? What examples are there?

Guide Questions:

- Are there any influences external to the plant which tend to impede
good communication amongst staff?
- How often do staff meet to discuss experiences and safety
improvements?
Note: At most nuclear plants, as with any large industrial enterprise,
there may be a mix of cultural, national, linguistic or religious groups
amongst the staff. These differences need not adversely affect
communication and hence safety culture, provided they are recognized
and sensitively dealt with to avoid difficulties and promote good
communication. Involvement of staff in safety programmes and reviews
aids interaction and communication.
Key Indicators:

- Awareness of issues and positive steps to ensure good and effective
communication.
- A single language used for all technical communications on site.
- Published papers by staff on safety initiatives.
- Positive feedback from staff on freedom of communication and
effective interaction between workers.
- Regular staff meetings and social interaction.
- Participation by staff in regular safety reviews.

Q13 (RCMI)
Basic INSAG Qs: What is the attitude of staff to safety reviews and audits affecting their
area of work? How responsive are they to improvements sought as a
result? Do staff participate in peer reviews of safety activities aimed at reducing
human errors?
Guide Questions:

- Do those being audited consider that the auditors are technically
competent?
- Do managers show support for the audit to their staff? Do they
explain the need for audits and do they make their own time available
for briefings with the auditors?
- Is the audit report communicated to the relevant staff, particularly
those who actively participated?
- Are the audit results communicated to the relevant staff, particularly
those who actively participated?
- Are corrective actions actively debated and once accepted cleared?
- Do auditors praise good practice and pass on praise?

Key Indicators:

- Existence of audit programme.
- Staff look upon reviews and audits as an opportunity rather than a
burden.
- Debate by staff of audit findings.
- Acceptance and implementation of changes resulting from audits and
reviews.
- Audits well regarded.

3.3. RESEARCH ORGANIZATIONS

3.3.1. Research input to safety analyses

Supporting organizations, which include those responsible for design, manufacture,
construction and research, influence greatly the safety of nuclear plants. Their primary
responsibility is for the quality of the product, whether this is a design, safety report,
software development or any other output important to safety. The basis for safety culture
in such an organization is the directive establishing policy and practices to achieve the desired
quality, and thereby to meet the safety objectives of the future operator or user.
Research organizations have a particular problem to overcome, that of remoteness from
the everyday operation of the plant. Many research bodies may only work on nuclear
applications from time to time and their staff may not be totally up to date on the application
and operational limitations of equipment and systems. Plant confidence in the integrity and
accuracy of research results is vital in underpinning safety culture. The questions in this
section seek to establish the degree of support and confidence the plant and regulator may
expect and receive from research bodies.

Questions and indicators may have to be adjusted by team members to suit the type and
format of the relevant organizations. Throughout, the emphasis should be on the research
input to safety analyses for both the plant and the regulatory body. Any stand-alone
assessment of research organizations must take into account the interfaces with the users and
sponsors. Therefore, the specific guideline questions should be reviewed and adapted for
application to a research or supporting body.

Q1 (S)
Basic INSAG Qs: Do researchers ensure that they understand how the results of their work
will be used in safety analyses? Are they familiar with how their data
are used in interpolating or extrapolating for ranges of parameters
different from those in their experiments? Do researchers identify the
shortcomings and limitations of their results?
Guide Questions:

- In which areas of research is your organization currently involved?
- To what extent do the researchers interact with the plant and the
regulatory body during project work?
- What systems do you have in place to keep research staff up to date
on plant and safety applications?
- How often do research staff visit the plant?

Key Indicators:

Regular interaction between plant, regulator and researchers;
Regular plant visits;
Established systems for recruitment of qualified, experienced staff;
Ongoing training programmes to upgrade research knowledge with
practical experience.

Q2 (S)

Basic INSAG Qs: Do they keep abreast of safety analyses to permit them to identify any
misuse of their work? Do they report any potential misuse or
misinterpretation?
Guide Questions:

- What system do you have for the validation and assurance of research
results?
- How are the limitations of results specified and recorded?
- Are you consulted by plant designers, utility or the regulatory body
when extrapolation of your results is needed?
- What method of quality assurance do you employ to assure the
standards of computer modelling?

Key Indicators:

Established and accepted system for validation of results;
Documented evidence of research staff checks on safety analyses;
Open exchange when extrapolation of results is needed;
Recognized QA requirements in place for computer models.

Q3 (S)
Basic INSAG Qs: On any particular topic, is it clear which group or individual is
responsible for monitoring new material or international data? What
personal contacts have been developed to keep abreast of new data? Is
there a mechanism for reporting new information that may invalidate
previous safety analyses? What is the appeal route if the first level of
notification is ineffective? How often are these mechanisms used?

Guide Questions:

- What type of research contracts are undertaken at present, long or
short term?
- How is the allocation of research work handled?
- What can a researcher do if he/she discovers that new data invalidates
previously agreed work for the plant?
Key Indicators:

Clear allocation and recognition of work.
Organized monitoring system for new data.
International links.
Exchange programme for research workers.
Established system for appeals and data rectification.

Q4 (S)
Basic INSAG Q:

Is there a mechanism for ensuring that the relevant research to solve
design and operational safety problems is pursued and carried out in a
timely fashion?

Guide Questions:

- What system do you use to control the planning and prioritization of
research contracts?
- Who has the final word on priorities?
- Who is consulted on scheduling work?
- Are staff aware of the reasons for decisions taken at planning and
priority allocation meetings?

Key Indicators:

- Established system for work allocation and prioritization;
- Consultation with plant staff/regulator on the requirements;
- Positive feedback on decision making and deadlines.

Q5 (RS)
Basic INSAG Qs: How promptly are the results of research fed into the design and
regulatory process? Is there a policy for regular publication of research
results in journals that insists on peer reviews?
Guide Questions:

- How well is the research documented?
- How many publications on research results does the organization
contribute to?
- Are there multilateral research projects in place at present? What are
they?
- What system do you have to ensure peer review of research results?
- What is the relationship between the researchers and the regulators
and utility?
- How are research results communicated from you to the plant or
regulator?
- What do researchers understand by the term safety culture?

Key Indicators:

Well developed international co-operation programme.
Established system for publication and dissemination of research
work.
Appreciation at all levels of safety culture concepts.
Positive feedback from regulator and utility on researchers.

3.4. DESIGN ORGANIZATIONS


The design organizations supporting the plant and the regulator influence the safety of
nuclear operations and maintenance. Plant perceptions may differ on the performance of
design organizations; however, their effect on plant safety culture may be significant
dependent upon their involvement at plant level. The extent of questioning and enquiry will
depend largely on the scope of design team work for the utility. It may be necessary to
revisit the supporting organizations if plant or regulator responses indicate areas of
misunderstanding or problems attributable to research or design. Safety culture within the
design organization may require assessment as an individual review; however, the pattern of
questions and key indicators is basically similar to the other areas of plant and supporting
bodies.

3.4.1. Codes for safety aspects of design

Q1 (S)
Basic INSAG Qs: What processes exist for verification and validation of computer
modelling codes? Do these involve the relevant researchers? Are the
safety design codes verified and validated for the specific circumstances?
Are the limitations of codes taken into account explicitly in the design
review process? What is the formal mechanism for reporting the matter
if it is considered that the previously reported outputs of a computer
model may be invalid? Has there been a need to use this mechanism?
Guide Questions:

- What methods do you use for accreditation of designs?
- How available are the codes?
- Have you ever experienced a computer code becoming invalid? What
actions were taken?

Key Indicators:

- A recognized accreditation system for designs.
- Accessible and up to date codes.
- Independent review mechanisms for validation and assurance.
- Prompt and wide information in the event of discovery of deficiencies
and limitations in computer codes.
- Information network for equivalent external information and prompt
internal actions.

Q2 (S)
Basic INSAG Qs: In which international standard problem exercises have analysts
participated to test national computer modelling codes? What efforts
have been made on a bilateral or multilateral basis to compare work with
that of experts in another country?

Guide Questions:

- How do you make international comparisons?
- To what international exchange programmes do you contribute?

Key Indicators:

- National to international comparisons on a regular basis and
documented system of validation and feedback to ongoing projects.
- Favourable response from staff.

3.4.2. Design review process

Ql (RS)
Basic INSAG Qs: In which areas has outside expertise been used to supplement in-house
capability? How was the competence of the outside experts established?
Guide Questions:

- Is the list of needed expertise established for each safety related
activity?
- Are you allowed to seek the assistance of external experts to
supplement in-house capability?
- How do you establish the competence of outside experts?

Key Indicators:

- Systematic assessment of needed expertise for each activity.
- Opportunities for seeking external experts when necessary.
- Established process for selection of external experts.

Q2 (S)

Basic INSAG Q:

Where are the functions and responsibilities of design review teams
described?

Guide Questions:

- Are there provisions for using operating experience during design
reviews in order to check the incorporation of lessons learned from, for
instance, equipment deficiencies, difficulties in material testing or
maintenance difficulties due to layout?

Key Indicators:

- Documented job descriptions.
- Staff familiarity with duties and scope of responsibility.
- Policy statement accepted on design review teams.

Q3 (RS)

Basic INSAG Qs: Has the design review process been audited by internal Quality
Assurance auditors? By the regulatory agency? By a peer group of
national or international members?
Key Indicators:

Regular, documented audit reports and close-out of findings.
Full participation of all levels of review.
Conformity with accepted standards.
Independent evaluation of the process.

Appendix I
CONTENTS OF AN ASCOT REVIEW REPORT

The Introduction should include the background, scope and objectives of the review and
set out the approach, methodology and practical application of ASCOT to the particular
situation.
The headings should include details of findings, recommendations and suggestions for
improvements, if applicable and good practices. All recommendations/suggestions and good
practices should be uniquely numbered to facilitate identification.
EXECUTIVE SUMMARY
1. INTRODUCTION
2. GOVERNMENT AND ITS ORGANIZATIONS
3. OPERATING ORGANIZATION
3.1. Corporate level
3.1.1. Corporate level safety policy
3.1.2. Safety practices at corporate level
3.2. Plant level
3.2.1. Management
to include the following topics:
- selection of managers
- attitudes of managers
- field supervision by managers
- relations between plant management and regulators
3.2.2. Plant safety experience
to include the following topics:
- highlighting safety
- review of safety performance
3.2.3. Individual responses
to include the following topics:
- attitudes of individuals
- workload
3.2.4. Working environment
to include the following topics:
- local practices
- training
- definition of responsibility
4. RESEARCH ORGANIZATIONS
5. DESIGN ORGANIZATIONS
5.1. Codes for safety aspects of design
5.2. Design review process
6. OTHER ORGANIZATIONS
7. GOOD PRACTICES
8. GENERAL CONCLUSIONS OF THE ASCOT REVIEW
ANNEX 1. PARTICIPANTS IN THE ASCOT REVIEW
ANNEX 2. ACKNOWLEDGEMENTS
ANNEX 3. SCHEDULE OF ACTIVITIES

Appendix II
ASCOT ADVISORY SERVICE

(Standard syllabus for the ASCOT Seminar)


The principal objective of the ASCOT Advisory Service is the transfer of the ASCOT
methods to the host country. This transfer would be accomplished at the host country's site
in the form of a seminar.
Venue: Host country
Duration: 2-2½ days
Participation: 10-30 participants from regulatory body and/or utility
Lecturers: 2 (IAEA and/or outside consultants)

Objectives
Today it is widely recognized that sound safety culture is one of the most important
contributors to the safe operation of NPPs. In order to promote the safety culture concepts
and its importance, the IAEA has developed the ASCOT seminar. Participants from the
regulatory body, operating organization and supporting institutions are expected to attend the
seminar. The purpose of the seminar is:
- to present internationally recognized indicators of an effective safety culture,
- to demonstrate the basic approach and principles of ASCOT, i.e. the methodology for the
assessment of safety culture,
- to give examples of good and bad practices from different NPPs in the world in order
to illustrate, with practical examples obtained from incident analysis and previous ASCOT
reviews/seminars, the impact of safety culture on nuclear safety,
- to gather, through discussion among the participants, feedback on national
practice for further dissemination.
The seminar lasts 2-2½ days and takes the form of a workshop, at which the
objectives are reached through a series of lectures, discussions and exercises.

Seminar schedule
1. Lecture/discussion: Concept of safety culture (approx. 1 h)
It is essential that the participants obtain at the outset a thorough understanding of the
concept of safety culture. More specifically, the participants should understand the definition
and universal features of safety culture. They should also understand that although safety
culture is intangible, its presence has tangible manifestations. Finally, the participants should
understand some of the broad characteristics of an effective safety culture and learn to
appreciate the long term usefulness of this concept.

The lecture will be presented by the ASCOT representative and will cover the concept
of safety culture as presented in 75-INSAG-4. The ASCOT representative will cover each
section of 75-INSAG-4 with special emphasis on the definition and characteristics of safety
culture (Section 2), the tangible evidence of safety culture (Section 4) and the universal
features of an effective safety culture (Section 3). The ASCOT representative will augment
the information in 75-INSAG-4 with illustrative examples based on experience from other
ASCOT reviews/seminars. Safety culture indicators (discussed in the Appendix of
75-INSAG-4) will not be discussed in detail at this time but will be covered later as part of
the lecture/discussion on the ASCOT Guidelines (Item 4).
2. Lecture/discussion: Examples of good safety culture practice (approx. 2 h)
Once the participants have obtained an understanding of the concept of safety culture,
it is essential that they develop an appreciation for what is generally considered good safety
culture practice. That is, the participants should be exposed to examples of especially
effective safety culture.
Discussion will follow and will be led by the ASCOT representative. To encourage the
participants to think in terms of sound safety culture, the ASCOT representative will invite
participants to give examples of what they consider to be an effective safety culture in their
own organization. This lecture/discussion will be supplemented by selected video
presentations on related subjects.
Within this framework a national presentation on the country's (organization's)
perspective on safety culture, given by a senior representative, is encouraged.

3. Workshop 1: Creation of safety culture framework (approx. 3 h)

Safety culture has two basic components: the framework within which individuals work
and from which they benefit, and the attitude and response of individuals. This Seminar
involves two workshops: the first addresses the framework created within the country, and
the second its effectiveness and the response of individuals, i.e. individual attitudes.
During the workshop, participants will be divided into smaller working groups. Each
group will be given the task of creating an ideal framework for sound safety culture:
defining safety bodies and committees, levels (regulatory, corporate, plant), responsibilities,
resources, etc. The workshop will conclude by comparing the frameworks created by the
different working groups with each other and with an existing structure.

4. Lecture/discussion: Assessment of safety culture (approx. 1 h)

The lecture will be given by the ASCOT representative and will cover the general
approach to the assessment of safety culture as presented in the ASCOT Guidelines.

5. Lecture/discussion: Examples of safety culture issues revealed through incident
investigation (approx. 2 h)

As an introduction to Workshop 2, incidents will be presented where their investigation
revealed issues pertaining to safety culture. By applying the ASCOT Guidelines to the event
analysis, an improved and more specific identification of these issues can be obtained.

6. Workshop 2: Incident evaluation by applying the ASCOT Guidelines (approx. 3 h)

The second workshop is oriented towards identification of issues related to
individual attitudes, motivation, morale and other less tangible aspects of safety culture.
Participants will again be divided into smaller groups. To initiate the discussion, each group
will be given the task of evaluating different events by using the ASCOT Guidelines, i.e. trying
to determine which ASCOT areas or questions are relevant to the event's occurrence and
progression. Corrective measures will be assessed at the end in order to determine whether the
identified safety culture issues have been properly addressed. Each group will report its
findings in a plenary session, followed by a discussion in which participants will be expected to
express their views on individual commitment to safety culture.

7. Invited lectures related to the subject of the Seminar (optional 1/2 day)
Special lectures on selected subjects, which might be of interest to the host country can
be arranged. Examples of such lectures, which all should relate to safety culture, are: Basic
Safety Principles, OSART and ASSET highlights, Safety of East European and CIS reactors,
International Nuclear Event Scale, Maintenance and Outage Planning Good Practice, etc.


CONTRIBUTORS TO DRAFTING AND REVIEW

Aro, I.       Finnish Centre for Radiation and Nuclear Safety (STUK), Finland
Dusic, M.     International Atomic Energy Agency (Scientific Secretary)
Hall, A.C.    Operations Assurance, Council for Nuclear Safety, South Africa
Homke, P.     Gesellschaft für Reaktorsicherheit mbH, Germany
Libmann, J.   Institut de protection et de sûreté nucléaire, Fontenay-aux-Roses, France
Mavko, B.     Reactor Engineering Division, Institut "Josef Stefan", Slovenia
Orvis, D.     Accident Prevention Group, United States of America
Reig, J.R.    Consejo de Seguridad Nuclear, Spain
Root, W.C.    Wylfa Nuclear Power Station, Nuclear Electric plc, United Kingdom
Thomas, C.    Office of Nuclear Reactor Regulation, Nuclear Regulatory Commission,
              United States of America

Consultants Meetings
Vienna, Austria: 15-19 July 1991, 16-March 1992, 15-19 June 1992

A guide to selecting appropriate tools to improve


HSE culture
Report No. 435
March 2010

International Association of Oil & Gas Producers

Publications

Global experience
The International Association of Oil & Gas Producers has access to a wealth of technical
knowledge and experience with its members operating around the world in many different
terrains. We collate and distil this valuable knowledge for the industry to use as guidelines
for good practice by individual members.

Consistent high quality database and guidelines


Our overall aim is to ensure a consistent approach to training, management and best practice
throughout the world. The oil and gas exploration and production industry recognises the need to
develop consistent databases and records in certain fields. OGP's members are encouraged to use the
guidelines as a starting point for their operations or to supplement their own policies and
regulations which may apply locally.

Internationally recognised source of industry information


Many of our guidelines have been recognised and used by international authorities and
safety and environmental bodies. Requests come from governments and non-government
organisations around the world as well as from non-member companies.

Disclaimer
Whilst every effort has been made to ensure the accuracy of the information contained in this publication,
neither the OGP nor any of its members past, present or future warrants its accuracy or will, regardless
of its or their negligence, assume liability for any foreseeable or unforeseeable use made thereof, which
liability is hereby excluded. Consequently, such use is at the recipient's own risk on the basis that any use
by the recipient constitutes agreement to the terms of this disclaimer. The recipient is obliged to inform
any subsequent recipient of such terms.
This document may provide guidance supplemental to the requirements of local legislation. Nothing
herein, however, is intended to replace, amend, supersede or otherwise depart from such requirements. In
the event of any conflict or contradiction between the provisions of this document and local legislation,
applicable laws shall prevail.

Copyright notice
The contents of these pages are © The International Association of Oil and Gas Producers. Permission
is given to reproduce this report in whole or in part provided that (i) the copyright of OGP and (ii)
the source are acknowledged. All other rights are reserved. Any other use requires the prior written
permission of the OGP.
These Terms and Conditions shall be governed by and construed in accordance with the laws of England and
Wales. Disputes arising herefrom shall be exclusively subject to the jurisdiction of the courts of
England and Wales.


Acknowledgements
This report was prepared by the OGP Human Factors Task Force with contribution from Prof. Patrick Hudson of Leiden
University.


Management summary
This document provides information about tools which can be used to improve Health, Safety &
Environmental (HSE) performance. It identifies circumstances where certain tools are unlikely to
be effective and may even be counter-productive within a given HSE culture. The identified tools
have been analysed relative to the organisational HSE cultures described in the OGP HSE culture
ladder (Figure 1). The HSE tools most applicable for an organisation at a particular cultural level are
identified and evaluated.
Culture can be simply defined as the attitudes, values and beliefs that underpin "the way we do
things here". A positive HSE culture is largely sustained by the trust, credibility and behaviour of senior
leaders. Trust is extremely fragile; once lost it can be hard to recover.
Achieving and sustaining a positive HSE culture is not a discrete event, but a journey. Organisations
should never let their guard down. Healthy safety cultures result in high reliability organisations,
which are characterised by their chronic sense of unease. Organisations must ensure that senior
management are committed to a journey of continuous improvement.


Background to the use of HSE tools


There is a wide range of HSE tools, some function at the broadest organisational level and some
target individual activities. Many managers and supervisors simply use the tools they are familiar
with, missing potential opportunities for improving performance. In other cases, groups may try
every new tool they encounter to give the impression of active engagement in HSE improvement,
searching for a quick fix.
As used in this document, the term tool describes a considerable range of processes and commercial products. A company-wide computer system for collecting and disseminating HSE and
operations data is a tool; a one-person process to stop and reflect before taking an action is also
considered to be a tool.
An HSE tool is judged to be appropriate for the level of organisational culture when it meets these
criteria:
It is likely to be accepted and actively used;
Its use serves a required purpose; and
It should improve HSE performance.
A tool, no matter how good it is, will not give the desired improvement unless an organisation is
ready for it. Understanding your HSE culture is critical in determining which HSE tools are most
appropriate for your organisation. The HSE culture ladder (Figure 1) describes five levels of HSE
culture.

[Figure 1: HSE culture ladder]

Pathological organisations believe that individuals, typically at lower levels, cause accidents. They
implement only what is mandatory, including required checks and audits. Most HSE tools are
ineffective at this level, as HSE is considered an obstacle to operations. Pathological organisations
respond to clear regulatory requirements, if enforced, and implement HSE programs only as needed to
avoid prosecution. As individuals are generally blamed for incidents, tools dealing with management
system issues are unlikely to be adopted.
Reactive organisations consider HSE important but believe that most problems lie within the lower
levels of the workforce. Organisational and individual HSE management skills are at a basic level,
suggesting that HSE tools should also be simple. Tools appropriate at this level are those that
address problems obvious to both management and the workforce. Tools that relate to issues that have
not yet caused actual accidents are difficult to justify. Reactive organisations value those tools
that bear a clear relationship to a visible issue. For example, if failure to use seatbelts is
identified as a contributor to vehicle-related injuries, then a campaign to increase seatbelt use is
seen as an appropriate response. It would likely not address other unsafe road behaviours like
speeding that may also contribute to vehicle incidents.
Calculative organisations believe in the value of systems in managing HSE performance and use a
large number of tools and training. The focus is usually on metrics of tool use rather than on
effectiveness, i.e. the number of people trained rather than an assessment of their competence. HSE
professionals are seen as the drivers for the use of HSE tools and are primarily responsible for HSE
performance. In calculative organisations HSE tools need to be justified based on current
performance to address a specific issue associated with incidents and related risks, e.g. a driving
and vehicle safety campaign in response to vehicle-related injuries.
Proactive organisations consider HSE a fundamental (core) value and leaders at all levels genuinely care for the health and well-being of the staff and contractors. Such organisations understand
the role of management system failures as primary causes of incidents. Information, including data
related to potential consequences (near misses) as well as actual incidents, is used to identify suitable
performance targets. Tools that simplify work processes and support line management as well as the
workforce are used. Continuous improvement is a clear goal of proactive organisations.
Generative organisations have a high degree of self-sufficiency and strive to understand their entire
operating environment. Tools that are chosen and used by the whole organisation are preferred.
Mandatory tools may be counter-productive, suggesting lack of trust. Everyone feels free to highlight both real and potential issues. Workers feel empowered to resolve HSE issues, and leaders provide the support needed.

HSE tools guide


As companies develop more advanced HSE cultures they should consider updating or changing the HSE tools they use. However, HSE culture may not be the same across all the parts
of a large organisation. Companies need to take care when establishing company-wide initiatives. In general, such broad requirements should be used only as needed to communicate
minimum acceptable standards. Tools and indicators appropriate for the culture of the
specific business unit should be selected.
Tools for improving HSE performance and the HSE culture levels for which each tool
is applicable are shown in Table 1. The arrows in the table for each tool indicate the
HSE culture levels at which these tools may be expected to be effective and accepted.
Specific tools within the different tool types may be more applicable at particular culture
levels. Following the table is a description of each HSE tool type and discussion of potential
benefits and/or limitations. Readers are encouraged to fully investigate HSE tools prior to
implementation and select tools that are appropriate for their HSE culture.

Table 1 HSE tool types and HSE culture levels

(The original table carries five further columns, Pathological, Reactive, Calculative, Proactive and
Generative, in which arrows mark the culture levels at which each tool is expected to be effective;
those arrow markings are not reproduced here.)

     Tool type                                 Description
  1  Reporting and recording HSE               Mandatory reporting
     information (incidents & near misses)     Anonymous reporting
                                               Confidential reporting
                                               Open (non-confidential) reporting
  2  Incident investigation and analysis       Incident investigation (mandatory)
                                               Root cause analysis
                                               Proactive analysis
  3  Auditing                                  Professional audits
                                               Benchmarking
                                               Management system audits
                                               Management site visits
                                               Peer assists
  4  Human factors in design                   HF design standards (mandatory)
                                               HF design standards (voluntary)
                                               HF design analysis
                                               Operator design review
                                               HF design validation
  5  Work practices and procedures             Mandatory standards
                                               Decision-based practices
  6  HSE risk management                       Process risk management
                                               JSA led by supervisor
                                               JSA led by workers
                                               PTRA by individual
                                               Change management (MOC)
  7  HSE management systems                    Industry systems (ISO, OHSAS, etc.)
                                               Company systems
  8  HSE training and competence               Workforce HSE training
                                               Supervisory HSE training
                                               Manager HSE training
                                               Executive HSE training
  9  HSE appraisals                            Performance appraisals
                                               HSE leadership assessments
                                               360-degree appraisals
                                               Upwards appraisals
 10  Situation awareness                       Supervisor-led task discussions
                                               Self-led task evaluations
 11  Questionnaires and surveys                HSE climate survey
                                               HSE culture diagnostic
                                               Personnel and attitude surveys
                                               Personality and team function tests
 12  Observation/intervention                  Observation by supervisor
                                               Observation by peer
                                               Intervention of at-risk actions
                                               Reinforcement of positive actions
                                               Results shared beyond participants
 13  Incentive schemes                         Performance (lagging) recognition
                                               Behaviour (leading) recognition
 14  HSE communications                        Toolbox talks
                                               HSE meetings
                                               HSE alerts
                                               HSE newsletters
                                               Handover information
 15  Other HSE tools                           Issue-specific HSE tools

1 Reporting and recording HSE information

HSE reporting systems capture incident and near miss information. HSE reporting may be
mandatory, voluntary, anonymous, confidential, or public (non-confidential). Most reporting
systems include a combination of several elements, as reporting of HSE incidents is
generally highly regulated.
Reporting and recordkeeping systems are built on two basic components:
1. a process for initially reporting an event, situation, or condition; and
2. a system for handling the reported information.
HSE recordkeeping systems are generally electronic databases designed to collect data
from HSE incidents, near misses and associated investigations. Recording data in a database
allows statistical analyses to identify the frequency and trends of various types of
incidents. Such systems may also be used to assess the success or failure of improvement
initiatives.
Incident reporting and recordkeeping efforts can be undermined or suppressed
by the following factors:
1. inadequate communication of reporting expectations and criteria;
2. complicated reporting methods and forms;
3. perceived blame or punishment; and
4. lack of follow-up.
Lower culture levels may require a degree of anonymity or confidentiality to encourage reporting,
especially in pathological cultures, where "punishing the messenger" is a common trait of the culture.
Effective HSE reporting is associated with more advanced HSE cultures.
Electronic databases are able to store, organise, and analyse vast amounts of data, but this does not
guarantee the information collected is accurate, complete or even useful. The result may be large
volumes of low value data. Pathological and reactive organisations are likely to value data collection
and analysis only to the extent it is required by law or regulation. Calculative cultures typically
collect significant quantities of data without necessarily understanding which information is valuable
in preventing incidents. Proactive organisations mainly focus on the root causes of why events
(including near misses) occurred, to improve HSE performance.
Most organisations share reported and recorded information with selected users. Proactive and
generative cultures generally share HSE information more openly, subject to regulatory limitations.
Systems are also frequently used to capture and share the status of remedial actions.
Typically, more mature HSE cultures include proactive reporting and analysis of potential problem
areas (near misses, hazards, etc.), before an incident occurs.
Examples of HSE reporting and recordkeeping systems include:

Mandatory incident reporting
All HSE culture levels acknowledge this requirement, based on the legal consequences of
non-compliance. Mandatory reporting systems are generally restricted to major incidents only.
Anonymous incident and near miss reporting
Sometimes used as an initial entry into voluntary reporting in low trust organisations. This tool is
not recommended for long term use as it lacks accountability, and the information is often of poor
quality, leaving more questions than answers. In low trust organisations, people can easily misuse the
system. In general, confidential reporting (see below) is more effective in providing useful
information.


Confidential incident and near miss reporting


This makes the name of the reporter known only to a nominated person who is trusted and capable
of investigating the report and sharing the relevant information. These systems typically exist within
organisations with relatively low trust.
Open (non-confidential) incident and near miss reporting
This relies on a no-blame culture for reporters, and on the belief by both management and workers that
the information generated will be used to drive improvement. This type of system works best in
proactive and generative cultures. Near miss reporting is often used in calculative cultures to mature
to the next level. If misused or misunderstood, near miss reporting may generate overwhelming
amounts of data, which could obscure the desired outcome.

2 Incident investigation and analysis


Learning from incidents and near misses is fundamental to an effective HSE system. Understanding what happened (incident investigation) and why it happened (incident analysis)
allows the organisation to identify and implement steps that will help to prevent future
occurrences of similar events. Ideal investigation and analysis tools identify individual and management system failures and both immediate and underlying
causes. There is a strong link between investigation and analysis. For example,
analysis of investigation data often generates additional questions requiring
further investigation.

Incident investigation
The aim of incident investigation is to gather data to determine the immediate
causes of an incident and provide information for an analysis process that can uncover
the underlying causes of the incident. Pathological organisations are likely to believe
that individuals caused accidents and not investigate further once an individual has been
found to blame (legal systems, especially in criminal law cases, often support this rationale as the evidence at that level is seen as sufficient to prove a case).
Tools for systematic investigation of incidents are essential for the effective management of HSE.
Incidents are clear evidence for the need to improve, so anything learned from an incident should
be relevant for all organisations. Incident response procedures should include the preservation and
collection of potentially relevant information whenever possible. Beyond complying with local legal
requirements, effective incident investigation tools should provide information to the organisation
to ensure appropriate lessons are identified and shared.
Effective incident investigations gather information from all relevant sources, including:
- statements from individuals involved or who witnessed the event;
- materials that may be subjected to forensic examination;
- documents, records, computer data, tachographs, etc.; and
- photographs or video recordings.
From these sources the investigating team determines a sequence of events and a basic
cause-and-effect relationship between the various factors related to the incident.
There are a number of considerations when choosing an incident investigation tool:
- comprehensiveness;
- training and competence requirements; and
- intended use of the investigation results.

In advanced HSE cultures incident investigation typically involves persons other than HSE professionals. Incident investigation training is required to produce reliable results. Investigation tools
may use predefined checklists for considerations or causes to assist the investigator and provide a
measure of consistency. Such checklists should be used as guidance only as these may miss unique or
other potentially vital information.

Root cause analysis


Incident analysis tools take the information obtained by the investigation process and use this to
identify underlying, systemic causes. The depth of the analysis can vary from superficial factors close
to the immediate causes, through deeper underlying causes and failures. These may include latent
failures (eg a failure in design) and cultural analyses of why an organisation allowed an incident to
happen. Root cause analysis is any basic analysis methodology for uncovering underlying causes; it is
usually based on a predefined list of causal categories.
Organisations with lower level HSE cultures may be less likely to analyse the causes of incidents.
There may be a fear of retribution and an assumption that management may not accept results which
could point to their own actions (or inactions) as significant causes of incidents. Pathological and
even reactive cultures may reject findings as inappropriate or irrelevant. Calculative organisations
typically restrict the use of in-depth analysis techniques to major incidents or to incidents with a
high potential to become severe. Generative and proactive organisations generally apply analysis
techniques to minor incidents and near misses.

Proactive analysis
This is intended to uncover potential underlying causes of future incidents, mainly systemic problems. These techniques are not based on the occurrence of a specific incident, but rather rely on
the belief that the underlying causes of future incidents are already present in the organisation and
can be identified in advance. Pathological or reactive cultures are unlikely to use this technique, as
no incident has occurred to justify taking resources from other priorities. Conversely, generative
organisations might not need this tool, as they would use active and ongoing reporting and resolution of issues. Proactive analysis is best suited to proactive cultures and mature calculative cultures.

3 Auditing
Verifying that HSE processes are in place and functioning properly is an essential part of HSE
management. Auditing typically involves the comparison of actual performance relative to
an accepted standard. In most areas the standard is a documented public requirement or
company expectation. In less developed locations the expectations of the auditor may set
the standard.
Audits can range from a simple walk around a facility looking for obvious discrepancies, to a
systematic review of management systems, documentation, and field practices relative to a published
standard. In lower level HSE cultures, auditing tends to be associated with negative results. At
higher cultural levels, audits may be welcomed by those involved in running an operation to
benchmark their current performance and reveal areas for improvement.

Professional audits (3rd party)


These are the most common tool in lower culture levels. This approach relies on an external expert
auditor to review the site and identify deficiencies from required standards. Pathological and reactive cultures are less likely to train internal auditors and may even shop around for external auditors perceived to be less stringent in their assessments.
Benchmarking
A form of audit where the standard is set by the performance of others. This tool is common with
calculative and higher cultures. More advanced organisations use benchmarking to drive improvements by generating a case for positive change. Generative organisations tend to benchmark themselves against best-in-class organisations.
Management system audits
These are aimed at evaluating the underlying HSE system performance. This tool requires that an
HSE management system is in place, so is best suited to the calculative and higher level cultures.
Calculative cultures may have a tendency to concentrate on the paperwork to prove the existence of
the system. With proactive and generative cultures, these audits would also verify that the system is
actually operating effectively.
Management site visits
These may be used at all levels of culture to verify compliance with company expectations, but the
behaviour of the visiting manager may differ based on the culture. In reactive and pathological
organisations, the focus will be on finding problems and then demonstrating management commitment
through strong and immediate but often superficial responses. At higher culture levels, the visiting
manager will also use the audit as an opportunity to reinforce positive practices and identify
areas where expectations may be raised.
Peer assists
These are visits conducted by workforce members from other parts of the organisation to share best
practices. While an audit of performance relative to requirements is a part of the process, the main
result is an open dialogue between peers to improve the performance of both organisations. This
approach is most applicable at the generative culture level, although proactive organisations may use
this tool as they transition to a generative culture.

4 Human factors in design


Weaknesses in the design of the physical and cognitive interface between people and technological systems can be a major contributor to HSE incidents. Well-engineered safety
defences (including the engineering of the human-machine interfaces) are significantly
stronger and more reliable than reliance on safety management systems, procedures or
competent people alone.
Lack of adequate attention during design to the physical, cognitive and socio-technical interface
between people and technology is often a significant contributing factor behind incidents. Many
incidents and near misses can be traced to a lack of attention during design to both the limitations
and capabilities of human operators, as well as to competing demands for their time and effort.
Advanced HSE cultures ensure human factors issues are given appropriate consideration from early
stages in capital projects. By identifying and focusing design effort on critical human activities
throughout development, the chance of human error during operations or maintenance activities can be
greatly reduced.
Human factors design issues can include:
- the selection, placement and layout of equipment;
- both the physical design and layout of controls and displays and the cognitive interface
  between people and technology; and
- the design of organisations, work practices, and procedures.
Proactive and generative cultures give adequate attention, using competent personnel, to integrating
human factors issues into design wherever people perform a critical role in overall safety defences.

HF design standards (mandatory)
Some countries mandate compliance with minimum HF technical standards as part of the requirements to be granted a licence to operate (or equivalent) in their territories. A prominent example is
the Norwegian NORSOK workplace standards. Many countries embed specific workplace design
requirements for plant layout, access, escape routes, etc within statutory legislation.
HF design standards (voluntary)
Many companies ensure appropriate HF technical standards and specifications are applied to the
procurement, design and testing of equipment. Relevant standards are published by international &
national standards bodies and industry organisations as well as individual companies.
In higher culture levels, compliance with technical standards will be supported by focused human
factors design analysis, requirements specification and validation activities.

HF design analysis
HF design analysis ensures human factors requirements are adequately identified and specified as an
input to procurement and detailed design decisions.
Various forms of design analysis can be required depending on the scope, complexity and novelty of
a project, and the demands on human performance to operate and maintain the facility. The type of
analysis involved, and the level of experience and skill needed to perform the analyses, depend on the
nature of the human issues of concern.

Types of analysis typically applied to support oil and gas projects include:
- Analysis of valve placement, to ensure valves are optimally located for ease and speed of access.
- Task analysis, to ensure the requirements of the interface needed for safe, effective and reliable
  human performance are identified and specified in advance of design or procurement. Task analyses
  provide the basis for other, more specific types of analysis, including manual handling
  assessments, workload estimation and development of procedures.
- Human error analysis, where a more detailed assessment of human reliability or of the potential
  for human error is needed.
- HF analysis to support the design of human-machine interfaces to IT systems, particularly
  real-time DCS systems, which can be a particularly specialist activity.

Operator design review


This allows operators to review the design prior to construction and comment on factors that can
affect their ability to effectively operate the facilities. Based on their experience, issues from past
operations can be avoided in new or modified facilities. Operator reviews are common within proactive and generative cultures. Calculative cultures may use operator design reviews as a transition step
to higher culture levels.
HF design validation
A range of techniques are available to validate HF aspects of a design as a project progresses. Validation techniques range from paper reviews, HF input to 3-D model reviews and more formal
anthropometric and biomechanical modelling through to pre-commissioning and construction
walk-throughs. The most common technique is HF involvement in 3-D (eg PDMS) model reviews.
Higher cultures will ensure results of HF design analyses are made available to design validation
activities as a means of focusing on critical human tasks, and ensuring design requirements have
been met. Higher cultures also take proactive steps to ensure HF design intent developed in early
stages of design are not violated by decisions and trade-offs made during construction.

5 Work practices and procedures


Work practices and procedures that consistently guide workers in the safe completion of tasks are an important part of maintaining HSE performance. As used here, work practices provide higher level guidance on the key considerations associated with an activity. Procedures refer to the specific actions or safeguards required in performing a task, creating a standardised instruction within the organisation for performing certain tasks.

Mandatory standards
Typical in lower culture levels and largely focus on areas where
specific problems have arisen, and the resulting guidance leaves no
room for worker decision-making or deviation. Standards are often set
by external requirements (regulatory or industry) and generally address
the minimum acceptable level of performance. At lower culture levels the primary
focus is on what to do, with little discussion of underlying rationale. At higher culture levels, mandatory standards are limited to highly regulated or critical activities, and typically include information to aid in understanding the requirements.

OGP

International Association of Oil & Gas Producers

Decision-based practices
More typical in higher level cultures, where workers are trained and trusted to apply best practices
to address unanticipated situations as well as routine activities. Work guidance at higher culture
levels typically includes information on underlying principles or objectives and the potential consequences of non-compliance. This level of worker independence is usually rejected by lower culture
levels, as workers would not be trusted to make competent decisions.

6 HSE risk management


HSE risk management tools are intended to identify significant HSE risks and help define appropriate control measures. Such tools are inherently proactive and often are a standard part of engineering
activities. In advanced organisations, HSE risk management is addressed several times at successively greater levels of detail throughout the development of a facility and continues through its
operating life. Risks may be managed through either quantitative or qualitative approaches.
Quantitative risk assessment (QRA) assigns a numerical risk value to each risk. The total identified risks are then aggregated to determine an overall risk level for the associated operation. This
approach requires a statistical basis for the probability and consequence of the individual identified
risks.
Qualitative risk assessment looks at the risk of identified operations or activities, without the use of
statistical based numeric values. Tools such as a risk assessment matrix are typically used to evaluate
risks relative to established criteria. Qualitative risks are evaluated individually, rather than being
aggregated. By properly managing each risk, the overall risk level is managed.
Pathological and reactive cultures often struggle with addressing problems that have not yet happened, seeing these efforts as unnecessary or an inefficient use of resources. Where incidents have
occurred, mitigation is likely to take the form of mandatory procedures that prescribe a specific
approach to reduce worker decision-making in the process. Calculative cultures generally use risk
management processes extensively, but can have a tendency to interpret the data to suit their own
purposes and indicate lower risk levels. Proactive and generative organisations are typically open to
involving individuals in the risk management process, once they have demonstrated their competence.

Process risk management


Involves identifying, assessing and mitigating hazards associated with operation of a facility that
could result in harm to people, the environment or to the facility itself. Although process risk management is sometimes treated separately from personal risk management, many of the tools for managing process risk also address issues that protect the individual. Individual risk management tools
(eg slips, trips and falls) will not identify major process failures. Examples of tools include:
HAZOP (Hazard and Operability Study): HAZOP systematically reviews the potential hazards associated with a facility, equipment and/or work processes. Although this process is
most commonly linked to evaluation of equipment technology and function relative to operational criteria, the interaction of the workforce is an integral consideration in the process.
HAZID (Hazard Identification): HAZID systematically identifies conditions that could
harm workers, the environment, or the equipment/facility.

Job safety analysis (JSA)


A tool for a work team to collectively review the main steps of a task, the hazards associated with
each step, and the control measures required. In reactive or calculative cultures, the JSA process is
often directed by the group supervisor. At higher culture levels, the work team members complete
the JSA.


Personal Task Risk Analysis (PTRA)


A tool used by each worker prior to starting a task to evaluate potential risk factors. The worker typically has a checklist for considering various aspects of the task. The results guide the worker to implement the appropriate safeguards. This tool is best used at the calculative level and higher, although
there may be a tendency in calculative organisations to document results, at the expense of making
the tool an integral part of each task.
Change management (MOC)
A key element of most effective risk management systems. MOC methodology includes identifying
the potential consequences of change and mitigating any potential negative effects. Change-related
incidents are often the result of unintended side-effects of efforts to control a different issue. HSE
cultures above reactive generally recognise that changing materials, practices, or guidance, even in
seemingly small ways, can introduce new hazards. The most advanced MOC systems often include
techniques for facilitating change within the organisation, as well as addressing potential hazards
associated with change.

7 HSE management systems


An HSE Management System (HSE-MS) defines how HSE is to be managed and includes the
specific components (programmes, tools, procedures, etc) to identify and manage all relevant
HSE issues. These systems are usually based on Deming's Plan-Do-Check-Act cycle, which is also
the basis for the ISO 9000 series of standards.
Regulations in some countries mandate HSE-MS, although the specific structure of
the systems may vary widely between users. HSE-MS is well-suited to calculative cultures, where well-organized processes are valued. Pathological and
reactive organisations do not recognise the need for HSE-MS except when
these are required by regulations. Proactive organisations have typically
fully implemented HSE-MS and the requirements have become integrated
into normal worker activities. As a result, opportunities to reduce the administrative load
of HSE-MS are often identified. Advanced HSE cultures strive to integrate HSE-MS with broader
operating considerations such as quality and reliability. However, prematurely integrating HSE-MS
with other considerations can weaken HSE-MS effort, requiring effort to rebuild the effectiveness
of the HSE-MS processes.

Industry recognised systems


These are commonly accepted standards and practices for managing HSE issues. Examples include
ISO 9000, ISO 14000, and OHSAS 18000. Industry recognised systems can provide consistency
between organisations, but are often limited to compliance with the standard and the expectations
of the average industry performer, rather than best-in-class.
Company systems
These are company-specific standards and systems for managing HSE issues. Company systems can
be adapted to the unique structure and objectives of the company and may exceed typical industry
requirements. Due to their unique nature, company specific systems may not be well-suited beyond
the originating organisation.


8 HSE training and competence


HSE training is an essential component of HSE management. This document addresses the characteristics of HSE training and competence in general terms, without attempting to identify all of
the specific HSE competencies required. In general, pathological organisations will find it hard to
justify training beyond legally required instruction. Reactive organisations may train to respond to
immediate problems but do not train for the unexpected or unusual until it happens. Calculative
organisations typically value developing HSE competencies among workers, but may develop complex competence programs where the process is more important than the knowledge and experience
gained. Proactive and generative cultures are more likely to utilise the knowledge of their workforce
in on-the-job training rather than using specialised outside trainers.
The scope of HSE training and competence expectations often varies. Lower HSE cultures concentrate on training their workforce and requiring contractors to have similar training. More advanced
cultures recognise the need for HSE competence throughout the supervisory and managerial levels
and training and experience is provided as a part of normal career development.

Workforce HSE training


Typically mandated within process industries and is generally found at all culture levels. This category includes HSE inductions for new workers or for short-term visitors to a site.
Supervisory HSE training
Aimed at front-line supervisors. Specific technical HSE training is supplemented by human factors
and behavioural HSE training in more advanced cultures.
Manager HSE training
Found in more advanced HSE cultures where managers are seen as accountable for leading HSE
performance.
Executive HSE training
Found in the most advanced HSE cultures. At this level, executives and non-operational staff
(finance, HR, etc) are recognised as being in positions to make organisational decisions that could
impact HSE performance. Executives are trained to consider potential HSE impacts in every decision made.


9 HSE appraisals
These tools provide individuals with information
about how others perceive their behaviours and attitudes related to HSE issues compared with established
expectations or with their self-evaluations. They include
traditional performance appraisals, 360-degree appraisals,
peer appraisals, and upwards appraisals.
It is important to remember that HSE appraisal systems are aimed at improving
HSE-relevant behaviours and attitudes, not as an assessment of general work performance. If the
appraisal results are used as a basis for personal consequences (promotion opportunities, salary or
bonuses, disciplinary action, etc) the appraisal tool must be validated for reliability.
At the pathological and reactive culture levels, HSE appraisals leading to personal consequences
may be used to enforce minimum requirements, although pathological organisations are unlikely to
place a high value on HSE skills relative to other measures. HSE appraisals are most useful in calculative and higher cultures. Workers in generative organisations typically seek frequent feedback
from others through appraisal-type systems.

Performance appraisals
should include characteristics of HSE leadership and should focus on activities under the control
of the individual being appraised, rather than on broad organisational indicators. These appraisals
are conducted by the group leader assessing worker performance relative to expectations to help
focus on useful activities and improvement opportunities. HSE leadership is typically one aspect of
a larger performance appraisal process. To the extent that HSE leadership is specifically identified
as an expectation, the performance appraisal process can contribute to long-term HSE performance
improvement, especially in lower culture levels.
HSE leadership assessments
typically describe critical HSE leadership behaviours against which individuals can be assessed.
These can serve to help individuals acquire new skills and improve behaviours by providing examples
that can be practiced and emulated. The descriptions need to be validated if used specifically for
assessments with consequences.
360-degree appraisals
Used to provide an individual with input from peers, subordinates and superiors within the organization. Such appraisals can highlight differences in perceptions or expectations from different
organizational levels. Proactive and Generative organizations are most likely to value the results of
360-degree input.
Upwards appraisal
is used by managers for appraisal input from lower organisational levels. It is often compared with
ones self-assessment to help recalibrate self-perceptions. Where possible, upwards appraisals should
include appraisal by individuals two or more levels removed from the appraised manager to capture
broader organisational perspective.


10 Situation Awareness
One of the frequent findings in incident investigations is
a lack of situation awareness. This is normally used to
describe a loss of understanding of the current situation
or failure to predict future situations by members of
the workforce. The term can also be applied to supervisory and managerial positions. Generalised awareness programs are most appropriate for reactive and
calculative organisations, but situation awareness tools
can help combat complacency, making them appropriate
for proactive and generative organisations. Situation awareness tools typically take one of two forms either small group
discussions of the work situation, or individual evaluations of the work.

Supervisor-led task discussions


such as toolbox talks or Job Safety Analysis (JSA) discussions (see Section 6 HSE risk management) where workers highlight specific questions or concerns regarding an upcoming work activity
and then resolve the issues through collective input. In reactive and calculative cultures the discussions may be led by the group supervisor, while in more advanced cultures the workers are entrusted
with the responsibility to manage the discussion themselves.
Self-led task evaluations
such as Last Minute Risk Assessments, Stepback 5-by-5 and STAR (Stop, Think, Act, Review).
These processes encourage each worker to mentally review and evaluate the potential risks and exposures faced at each step of a task as it is being performed. This tool is very similar to the Personal Task
Risk Assessment (PTRA) (see Section 6 HSE risk management). These tools often use a reminder
card or checklist of common work factors and usually do not require written documentation of the
results. Such tools are well-suited to proactive and generative cultures. Calculative cultures also find
these tools helpful, but struggle with not documenting the findings.

11 Questionnaires and surveys


These tools cover a variety of techniques to gather information on perceptions, attitudes, or understanding about an organisation, its practices, or its demonstrated values. The results can provide
useful information and awareness both to management and the individuals completing the
survey. Results may confirm common understanding, or may uncover differences in perception between groups or individuals. Such tools can help define pathways to improve
performance relative to the stated objectives or expectations. Generally, these tools are
effective with cultural levels above pathological. In lower trust environments a confidential survey is more appropriate, whilst in higher trust environments a culture diagnostic including open discussion of results is appropriate.

HSE climate surveys


measure worker satisfaction against expectations. This tool is useful for reactive to proactive organisations to discover misalignments. These are particularly
common in calculative organisations. Users must remember to focus on the reasons
behind the results, rather than on the data alone. Where other feedback outlets are
not readily available, workers may use climate surveys to express dissatisfaction with
leadership in areas not specifically within the scope of the survey. In high trust environments, HSE climate surveys should be followed by focus group discussions of
what lies behind the data. In generative cultures, there is little need for structured
surveys, as sharing of data and perceptions are commonplace.

HSE culture diagnostics


are intended to uncover the underlying, often unspoken, values, beliefs, and assumptions within
the organisation. This tool can be used at all levels within the organisation, but is particularly useful
within line management. Like climate surveys, culture diagnostics can be used to detect misalignment in perceptions between different levels. Scores in culture diagnostics are sometimes overly
optimistic, as participants often believe organisational best practices are more widespread than is
actually the case. The real value of this technique is creating discussion between leaders related to
the current culture level, the aspired culture level, and necessary next steps. This tool can provide
a basis for change in reactive organisations and higher culture levels. The value of this technique
diminishes as the generative culture level is fully achieved.
Personnel and attitude surveys
are useful as a supplement to the culture diagnostics to uncover the values and beliefs of individuals. Personnel surveys generally cover a wider range of topics outside of HSE. Items such as trust and
respect between workforce and management, known to be correlated with HSE performance, can
be measured using these surveys. These tools are generally applicable for all cultures above pathological. Calculative cultures may over-interpret the data at the expense of acting on obvious issues.
Personality and team function tests
are simple personality tests (eg Myers-Briggs) that can provide people with some insights into
themselves and co-workers. Such tests can increase awareness and respect of individual diversity
within the workforce, but are of limited scientific validity and should be used with care. These tools
require professional support if they are to be used beyond group exercises like team-building.

12 Observation/intervention
Observation of work activities as a tool for improving HSE performance
is well-established. There are, however, a variety of tools for conducting
work activity observations. These range from observation and intervention by supervisors to identify and remedy unsafe acts and conditions,
to more advanced tools where workers reinforce and train one another.
Observation and intervention techniques can vary considerably based
on the HSE culture level of the organisation.
Fundamentally, observations involve an observer recording the
activities of a worker or work team as they perform a task. Actions
are compared to accepted standards and where deviations occur
there is a discussion between the observer and worker(s) identifying the
deviation and suggesting an improved technique. At lower culture levels,
a supervisor is more likely to be the observer, while at higher levels peers are responsible for observing, discussing issues, making improvements, and recognising positive performance.

Observations by supervisor
are used to address obvious breaches of an accepted or regulated standard; direct corrective action
(often a penalty) is supported. Pathological cultures tend not to go looking for trouble, and observations are usually non-existent.
Observation by peer
is conducted by peers and results are usually shared beyond the peers involved. Observations also
include analysis of the causes of observed at-risk actions. Peer observations are usually found in
higher HSE cultures. Workforce acceptance of peer observations can also be influenced by national
or local culture, especially in hierarchical societies.


Interventions in at-risk actions

are used to directly stop unsafe worker behaviours and mitigate workplace hazards. Punishment
for at-risk activities tends to be more tempered, and at the higher end of this range amnesty may be
given to induce openly identifying at-risk behaviours. Deviations are viewed as individual actions
with little effort spent on identifying more systemic causes. Calculative organisations will track the
number of observations submitted as an indicator of proactive HSE, but may not capture the content of the observations. Observations at this level also begin to recognise positive actions.
Reinforcement of positive actions
is typically found in proactive and generative cultures. Observations look for best practices and
activities done safely as well as deficiencies from accepted standards. In higher cultures interventions are conducted to address deficiencies as well as to reinforce positive behaviours. A common
calculative approach is to track the relative number of positive actions and at-risk actions from each
observation. This practice can be counter-productive if management attempts to drive the metric to
100% correct, thereby eliminating the discussion of potential improvements.
Results shared beyond participants
Results from observations are shared with the supervisor and with other workers without fear of
punishment. Results from many observations are collected and analysed for common causes. In
addition to deviations from existing standards, observations at this level identify areas where standards should be upgraded or where accepted practices can be further improved. HSE considerations
may be integrated with other objectives such as quality and reliability when identifying areas for
improvement. Care should be taken not to integrate too quickly the non-HSE considerations, as it
may dilute the focus on HSE improvement. Management at higher cultural levels value the items
identified for discussion and improvement and are more likely to measure the number of implemented suggestions than the number of observations.

13 Incentive schemes
Using incentive schemes to improve HSE performance appeals to management who believe that the
cause of unsafe behaviours is a lack of motivation on the part of the workforce. At more senior levels,
bonuses may be contingent on the organisations HSE performance.
Workforce rewards may be financial or non-financial, such as BBQ cook-outs, thank you letters
from senior management, etc. Financial rewards can quickly become seen as a right, regardless of
performance, so should be used with care. In more advanced HSE cultures workers are rewarded for
activities rather than non-activities (lack of incidents). For example, trying to achieve 1,000,000
man-hours without an incident can result in behaviour that has little relationship to safe work practices, but much to do with accumulating low-risk/low productivity work hours that hasten achievement of the reward.
Incentive programs must consider whether to recognise behaviours (leading) or outcomes (lagging).

Performance (lagging) recognition


Reactive and calculative organisations believe that rewards must be associated with concrete outcomes. When HSE performance is poor, incentives based on reasonable performance improvements
will probably work by directing managerial attention to the problems. Experience suggests that setting stretch targets in lagging HSE performance based solely on the financial benefits to the worker
is not effective. Workers generally feel they have relatively little direct influence on the result so they
prefer to devote their attention to activities where they are more directly rewarded.
Behaviour (leading) recognition
Proactive and generative organisations accept rewarding desirable behaviours that will result in
better performance.

14 HSE communications
Communication of key HSE policies, expectations, results, and
incidents is an essential way of supporting the development of
general HSE awareness and specific situation awareness. It is also
effective in supplementing training efforts. Communications are
often a component of other HSE processes, but can also exist as an HSE tool in their own right.
Pathological organisations find it hard to justify the time and resources for such non-productive
activities. Reactive organisations may provide limited communications, largely linked to events that
have occurred. Calculative organisations will use all media, but may leave the impression that they
are meeting set targets. Proactive and generative organisations use communication media extensively and encourage open communication of potential issues and suggestions.

Tool-box talks
are discussions held by individual work groups, usually in a field setting to raise HSE awareness
for the day, or to specifically discuss potential hazards associated with an upcoming task.
HSE meetings
are sessions held regularly to discuss HSE related issues among multiple work teams. These meetings may include sharing lessons from past events, new work practices or expectations from management, or increased awareness of HSE issues of general interest. Advanced cultures include their
contractors in the meetings, and in the most advanced cultures the HSE meeting is run by the workers or contractors directly.
HSE alerts
are communications specifically for informing workers of incidents or problems identified at other
locations.
HSE newsletters
are periodic communications to inform workers of issues, policies, and recent performance. Newsletters often cover topics similar to those discussed in HSE meetings, but may go into more detail
or provide additional references to further support desired objectives. Newsletters are common in
calculative and higher HSE cultures. In more advanced cultures, the content of the newsletters is
determined to a greater extent by the workers themselves.
Handover information
refers to processes for transitioning work from one group to another. These could include shift handovers, handover from the control centre to the field team, or bridging documents between operators
and contractors. These protocols assist the applicable groups in sharing critical operating considerations or potential hazards associated with the tasks being passed to the next group.

15 Other HSE tools


There are a number of other HSE tools that do not fall conveniently into the categories above, or
address only a very narrow topic within a category. Most of these tools are designed to address a
particular type of issue. For instance, general rule-breaking or non-compliance may be identified as
a cause of many different incidents in many different activities.

Issue-specific tools
such as the Hearts and Minds Managing Rule Breaking are generally appropriate for proactive
and generative organisations and may be used to help calculative organisations take the next step
up the culture ladder. Pathological or reactive cultures will not likely use issue-based tools, as the
organisational vision is limited to addressing each incident independently.

Additional references and resources


Energy Institute, Investigating and Analysing Human and Organisational Factors of Incidents and Accidents (May 2008)
Energy Institute, Hearts and Minds, http://www.energyinst.org.uk/humanfactors
UK HSE Inspectors' Toolkit, Human factors in the management of major accident hazards, http://www.hse.gov.uk/humanfactors/index.htm
NORSOK S-002, Working Environment
NORSOK S-005, Machinery working environment analyses and documentation
CRIOP scenario tool (for control rooms), http://www.criop.sintef.no/
ISO 9000 series (ISO quality management system)
ISO 14000 series (ISO environmental management system)
ISO 11064 series, Ergonomic Design of Control Centres
OHSAS 18000
OGP, Catalogue of International standards used in the petroleum and natural gas industries
Baker Commission, Process HSE Culture survey


For further information and publications, please visit our website at www.ogp.org.uk

209-215 Blackfriars Road
London SE1 8NL
United Kingdom
Telephone: +44 (0)20 7633 0272
Fax: +44 (0)20 7633 2350

165 Bd du Souverain
4th Floor
B-1160 Brussels, Belgium
Telephone: +32 (0)2 566 9150
Fax: +32 (0)2 566 9159

e-mail: reception@ogp.org.uk

Dust explosions have caused extensive property damage and fatalities in process plants. Because of their familiarity, dusts do not get the respect that flammable vapors and gases receive. Dust explosion safety rules are entirely different from the safety rules for gases and vapors; dust is an entirely different phenomenon. Dust area classification standards and the electrical installation practices are found in the National Electrical Code. This paper will provide assistance in applying these dust standards and practices and will provide recommendations concerning their application.

Case Histories of Dust Explosions
During an eight day period in 1977, five explosions in grain facilities resulted in fifty-nine deaths and forty-nine injuries. Dust explosion experiences in other process plants include:

Dust Dryer Explosion
Two employees died as a result of a dust cloud explosion that occurred from a large dust cloud that was released when they opened an access opening at the bottom of a dust collector. In a lawsuit that followed, it was claimed that the location was a Class II, Division 1 location and that a TEFC motor at the same location violated the NEC and produced the spark that caused the explosion.

Trouble Light Explosion
An operator died as the result of a dust explosion that occurred when he inserted a portable trouble light inside a plastic dust bin. He was cleaning the inside of the bin with a water hose to remove the dust. A dust cloud was produced, and at the same time, water contacted the light causing it to spark and ignite the dust cloud.
Electrical wiring and equipment are identified as ignition sources in other dust explosion studies.

Figure: Example of a dust hazardous area, Class II, Divisions 1 and 2.

Dust Explosion Fundamentals
Dusts are deceptive and their familiarity masks their potential for fire and explosion. Their presence in a chemical process unit may seem normal and harmless, but they are a fuel; only an ignition source (under certain conditions) is needed to produce a damaging and deadly explosion or fire. A dust explosion is the sudden release of heat energy through rapid combustion of airborne particulate matter in a confined or partially confined space. Heat is generated faster than it is dissipated. The rapid temperature rise produces a pressure wave which can cause destruction.
Dust explosions follow the fire triangle. The fuel is the dust; the finer the dust the greater the potential for explosion. The oxidant is the oxygen in the air, and the ignition source can be electrical. When these three elements are together at the same time in certain proportions an explosion can

Richard J. Buschart, P.E., is with PCCE, Inc., of St. Louis, Missouri. He is a Life Fellow of the IEEE and a Fellow in the ISA. This article appeared in its original form at the 1997 PCIC Conference in Banff, Canada.

IEEE Industry Applications Magazine, January/February 1999

Authorized licensed use limited to: David Wechsler. Downloaded on January 15, 2010 at 12:33 from IEEE Xplore. Restrictions apply.

1077-2618/99/$10.00 © 1999 IEEE


occur. The dust cloud must have a certain minimum concentration for flame propagation to occur. There is also a maximum explosion concentration, but it is poorly defined for most dusts.
A dust explosion can begin as a small fire or as dust melting. This can cause further heating and turbulence of the air, which disperses more dust, which in turn provides fuel for more heating, burning, and air pressure buildup. The initial burning and pressure rise can dislodge dust accumulations on building structures, piping, ductwork, and machinery, which provides more fuel and can result in secondary and subsequent explosions. Witnesses of dust fires have reported sensing air pressure changes and seeing burning dust clouds. The final explosion is a rapid burning of a cloud of dispersed dust and a release of thermal energy in a rapidly rising air pressure wave.
Dust layers can produce dust clouds if the layers are sufficiently dispersed or agitated. Dust layers can also melt, char and burn, and propagate a flame either by excessive temperature (if the dust layer has settled on a hot surface such as an electrical motor or lighting fixture), or by sparking material from a welder, or by a fault in electrical equipment falling on the dust layer, causing burning.
Dusts are a necessary part of many chemical process facilities. They are usually not the final product but can occur as fines in milling, cutting, and other mechanical operations. Almost any chemical dust can be made to explode if the dust is fine enough, the dust cloud dense enough, or the dust layer thick enough, and a strong ignition source, either a spark or hot surface, is present. Determining the minimum ignition energy (in millijoules) depends on the individual dust and the test technique.

Characterization of Dusts
As with Class I vapors and gases, it is first necessary to determine if the material requires classification, and if so, to what degree. This can be done by testing the individual dust or by referring to test data on similar dusts and assuming your dust will act in a similar way. This assumption may not be correct. Testing is always better because the actual dust may have a different particle size distribution than the tested value. Testing usually follows the practices established by the United States Department of Interior, Bureau of Mines. In the early sixties, the Bureau of Mines issued a number of reports on the explosibility of dusts in various industries. RI 5624 [9] describes the laboratory equipment and test procedures for evaluating explosibility of dusts. The dust explosion parameters considered are:
• Minimum dust cloud explosive concentration
• Ignition temperature of a dust cloud
• Ignition temperature of a dust layer
• Electrical energy for ignition of a dust cloud
• Electrical energy for ignition of a dust layer
• Relative flammability of a dust cloud
• Limiting oxygen concentration
• Pressure and rate of pressure rise.
The Bureau of Mines has published reports of investigations of the explosibility of metal powders, carbonaceous dusts, and agricultural, plastic, chemical, drug, dye, pesticide, and other miscellaneous dusts. Of particular interest to chemical processing is RI 7132, Dust Explosibility of Chemicals, Drugs, Dyes, and Pesticides [11] and RI 5971, Explosibility of Dusts Used in the Plastics Industry [10].
Two indexes are defined that provide a measure of relative explosibility compared to Pittsburgh coal dust. One is the ignition sensitivity, which equals the ratio of the dust cloud ignition temperature times the dust cloud minimum ignition energy times the minimum dust cloud explosion concentration for the particular dust as compared to Pittsburgh coal dust. The other is the explosion severity, which equals the ratio of the maximum explosive pressure times the maximum rate of explosive pressure rise for the sample dust compared to Pittsburgh coal dust.
The overall Index of Explosibility is the product of the explosion severity and the ignition sensitivity. If their ratios are one, it implies that the dust sample is equivalent to Pittsburgh coal dust as far as explosibility is concerned. Explosion hazards are further classified as weak, moderate, strong, and severe according to this ratio as established by the Bureau of Mines.
The symbols used in the index equations are: P_max = Maximum Explosive Pressure; dP/dt = Maximum Rate of Pressure Rise; T_c = Minimum Ignition Temperature; E = Minimum Ignition Energy; MC = Minimum Explosive Concentration.
The report on explosibility of plastics dust reveals that composition and chemical structure are important factors, and there are variations within dust samples even if the dust appears to be the same chemical composition.
Particle shape is also important. Irregularly shaped particles present a greater explosion hazard than do spherical particles. For instance, spherical particles of one plastic had an explosibility index of less than 0.1 indicating a weak explosion hazard, whereas irregularly shaped particles of the same material had an explosibility index greater than 10 indicating a severe hazard. Bureau of Mines reports indicate that the basic chemical structure governs explosibility and incorporation of halogens, chlorides, and fluorides works in the direction of decreased hazard. The effect of particle shape can only be measured by testing the actual process dust.
The tests were based on dusts that pass through a No. 200 sieve (74 microns particle size). Dust particle size is a major factor in dust explosions. The smaller the dust particle size, the higher the probability of dust explosion. NFPA Publication 69 defines a combustible dust as finely divided combustible material with a particle size of 420 microns or less (material passing a No. 40 sieve) in diameter that can produce fire and explosion when dispersed or ignited.
In chemical process operations there is a distribution of particle sizes, and although some of the particles may be pellet size and too large to explode by a reasonable ignition source, processes usually produce fines that may be explodable.

NEC Requirements for Dust Areas

Article 500 of the NEC provides definitions and fundamental criteria for the classification of locations where combustible dust layers or clouds may exist and electrical equipment and wiring could provide an ignition source.
Electrical classification is a statement of the following four items:
1. Type of flammable: Class II combustible dusts
2. Grouping by type of dust based on dust-tightness of electrical enclosures, blanketing effect of layers of dust on electrical equipment that may cause overheating of the dust layer
3. Probability that a combustible dust cloud or layer can exist: Division 1 (higher risk), Division 2 (lower risk), and unclassified
4. T number based on the ignition temperature of the particular dust and Table 500-3(d) of the NEC.

Class II Groups per the 1993 NEC are:

Group E: Atmospheres containing combustible metal dusts or other combustible dusts whose particle size, abrasiveness, and conductivity present similar hazards.
Group F: Atmospheres containing combustible carbonaceous dusts including carbon black, charcoal, coal, or coke dusts that have more than 8% total entrapped volatiles.
Group G: Atmospheres containing combustible dust not in E or F including flour, grain, wood, plastic, and chemicals.
Agricultural and chemical plant facilities are typically Group G with the possibility of Group F areas where coal handling facilities are present.
The ignition temperature of a dust is the lower of the dust cloud or dust layer ignition temperature. NFPA Publication 497M, Classification of Gases, Vapors, and Dusts for Electrical Equipment in Hazardous (Classified) Locations [4], provides a listing of dusts including the NEC grouping and typical ignition temperatures. The layer ignition temperature is usually lower than the cloud ignition temperature. An example of a classification of a dust plastics facility where the dust has an ignition temperature of 115°C (239°F) is:
Class II (dusts), Division 2, Group G (plastic dusts), T5, Ignition Temperature 115°C (239°F)

Class II Locations Division 1 and 2 are indicated as:
Division 1: A location where combustible dust is in the air in quantities sufficient to produce explosive or ignitable mixtures under normal operating conditions, or locations where a mechanical failure could produce an explosive mixture and simultaneously an electrical source of ignition, or locations where conductive dusts (Group E) are present in hazardous quantities.
Note: NEC Table 500-3(f) provides ignition temperatures for groups E, F, and G for listed equipment that was specified before T numbers were applied to dusts in the 1981 NEC. The table is for reference to approvals before this time.
Division 2: A location where combustible dust is not normally in the air in quantities to produce ignitable mixtures and accumulations of dust are normally insufficient to interfere with the normal operation of electrical equipment; however, as a result of infrequent malfunctioning of process equipment, combustible dust may be in suspension in the air and dust accumulations may be sufficient to interfere with the safe dissipation of heat from electrical equipment or may be ignitable by failure of electrical equipment.
These word definitions provide only general guidelines in classifying locations. This paper will provide guidance in dust classification based on ISA Standard S12.10, Area Classification in Hazardous (Classified) Dust Locations [2] and NFPA 497B, Classification of Class II Hazardous (Classified) Locations for Electrical Installations in Chemical Process Areas, 1991 [3].

Dust Ignition By Electrical Equipment

Dust clouds or layers can be ignited from electrical facilities by sparks from electrical contacts, faulted wiring, or from the heated surfaces of motors, lights, heaters, solenoids, etc.

Dust Cloud Ignition

As with vapors and gases, a minimum concentration must be reached before an ignition will be propagated. This lower explosive limit (L.E.L.) varies with composition and particle size for the material involved. For instance, the value for polystyrene is 0.020 ounces per cubic foot while for cornstarch it is 0.055. In most situations visibility is severely restricted before the concentration of dust reaches the lower explosive limit.


Dust clouds can be ignited by hot surfaces or by sparks. The dust cloud ignition temperature for many materials is much higher than the temperature that can be expected from electrical equipment. Dust cloud ignition by sparks is possible since dust cloud ignition energies are within the capability of much electrical equipment. However, the probability of simultaneous occurrence of a spark and a combustible cloud is low.
The L.E.L. of most dusts is far above acceptable dust concentrations for personnel safety. Therefore, dust control efforts aimed at protecting people also significantly reduce the necessity of classification of areas. It is improbable that a Division 1 area exists in an area where personnel are permitted to enter without breathing apparatus.

Dust Layer Ignition

As dust accumulates on the surface of heat generating electrical equipment, e.g. motors, lights, the dust layer has a blanketing effect which will further increase surface temperatures. The thicker the dust layer the greater the potential for a dust explosion. Dust layer ignition temperature decreases with dust layer thickness. For instance, a 2 cm thickness of sawdust can ignite on a hot surface at approximately 300°C (572°F) while a 10 cm thickness ignites at approximately 220°C (428°F). Other dusts act in a similar manner. Time is also a factor. Prolonged exposure to elevated temperature will usually decrease minimum layer ignition temperature. For instance, for cornstarch the layer ignition temperature drops from 500°C (932°F) for 0.3 hours to 150°C (302°F) for 70 hours. Therefore, dust layer ignition for large dust layers and long time exposure can be considerably lower than the values indicated in NFPA 497M [4]. The values given in 497M are based on tests on a one-half inch thick test sample. For this reason electrical equipment that generates heat, for example motors and lights, should have its surface temperature limited to 80% of the ignition temperature of the particular dust as indicated in NFPA 497M [4]. If the dust layer temperature is sufficiently high, excessive dehydration and gradual decomposition may take place. The minimum temperature at which these changes take place is the dust layer ignition temperature. This temperature varies with the particular dust involved.
Dust layers could also be dispersed into the air and form a combustible cloud. Even a very small dust layer can create a large dust cloud. For instance, a 0.180 inch (4.572 mm) dust layer of polyethylene can produce a combustible dust cloud that is barely combustible, ten feet high if it is uniformly dispersed.
Chemical composition, particle size and shape, and moisture content all affect explosibility. The finer the dust the greater the potential for ignition. NEC group and minimum cloud and ignition temperature as indicated in NFPA 497M [4] are the variables relevant to dust classification.
For Dusts That Are Not Listed:
1. If their ignition sensitivity is equal to or greater than 0.2,
2. or their explosion severity is equal to or greater than 0.5,
3. or if these factors are not known,
4. the dust area should be classified.
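The two Bureau of Mines indexes described under Characterization of Dusts and the classification rule for unlisted dusts just above, worked through as an added example (not code from the paper; the orientation of each ratio, the moderate/strong boundary at 1.0, and all test values are assumptions marked in the code):

```python
"""Bureau of Mines relative explosibility indexes and the paper's rule for
dusts that are not listed in NFPA 497M.

Added example, not code from the paper or the Bureau of Mines.  The paper
defines ignition sensitivity from T_c x E x MC (cloud ignition temperature,
minimum ignition energy, minimum explosive concentration) and explosion
severity from P_max x dP/dt (maximum explosive pressure, maximum rate of
pressure rise), each relative to Pittsburgh coal dust.  Assumption: the
ratios are oriented so that a dust that ignites more easily or explodes
more violently than the coal scores above 1.0.  All numbers below are
constructed for the demonstration, not published test data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DustTestData:
    name: str
    ignition_temp_c: float         # T_c, dust cloud minimum ignition temperature (degC)
    min_ignition_energy_mj: float  # E, dust cloud minimum ignition energy (mJ)
    min_explosive_conc: float      # MC, minimum explosive concentration (oz/ft^3)
    max_pressure: float            # P_max, maximum explosive pressure (psig)
    max_rate_of_rise: float        # dP/dt, maximum rate of pressure rise (psi/s)


# Constructed reference values standing in for the laboratory's Pittsburgh
# coal dust measurements; any consistent set of reference numbers works.
PITTSBURGH_COAL = DustTestData("Pittsburgh coal dust (reference)", 610.0, 60.0, 0.055, 90.0, 2300.0)

# Constructed samples mirroring the paper's spherical vs. irregular plastic case.
SPHERICAL_SAMPLE = DustTestData("spherical plastic fines", 600.0, 1000.0, 0.200, 50.0, 400.0)
IRREGULAR_SAMPLE = DustTestData("irregular plastic fines", 450.0, 10.0, 0.020, 100.0, 6000.0)


def ignition_sensitivity(sample: DustTestData, ref: DustTestData = PITTSBURGH_COAL) -> float:
    """(T_c * E * MC)_coal / (T_c * E * MC)_sample: lower sample values
    (easier ignition) give a larger index."""
    ref_product = ref.ignition_temp_c * ref.min_ignition_energy_mj * ref.min_explosive_conc
    sample_product = sample.ignition_temp_c * sample.min_ignition_energy_mj * sample.min_explosive_conc
    return ref_product / sample_product


def explosion_severity(sample: DustTestData, ref: DustTestData = PITTSBURGH_COAL) -> float:
    """(P_max * dP/dt)_sample / (P_max * dP/dt)_coal: more violent
    combustion gives a larger index."""
    return (sample.max_pressure * sample.max_rate_of_rise) / (ref.max_pressure * ref.max_rate_of_rise)


def index_of_explosibility(sample: DustTestData, ref: DustTestData = PITTSBURGH_COAL) -> float:
    """Product of the two indexes; 1.0 means equivalent to Pittsburgh coal."""
    return ignition_sensitivity(sample, ref) * explosion_severity(sample, ref)


def hazard_class(index: float) -> str:
    """Bureau of Mines descriptive classes.  The paper gives the <0.1 (weak)
    and >10 (severe) boundaries and equivalence to coal at 1.0; the 1.0
    boundary between moderate and strong is assumed from that scheme."""
    if index < 0.1:
        return "weak"
    if index < 1.0:
        return "moderate"
    if index < 10.0:
        return "strong"
    return "severe"


def classification_required(sensitivity: Optional[float], severity: Optional[float]) -> bool:
    """Paper's rule for unlisted dusts: classify the area if ignition
    sensitivity >= 0.2, or explosion severity >= 0.5, or either factor is
    unknown (None)."""
    if sensitivity is None or severity is None:
        return True
    return sensitivity >= 0.2 or severity >= 0.5


def evaluate(sample: DustTestData, ref: DustTestData = PITTSBURGH_COAL) -> dict:
    """Full worked evaluation of one dust sample against the reference."""
    sens = ignition_sensitivity(sample, ref)
    sev = explosion_severity(sample, ref)
    return {
        "name": sample.name,
        "ignition_sensitivity": sens,
        "explosion_severity": sev,
        "index_of_explosibility": sens * sev,
        "hazard_class": hazard_class(sens * sev),
        "classification_required": classification_required(sens, sev),
    }


if __name__ == "__main__":
    for dust in (SPHERICAL_SAMPLE, IRREGULAR_SAMPLE):
        r = evaluate(dust)
        print(f"{r['name']}: IS={r['ignition_sensitivity']:.3f} ES={r['explosion_severity']:.3f} "
              f"index={r['index_of_explosibility']:.3f} ({r['hazard_class']}), "
              f"classify={r['classification_required']}")
    # A dust with no test data must be classified until it is tested.
    print("untested dust: classify =", classification_required(None, None))
```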

Dust Conductivity
Metal dusts, Group E, are classified as conductive. If these dusts enter an electrical enclosure and bridge between energized terminals, a leakage current might subsequently produce dust ignition. For this reason there is only Division 1 in Group E dust classified locations. Coal dusts are generally not considered conductive. However, in high voltage electrical equipment the possibility of voltage breakdown exists especially in wet or humid environments. Chemical, plastic, or agricultural dusts are insulators, and, therefore, conductivity for these dusts is not a dust explosion issue.

Dust Area Classification

Area classification is required for any dust where ignition sensitivity is equal to or greater than 0.2 or explosion severity is equal to or greater than 0.5 as determined by the Bureau of Mines data.
Area classification is the process of determining the existence and extent of Class II, Division 1 and Division 2 zones. These classifications shall be indicated on area classification drawings along with the Group (G for plastics or agricultural dusts or F for coal) and maximum temperature or T number.
The maximum temperature shall be the dust layer or cloud ignition temperature in degrees Celsius, whichever is less, and indicates the maximum permissible surface temperature that electrical equipment shall have under normal conditions.
Classified zones will exist around leak points or sources where dust can escape from the process. These include but are not limited to open drums, fill openings, rotary feeders, flexible connections, open conveyors, and other similar sources. The extent of classified areas depends on:
1. Height at which dust is released
2. Velocity and direction of release
3. Velocity and direction of drafts
4. Presence of solid floors, tops of tanks, and other equipment, duct work, etc.
5. Presence of confining walls or barriers
6. Frequency of housekeeping
7. Frequency of maintenance of process equipment.
Item 7 is an important condition that may be overlooked. The opening of dust process equipment caused a dust cloud that produced fatal explosions. The greater the volume of dust and the height of the opening in the structure, the larger the dust cloud and potential for explosion.
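The maximum surface temperature rule above, combined with the 80% margin for heat generating equipment from the Dust Layer Ignition section, as an added example that is not part of the paper; the principal T code table and the 400°C cloud temperature in the sample case are assumptions:

```python
"""Maximum permissible equipment surface temperature and NEC T number for a
Class II dust location.

Added example, not code from the paper.  It applies two rules the paper
states: the governing ignition temperature is the lower of the dust layer
and dust cloud ignition temperatures, and heat generating equipment should
be limited to 80% of that temperature because the NFPA 497M layer values
come from 1/2 inch test samples and thicker or long-heated layers ignite
lower.  Assumption: the T number table below is the six principal NEC
T codes (T1 450 degC down to T6 85 degC) and omits the intermediate
subdivisions (T2A, T3A, ...) of NEC Table 500-3(d).
"""
from typing import Optional

# Principal NEC T codes: rated maximum equipment surface temperature, degC.
T_CODES = (("T1", 450.0), ("T2", 300.0), ("T3", 200.0),
           ("T4", 135.0), ("T5", 100.0), ("T6", 85.0))

LAYER_MARGIN = 0.80  # the paper's 80% limit for heat generating equipment


def governing_ignition_temp_c(cloud_c: float, layer_c: float) -> float:
    """Whichever of the two published ignition temperatures is lower."""
    return min(cloud_c, layer_c)


def max_surface_temp_c(cloud_c: float, layer_c: float, margin: float = LAYER_MARGIN) -> float:
    """Surface temperature limit for motors, lights, etc. that dust can blanket."""
    return margin * governing_ignition_temp_c(cloud_c, layer_c)


def t_number_for(limit_c: float) -> Optional[str]:
    """Least restrictive T code whose rated surface temperature does not
    exceed the limit; None when even T6 (85 degC) is too hot."""
    for code, rated_c in T_CODES:
        if rated_c <= limit_c:
            return code
    return None


def equipment_acceptable(rated_surface_c: float, cloud_c: float, layer_c: float,
                         heat_generating: bool = True) -> bool:
    """Is equipment with the given rated surface temperature acceptable for
    the dust?  Heat generating equipment gets the 80% margin; other
    equipment is held to the governing ignition temperature itself."""
    if heat_generating:
        limit = max_surface_temp_c(cloud_c, layer_c)
    else:
        limit = governing_ignition_temp_c(cloud_c, layer_c)
    return rated_surface_c <= limit


def rate_location(cloud_c: float, layer_c: float) -> dict:
    """Summary a classification drawing would carry for one dust."""
    governing = governing_ignition_temp_c(cloud_c, layer_c)
    with_margin = max_surface_temp_c(cloud_c, layer_c)
    return {
        "governing_ignition_temp_c": governing,
        "t_number_at_ignition_temp": t_number_for(governing),
        "max_surface_temp_for_heat_generating_c": with_margin,
        "t_number_for_heat_generating": t_number_for(with_margin),
    }


if __name__ == "__main__":
    # Constructed case built on the paper's example: a plastic dust with a
    # 115 degC ignition temperature (cloud temperature assumed higher, 400 degC).
    # The paper's T5 (100 degC) follows from 115 degC directly; applying the
    # 80% margin (92 degC) pushes heat generating equipment down to T6.
    print(rate_location(cloud_c=400.0, layer_c=115.0))
```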
Elimination or Reduction of Classified Locations
It should be the safety goal of any facility to eliminate classified locations by equipment design that will minimize dust leaks and structures where dust cannot accumulate.
The importance of these factors is indicated in the following fine print notes in NEC Section 500-6(b) Class II, Division 2 definitions:
(FPN No. 1): The quantity of combustible dust that may be present and the adequacy of dust removal systems are factors which merit consideration in determining the classification and may result in an unclassified area.

Classification Technique
The visibility of dust accumulation provides the opportunity for determining electrical area classification by inspection of process facilities. The factors to consider in surveying existing facilities and in comparing them to processes that require classification are:
1. Housekeeping
2. Leak points: their location, especially height.
3. Horizontal dust collection areas: solid floors, the tops of tanks, and duct work.
4. Confining walls and barriers.
The classification of a location by a survey is done by observing dust accumulations for typical operations. Instrument Society of America, ANSI Standard S12.10, Area Classification in Hazardous (Classified) Dust Locations and NFPA 497B [3] provide the following general rules for dust classification:
1. In dusty areas where the layer is just thick enough to obscure the floor or surface color, the location should be classified Division 2.
2. In dusty areas where larger dust accumulations are present and the dust layer thickness exceeds one-eighth of an inch, the location should be classified Division 1.
These criteria should be used to classify dust locations for existing facilities and for new facilities where a similar unit exists.

Dust Hazardous Area Electrical Installations


The fundamental concept of protection in dust hazardous locations is entirely different from that for gases and vapors. Explosion proof enclosures allow gases and vapors to enter enclosures, but if ignition occurs inside the enclosure, it contains the explosion. In dust locations the principles are:
1. Keep the dust outside the enclosure.
2. Do not allow sparks or heat inside enclosures to ignite external dusts.
3. Limit external surface temperatures so that they will not ignite external dusts.
External dusts could be dust clouds or layers of dust on or around the electrical equipment. Surface ignition is a greater issue in dust areas than in vapor or gas locations. The ignition temperatures of dusts are generally lower than for vapors or gases. In addition, dust can blanket heat generating equipment and cause an increase in surface temperatures. The accessibility of heat generating equipment is important. Lights, solenoids, or motors that are located in high inaccessible locations can have significant dust accumulations. T numbers apply to dust locations. Electrical equipment in dust areas should not operate at temperatures above the particular dust ignition temperature. Intrinsic Safety, Purging and Pressurization, Dust Ignition Proof (DIP), and dust-tight enclosures are used in hazardous dust areas.

In Division 1 locations:
1. Type MC cable can be used in cable tray; otherwise, conduit and MI cable are permitted.
2. Fittings and boxes can be dust tight unless taps, joints, or terminals are present, or conductive dusts are involved, in which case, the enclosure must be DIP.
3. Liquid tight flexible conduit and cords can be used for flexible connections.
4. Explosion seals are not required. Sealing is only needed to keep the dust out of DIP enclosures. Lengths of raceway can provide sealing requirements (See Figs. 1, 2, and 3).
5. Most other enclosures are DIP with some exceptions and special requirements for metallic dusts.
6. Motors can be DIP or totally enclosed, pipe-ventilated.

In Division 2 locations:
1. Dry-type transformers operating at over 600 volts cannot be used.
2. Types TC, MC, ITC, and PLTC cables can be used in cable trays. Note type TC must be spaced apart but not the other types of cable.
3. Enclosures are generally dust-tight.
4. Explosion seals are not required. Same as Division 1.
5. Enclosures for fuses, switches, circuit breakers, and motor controllers can be dust-tight.
6. Motors can be totally enclosed and should operate at surface temperatures below the dust layer ignition temperature. There is no requirement for DIP enclosures if the motor winding has contacts as there is for Class I; therefore, totally enclosed DC motors are acceptable.
7. For signal and control systems, enclosures with contacts can be dust-tight. Nonincendive circuits can be in general purpose enclosures.

Fig. 1. Preventing dust from entering the dust-ignition-proof enclosure by sealing between enclosures. (Figure labels: junction box not required to be dust-ignition-proof; sealing fitting; dust-ignition-proof enclosure.)
Fig. 2. Preventing dust from entering the dust-ignition-proof enclosure by horizontal distance (no seal).
Fig. 3. Preventing dust from entering the dust-ignition-proof enclosure by vertical distance (no seal).

International Dust Hazardous Location

The international system for dust hazardous rules is defined in the work of IEC Subcommittee 31H. The IEC system uses the three zone approach:
Zone 20: Combustible dust is present continuously, typically inside dust equipment.
Zone 21: Combustible dust likely to be present in normal operation.
Zone 22: Combustible dusts occur infrequently.
The IEC has installation practices similar to the NEC. The three zone approach is similar to NEC Section 505.

Summary and Conclusion

Dust explosions in process plants can be eliminated by proper area classification and application of the NEC, but unfortunately it has not received the attention that flammable vapor or gas explosions have received. Dust explosion considerations are completely different and, in some ways, more complicated than vapors and gases. It is essential to characterize and test the particular dust involved. Chemical structure and particle size and shape are all critical variables. The finer the dust, the greater the explosion potential. Hot surface temperatures are especially important, and the effect of layering should always be considered. Elimination of classified locations should be the first consideration. This could be accomplished by improved dust containment, good housekeeping, and reduction of horizontal surfaces that can accumulate dusts.
Special attention should be given to situations where dust processing equipment is opened for maintenance and dust cloud releases could result.

References
[1] ANSI/NFPA 70, 1996 National Electrical Code, Quincy MA.
[2] ANSI/ISA S12.10-1988, Area Classification in Hazardous (Classified) Dust Locations.
[3] NFPA 497B-1991, Recommended Practice for the Classification of Class II Hazardous (Classified) Locations for Electrical Installations in Chemical Process Areas.
[4] NFPA 497M-1991, Manual for Classification of Gases, Vapors, and Dusts for Electrical Equipment in Hazardous (Classified) Locations.
[5] R.J. Buschart, Electrical and Instrumentation Safety for Chemical Processes, Chapman and Hall, NY and London, 1991.
[6] R.J. Buschart, "Monsanto Standards - Area Classification for Electrical Ignition Hazards - Combustible Dust-Air Mixtures Design Guide E2.2 Std 3, 12/28/92."
[7] NFPA 654-1994, Standard for the Prevention of Fire and Dust Explosions in the Chemical, Dye, Pharmaceutical and Plastics Industries.
[8] IEC 31H/47/CDV - Part 3, Classification of Areas Where Combustible Dusts Are or May Be Present.
[9] U.S. Bureau of Mines, Washington DC, "Laboratory Equipment and Test Procedures for Evaluation of Explosibility of Dusts," RI No. 5624, 1960.
[10] U.S. Bureau of Mines, Washington DC, "Explosibility of Dusts Used in the Plastics Industry," RI No. 5971, 1962.
[11] U.S. Bureau of Mines, Washington DC, "Dust Explosibility of Chemicals, Drugs, Dyes, and Pesticides," RI No. 7132.
[12] NFPA 69, Explosion Prevention Systems, 1997.



Health and Safety Executive

Safe handling of combustible dusts: Precautions against explosions

This is a free-to-download, web-friendly version of HSG103 (Second edition, published 2003). This version has been adapted for online use from HSE's current printed version.
You can buy the book at www.hsebooks.co.uk and most good bookshops.
ISBN 978 0 7176 2726 4
Price £10.95
This publication provides practical advice on the prevention and mitigation of dust
explosions and fires. The guidance is intended for employers, managers, foremen
and safety representatives working in the many industries where combustible dusts
may be present. A number of materials used in everyday business can produce
dusts that are flammable and can explode if ignited, they include sugar, coal, wood,
grain, certain metals and many synthetic organic chemicals.
The publication outlines the relevant legislation and illustrates the effects that dust
explosions can have. It also provides advice on how to prevent dust explosions,
explains how to protect plant and equipment if an explosion occurs and covers the
particular hazards of fires within dust handling plants.

HSE Books

Page 1 of 34


© Crown copyright 2003


First published 1994
Second edition 2003
ISBN 978 0 7176 2726 4
All rights reserved. No part of this publication may be reproduced, stored in
a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording or otherwise) without the prior written
permission of the copyright owner.
Applications for reproduction should be made in writing to:
The Office of Public Sector Information, Information Policy Team,
Kew, Richmond, Surrey TW9 4DU or e-mail: licensing@opsi.gov.uk
This guidance is issued by the Health and Safety Executive. Following the guidance
is not compulsory and you are free to take other action. But if you do follow the
guidance you will normally be doing enough to comply with the law. Health and
safety inspectors seek to secure compliance with the law and may refer to this
guidance as illustrating good practice.


Contents
Introduction 4
Who is this booklet for? 4
Legal framework 5
Why does dust explode? 5
What are the effects of a dust explosion? 6
What can I do to prevent or mitigate the effect of a dust explosion? 7
Assessing the risk 7
Very simple plant 8
Control over formation of dust clouds 8
Inerting 8
Control over sources of ignition 9
Area classification where dusts are handled 10
Equipment used in classified areas 10
Plant design and controls 13
Mitigation measures 13
Explosion relief venting 14
Explosion suppression and containment 16
Plant siting and construction 17
Interconnected plant 17
Verification before first use 20
Fires involving explosible dusts 20
Examples of protection in two plants 21
Human factors 22
Appendix A: Dust explosion testing 25
Appendix B: Legal 29
Appendix C: Laboratories undertaking testing of flammable dusts 30
Appendix D: Zone Definitions 31
References 32


Introduction
1 This guidance document provides advice on the prevention and mitigation of dust explosions and fires. Many materials we use every day produce dusts that are flammable and in the form of a cloud can explode, if ignited. Examples are:
• sugar;
• coal;
• wood;
• grain;
• certain metals; and
• many synthetic organic chemicals.
Quite generally, the advice applies to anything which can burn, and which exists in a fine powdered form, unless tests show that particular hazards are not present. In some cases, a very simple knowledge of chemistry can rule out the explosion risk, eg in the case of sand, cement and sodium carbonate (soda ash).
2 Dust explosions are not new and records from over 100 years ago exist of incidents that have resulted in large loss of life and considerable and costly damage to plant and buildings.
3 The objectives of this book are to:
• outline legislation;
• illustrate the effects of dust explosions;
• show how to prevent dust explosions;
• explain how to protect plant and equipment if an explosion occurs; and
• give advice on the particular hazards of fires within dust handling plants.

Who is this booklet for?


4 This guidance is intended for employers, managers, foremen and safety
representatives working in the many industries where combustible dusts may be
present. It describes in non-specialist terms the hazards from dust explosions and
common means to control the risk.
5 The guidance also describes common ways you can achieve an adequate
standard of safety. You may use alternative designs or precautions to meet
particular circumstances, so long as they provide an equivalent standard of safety.
The guidance contains basic advice and you should not use it as a design guide.
Information for design purposes can be found in reference 1.
6 The guidance does not apply to mines, where special considerations apply.
The guidance is not applicable to the handling of loose explosive or pyrotechnic
compositions in licensed explosives factories. The general principles are, however,
applicable to handling individual components of such compositions that are not in
themselves explosive (eg sulphur dust or aluminium powder). Powders which can
decompose energetically in the absence of air (eg some organic peroxides and
blowing agents) are also out of scope. These are covered in the booklet
Energetic and spontaneously combustible substances (reference 25).

Safe handling of combustible dusts: Precautions against explosions

Page 4 of 34

Health and Safety


Executive

Legal framework
7 The Health and Safety at Work etc Act 1974 (HSW Act, reference 2) places a general duty
on employers to ensure the safety of both employees and other people from the
risks arising from work activity, so far as is reasonably practicable.
8 The Dangerous Substances and Explosive Atmospheres Regulations (DSEAR, reference 3) require
employers to make an assessment of the health and safety risks arising from
dangerous substances, and this specifically includes dusts which can explode.
Where the employer has five or more employees, the significant findings of the
risk assessment must be written down. Precautions to control any risks associated
with dust fires and explosions are then needed (see below). Specific requirements
relating to classification of hazardous areas within a plant, and marking of points of
entry into such areas are covered in paragraphs 32-34 and 98. These regulations
also require that information about the risks and emergency procedures is made
available for the fire authorities. It is not necessary to send the written risk assessment
to the fire authority in every case, but where contact is made, the particular risks and
precautions associated with dust explosions should be identified.
9 In addition to this a number of regulations are relevant where flammable dusts
may occur. These are:
• The Fire Precautions (Workplace) Regulations 1997 (reference 4)
• The Provision and Use of Work Equipment Regulations 1998 (reference 5)
• The Workplace (Health, Safety and Welfare) Regulations 1992 (reference 6)
• The Control of Substances Hazardous to Health Regulations 1999 (reference 7)
• The Equipment and Protective Systems for Use in Potentially Explosive Atmospheres Regulations 1996 (reference 8)

Appendix B contains further information.

Why does dust explode?


10 A dust explosion involves the rapid combustion of dust particles that releases
energy and usually generates gaseous reaction products. A mass of solid
combustible material as a heap or pile will burn relatively slowly owing to the limited
surface area exposed to the oxygen of the air.
In 1981 an explosion at a plant in Banbury which manufactured custard powder
injured nine men and caused substantial damage to an external wall of the
building (reference 9). A fault in a pneumatic conveying system caused a holding bin to overfill
and the air pressure caused the bin to fail. The released custard powder ignited
as a dust cloud within the building.
11 If you have the same solid in the form of a fine powder and you suspend it in
air as a dust cloud the result will be quite different. In this case the surface area
exposed to the air is much larger, and if ignition occurs, the whole of the cloud may
burn very rapidly. This results in a rapid release of heat and gaseous products and
in the case of a contained dust cloud will cause the pressure to rise to levels which
most industrial plant is not designed to withstand.
12 Although a cloud of flammable dust in air may explode violently, not all mixtures
will do so. The concentration of dust and air must be within the upper and lower
explosive limits for the dust involved.


13 Measurements of the lower explosive limits of many materials are available, and
for many organic materials the limit is in the range 10-50 g/m3. A dust cloud of
this concentration resembles a very dense fog. Upper explosive limits are difficult to
measure accurately, and have little practical importance.
14 The most violent explosions usually result from dust/air mixtures that are fuel
rich. This means that the oxygen available in the air cannot burn all the dust, and
partly burnt, glowing material often remains after the explosion. This can reignite
if more air becomes available. The shape and size of the dust particles, and other
factors, strongly affect the force of the explosion and the explosive limits. Only weak
explosions are likely where the mean particle size of the dust exceeds 200 microns,
or the moisture content exceeds 16%. Appendix A contains information about
methods of testing dusts.

What are the effects of a dust explosion?


15 A dust explosion can result in:
• death or serious injury to workers;
• destruction of plant and buildings;
• a large fireball;
• secondary explosions; and
• fire.

[Figure: the conditions needed for a dust explosion - dust sufficiently fine; air/oxygen; an ignition source (heat/spark); movement to create a cloud; and confinement (hopper/silo, filter/blender).]

When a dust cloud ignites in an enclosed volume it results in a very rapid rise in
pressure within the container. The container may be an item of plant or a room of a
building. Typical peak pressures in laboratory apparatus are in the range 8 - 10 bar.
In normal circumstances the plant or building will not be strong enough to withstand
the pressure from the explosion and it will fail in a sudden and uncontrolled manner.
Anyone close to exploding plant, or inside a room where an explosion occurs is likely to
be killed or seriously injured. The plant or building will only survive if the design or other
protective measures deliberately allows for the high pressures.
16 Where an item of plant fails, or an explosion vent opens as a result of a dust
explosion, a fireball and shockwave will emerge. The fireball is usually much larger
than the vessel from which it came, and is likely to spread burning particles a
substantial distance. A person engulfed in such a fireball is likely to receive serious
burn injuries.


17 An explosion within a piece of plant may also stir up dust deposits within the
building. The failed plant may also release as a cloud a large quantity of unburnt
material. Burning particles from the primary explosion can then ignite the dust cloud
within the building causing a secondary explosion that is generally more destructive
than the primary explosion.
An explosion initiated in the dust collector of a grain storage facility at Blaye
in France. The towers contained elevators and the gallery over the 44 silos
contained belt conveyors. All the areas were open allowing the spread of dust
clouds and flames. Both towers, the gallery and 28 silos were completely
wrecked with the loss of 11 lives.

What can I do to prevent or mitigate the effect of a dust explosion?


Assessing the risk
18 This task should be your starting point, and it can be addressed under a
series of questions. Is my dust capable of exploding? Where could dense dust
clouds form? What could ignite them? How likely is this? What would be the
consequences? Who would be at risk? Can we prevent the risk of an explosion
altogether? If this is not possible, what can be done to protect people, and
minimise the consequences of an explosion?
Records show where explosions are most likely to start.
19 Following the risk assessment the options should be considered in this order:
• Eliminate the risk.
• Provide controls to minimise the risk.
• Provide supplementary controls to mitigate the consequences.
20 Many products have to be handled as fine powders, and the risk cannot be
eliminated, but there are occasions where granular or pasty products can be used
with advantage. The risk of an explosion may also be effectively eliminated if the
quantity of dust present is sufficiently small.
The great majority of dust explosions start inside the process plant, and most of
the control measures concern conditions inside the dust handling system. They can
be grouped under the headings of:
• controls over dust cloud formation;
• preventing the explosive atmosphere by inerting;
• avoiding ignition sources; and
• plant controls, which may have various purposes.


Very simple plant


21 In many cases the plant to be assessed is a dust extraction system, with
ductwork drawing from a single point of release, and a filter to collect the dust. Key
points to consider are then:
• Does the system catch all the dust effectively, so that deposits do not form around the workroom? How do you make sure the fan is always running when needed?
• Was the filter designed to handle dusts that could explode? Explosion vents are normally needed in this case.
• Is it located where it would cause no danger if it exploded (eg on the roof)?
• How would you know if the filter became blocked, or the fan performance dropped off?
• Do dust deposits in the ductwork need clearing out from time to time? Are there access hatches for this?
• Can you empty the filter without creating a dust cloud?
If you can provide satisfactory answers to these questions, there may be nothing
more to do.
Control over the formation of dust clouds
22 Sometimes the process can be designed to prevent or minimise the formation
of a dust cloud inside the equipment. If your product is available as a paste, in
dampened or pelletised form instead of fine powder the explosion risk may be
avoided completely. Any movement of pelletised or granular material is likely,
however, to produce dust by attrition.
23 Many types of process plant inevitably contain explosible clouds of dust.
Cyclones or dust filters provided as part of a ventilation system concentrate the
dust and are likely to contain an explosive atmosphere somewhere within them,
even if the dust concentration in the extract ducting is well below the lower
explosive limit. In some cases there are alternatives. For example, tray driers create
a smaller dust cloud than fluid bed driers. Wet dust collectors avoid the cloud that
is formed regularly inside a reverse jet dry filter.
24 Completely enclosed plant should be used whenever practicable for handling
fine dusts. This will reduce or prevent significant dust clouds within the building,
reduce the extent of any hazardous areas, reduce the need for cleaning, and
reduce the exposure of employees to dust, which might have a health risk.
Features that should be particularly avoided are: conveyors that tip into open
topped plant; discharge of bulk quantities from big bags into process vessels
where the air displaced comes direct into the workroom, and filters that have to be
regularly emptied releasing large amounts of dust into the building.
Inerting
25 This is a way you can prevent explosions by preventing the formation of an
explosive atmosphere. In a substantially closed system the oxygen content of the
atmosphere within the plant can be controlled at a safe level. You will normally need
to determine the maximum safe oxygen content experimentally. This will vary with
the type of inert gas and the chemical reactivity of the material being processed.
One man died following an explosion in a plant that manufactured powdered
aluminium. Part of the process used nitrogen to maintain an inert atmosphere but
system controls were rudimentary and inadequate to detect blockages caused
by powder collecting in the nitrogen supply pipework.


26 Inerting is only likely to be effective in a system that is fully enclosed, with a
minimum number of places where air can enter. You need to consider how process
materials will be added to or removed from the system. If air enters at this point,
a purge cycle is likely to be needed before the process restarts. Calculations
to determine the times and gas flows needed for purging and other design
recommendations are given in reference 1.
27 Many factors will influence the overall reliability of an inerting system. For
example,
• the location and number of atmospheric sampling points;
• type of sensor head;
• frequency of calibration of the sensor;
• contaminants in the system that interfere with sensor readings;
• provision of safe means of control or shutdown, if the oxygen concentration exceeds a predetermined level;
• adequate supplies of inert gas for all foreseeable needs;
• the number of locations where air may enter the plant;
• the safety margin allowed when setting control levels for oxygen; and
• the reliability of any electronic control system.
Where inerting is used as a means of preventing explosions, the overall reliability of
the system should be assessed.
28 If the plant is held at a pressure slightly above atmospheric, air leaks into the
system can be avoided, but you then need to consider the risk that inert gas could
accumulate in the general atmosphere of the workroom. In an extreme case this
could lead to asphyxiation.

29 The supply of inert gas should be reliable, and sufficient reserve is needed to
shut the plant down safely if a seal failure or similar unexpected leak occurs. This
could cause the required flow of inert gas to increase suddenly.
Control over sources of ignition
30 Careless use of welding, flame-cutting equipment or other hot work has caused
many incidents. It is essential that before hot work begins you isolate the plant
effectively to prevent fresh material entering, and clean it thoroughly. After the work
is complete, the site should be watched for at least an hour, for signs that fire is
growing from a smouldering deposit.
31 Sparks from hot work may travel a considerable distance, particularly if you
carry out the work at a high level. You can greatly reduce the risk of ignition by
adopting cold cutting methods. Commonly accepted best practice for hot work
requires a permit-to-work system, with the permit issued by a responsible person
before work commences.
Such permits need to set out clearly:
• your arrangements for handover;
• the allowable range of work;
• time limits on when the work may be done; and
• the precautions required.

The ACOP to the DSEAR regulations gives further information (references 14-18).


Area classification where dusts are handled


32 Area classification is a technique intended to help people decide where specific
controls over all sources of ignition are needed. It was originally developed to
help with the selection of fixed electrical equipment, but its use has now been
extended to any equipment that has hot surfaces or generates other possible
ignition sources. Parts of buildings or process plant may be described as zone 20,
21 or 22, depending on the amount of time that an explosible dust cloud may be
present. Equipment installed in a zoned area should then be built to an appropriate
standard.
33 The zone definitions are contained in regulations, and are repeated in
appendix D. These regulations bring in a new legal requirement to carry out area
classification, where dusts are handled in quantity. In most plant handling dusts the
inside of the dust equipment will be zone 20 or 21. Rooms within the building, if
they need to be zoned, should only be the less onerous zone 22. A few very small
areas where dust escapes in quantity in normal operation might need to be zone
21. In the open air, dust clouds are unlikely to persist for more than a brief period,
and any zoning is likely to be very limited in extent.
34 Where dust layers are often present, explosible dust clouds can be formed by
any sudden movement of air, except with products like sugar, which quickly absorb
moisture from the air. Experience shows however, that while fires may easily start in
dust layers on hot surfaces, very few explosions are caused by hot surfaces outside
the dust containment system. Further advice on zoning is given in reference 11.
Equipment used in classified areas
35 Electrical and non electrical equipment supplied after June 2003 that creates
a potential ignition risk and is designed for use in explosive dust atmospheres, is
subject to specific regulations. Such equipment should be marked with the sign
of explosion protection (see below), a category number (1,2, or 3) followed by
the letter D for dust, a temperature rating and other codified identifying marks.
The temperature rating may be expressed as a T class (eg T4 or T6) or an actual
temperature. Details of the marking scheme are contained in standards.
36 There is rarely any need to site power-consuming electrical equipment inside an
area classified as zone 20. If you need to install electrical equipment where it will be
buried in dust (eg inside a storage bin) you should consult the equipment supplier.
37 It is preferable to site electrical equipment away from dusty areas, but where you
install equipment close to sack tipping points, sanding machines, sampling points or
similar foreseeable dusty areas that are classified as zone 21, new equipment should
meet the requirements for ATEX category 2D. Existing equipment made to older
standards such as BS 6467, or with a dust tight enclosure made to IP6X (see BS
EN 60529) is still likely to be suitable.
38 You are likely to need ignition protected equipment in areas inside buildings
around process plant handling flammable dusts which are classified as zone 22.
In this situation new equipment built to ATEX category 3D requirements will be
suitable. Older equipment made with a dust resistant enclosure to IP5X may remain
in service.
39 BS EN 50281-1-2 (1999, reference 10) gives additional advice on the selection, installation
and maintenance of electrical equipment for use in the presence of combustible
dusts. Anyone familiar with the requirements for protected electrical equipment
for use in the presence of flammable gases should note that the requirements for
atmospheres of flammable dusts are not the same.


40 Dusty areas may extend well away from sources of release of dust unless you
install local dust extraction to prevent this. Air currents will carry the finest dust
particles a considerable distance and allow them to settle at high levels within a
building. Dust deposits on beams and ledges at high level create a secondary
explosion risk, but you should also be aware that surface deposits of dust might
ignite on equipment that is designed to run hot, or may block ventilation holes or
otherwise interfere with the cooling of electrical equipment.
41 To prevent fires, you should ensure that the maximum surface temperature
produced by an item of electrical equipment exposed to dust is below the
temperature required to ignite the dust either as a layer or as a cloud. BS EN
50281-1-2 contains a formula for maximum temperatures, which includes a
safety margin. You can find tables of measured values of ignition temperatures in
reference 12, and as a rough indication the layer ignition temperatures of many
natural products exceed 300 deg C and cloud ignition temperatures are usually
higher. Thicker dust layers can ignite at much lower temperatures.
42 Where the interior of a plant item requires regular illumination, you can almost
always do this with the light source outside the plant. Mains powered portable
lights should not be lowered into storage bins. Even if the light unit is designed for
an explosive atmosphere, the cable might be easily damaged, and the risk is high.
If illumination from the inside is needed, and a dust certified lamp is not available,
battery-powered lamps certified for use in gaseous flammable atmospheres are
unlikely to cause ignition. If, however, they are dropped and buried in a heap of
dust some high powered types could overheat and start a fire.
43 Frictional heating of moving parts of process plant may raise the temperature
locally to the point where ignition of a dust occurs without any spark or flame. Bucket
elevators have proved vulnerable to this problem, as have hammer mills and rotary
atomisers on milk spray driers. Modern plant may have features designed to prevent
or detect such problems eg ammeters on motors to indicate overloading. Inadequate
maintenance can negate the effectiveness of these features.
44 Impact sparks are likely to arise where tramp metal or stones enter process
plant. A magnetic separator to catch ferrous tramp metal is a very widely
used precaution that helps minimise this problem. For the separator to remain
effective, you need to remove the caught fragments on a regular basis. If you find
fragments regularly, it is better to identify the source and then take steps to reduce
contamination rather than depend on the magnet. Sieves, pneumatic separators
and other methods allow you to remove stones and other extraneous matter from a
lighter feedstock. Where you are handling loose materials eg open floor storage of
grain, bulk handling in ships holds etc, such separators are particularly useful.
45 Electrostatic charging of plant items or process materials is likely when moving
dusty materials in quantity. It is necessary to take precautions to prevent discharges
that are powerful enough to cause ignition of a dust cloud. A conducting (metal)
item isolated from earth produces the most energetic discharges when it becomes
charged by contact with a stream of charged dust particles. You should prevent this
by earthing all metalwork that may be in contact with the dust. The least electrically
conducting dusts, such as polyethylene, cause the most problems as the charge is
retained within the bulk and additional precautions may be needed.


46 Experience from the chemical industry suggests that explosions are most likely
with dusts that have a low minimum ignition energy (MIE). Certainly electrostatic
hazards need more careful control with the most easily ignited dusts. For example
the use of highly insulating parts may need to be avoided. The test methods used
strongly influence measured values of minimum ignition energy, and care should
be taken in interpreting data from old sources. Usually the test houses that can
measure MIE will be able to advise on the significance of the results.
47 Typical precautions required are earthing of delivery tankers, electrical bonding
across sight glasses in transfer lines, earthing of plant items that stand on
non-conducting floors and avoiding the use of non-conducting fastenings to join metal
components together. Checking the earthing arrangements before the plant is first
brought into use might form part of the verifications required by the Dangerous
Substances and Explosive Atmospheres Regulations (reference 3). BS PD CLC/TR 50404 (reference 19) also
recommends checking the earthing arrangements at scheduled maintenance
and after other maintenance or modification.
Common ignition sources include:
• hot surfaces;
• naked flames;
• faulty or unsuitable equipment;
• overheating of moving mechanical plant, eg by friction;
• impact sparks;
• electrostatic discharges;
• spontaneous heating; and
• smoking materials.

48 You may require additional precautions where combustible dusts and flammable
solvent vapours are present together, eg in some drying or mixing processes in the
chemical industry. Reference 20 includes discussion of precautions required in this
situation and other circumstances where dust and vapour are present together.
49 Exothermic decomposition, air oxidation or biological action may cause
spontaneous heating in many materials. Careful control of maximum temperatures
is necessary when you handle such materials in a hot process, such as drying. You
may use small-scale tests to identify unstable materials, but large-scale processes
should usually operate at temperatures well below the onset temperatures shown in
these tests. See reference 20 for information on suitable small-scale tests.
50 When storing such materials for long periods in large bulk containers, periodic
temperature checks within the interior of the pile may help you to detect the onset
of overheating; alternatively regular transfer of the powder from one silo to another
will help dissipate localised build up of heat. Materials known to be prone to
spontaneous heating include fishmeal, corn meal, dried sewage sludge and milk
powder.
51 Combined gas/dust explosions have also occurred where dust smouldering in
a restricted air supply has given off carbon monoxide. In an essentially closed plant,
the carbon monoxide can build up to the point where introduction of a fresh air
supply causes an explosion.


Plant design and controls


52 Various types of plant design and control may be important in controlling the
risk or consequences of a dust explosion. This section cannot be comprehensive
but highlights the type of process deviations that you need to control, preferably by
continuously monitoring the plant. Examples are:
• Extensive centralised dust collection systems create many links through which burning material can spread following an explosion in the filter. This can be controlled, but filters drawing dust from just one or two locations reduce the risk more simply.
• Overloading or blockage of the feed system may cause some process plant to overheat. If this is possible, reliance on visual indication may not be adequate.
• Large volumes of dust may escape if filters fail, relief panels become loose or sacks being filled fall off a collection point. You may need to monitor the air pressure at appropriate points within the plant to identify such an event promptly.
• Where you provide local exhaust ventilation to control the release of dust from an operation you may find it necessary to interlock the process so that it can only run with the ventilation operating properly.
• Detectors are available which continuously monitor the product from a grinding plant or similar unit for sparks or glowing material. They can then activate a water spray downstream from the detector and extinguish potential ignition sources before they reach a large dust cloud in other parts of the plant.
• High-level alarms on bins or hoppers may be useful in preventing material being spilt. Many reliable types are now available.
• Deviations from a safe condition should cause automatic plant shut-down or the raising of an alarm. In the latter case the follow-up action needs to be pre-planned.
Magnesium grinding and polishing
Magnesium is rated as an St 3 dust, which means that any explosion will be very
severe. If you are involved in the special case of grinding or polishing magnesium
you should ensure that:
• None of the equipment has been used previously for abrading iron or other ferrous material.
• There is a dust extraction system leading to a scrubber where the dust-laden air is drenched with water. It is usual to provide a separate scrubber for each grinding or polishing device. The scrubber will need cleaning out at least once a week, and tools containing iron or ferrous material should not be used. The scrubber should have a high-level vent to avoid accumulations of hydrogen.
• Ductwork carrying grinding or polishing dust is kept as short as possible, with few crevices to retain dust. It should also be possible to inspect and clean the inside surfaces.
• You dispose of any dust collected by removing it from site or by burning it in a controlled manner.
• Wet sludge is stored outside where gas evolved may disperse safely.
Mitigation measures
53 The most important mitigation measure is maintaining the process
buildings in a clean condition. If you allow dust deposits to accumulate,
they can provide the fuel for a secondary explosion. Dust deposits shaken into
suspension from all the ledges within a room by a small primary explosion may
then ignite. You only need comparatively small amounts, and a layer of flour 0.3mm
thick on the floor can in principle fill a room with an explosible dust cloud up to 3m
above floor level.
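The 0.3 mm figure above follows from a simple mass balance (thickness of the layer times its bulk density, spread over the height of the room), and the same calculation tells you how thick a layer your own building can tolerate before a disturbance could produce a cloud above the lower explosive limit quoted in paragraph 13. The following worked example is added here and is not part of the HSE booklet. The settled bulk density of 600 kg/m3 for flour is an assumption made for illustration only; the 10-50 g/m3 LEL band is the one the booklet quotes.

```python
"""Added worked example (not from the HSE booklet): relates a settled dust
layer to the dust-cloud concentration it would produce if a disturbance
lofted it into the room, and compares that with the lower explosive limit.

Figures taken from the booklet: LEL for many organic dusts 10-50 g/m3
(paragraph 13); a 0.3 mm flour layer dispersed to 3 m (paragraph 53).
Assumption (not from the booklet): a settled bulk density of 600 kg/m3 is
used as a representative figure for flour. Substitute a measured value.
"""

FLOUR_BULK_DENSITY_KG_M3 = 600.0            # assumed, for illustration only
TYPICAL_ORGANIC_LEL_G_M3 = (10.0, 50.0)     # band quoted in paragraph 13


def cloud_concentration_g_m3(layer_mm, bulk_density_kg_m3, height_m):
    """Concentration (g/m3) if a layer `layer_mm` thick is dispersed uniformly
    through a column of air `height_m` tall above the floor.

    Mass per unit floor area of the layer is thickness x bulk density;
    spreading that mass over the column height gives mass per unit volume.
    """
    if layer_mm <= 0 or bulk_density_kg_m3 <= 0 or height_m <= 0:
        raise ValueError("thickness, bulk density and height must be positive")
    mass_per_area_g_m2 = (layer_mm / 1000.0) * bulk_density_kg_m3 * 1000.0
    return mass_per_area_g_m2 / height_m


def critical_layer_mm(lel_g_m3, bulk_density_kg_m3, height_m):
    """Layer thickness (mm) that just reaches `lel_g_m3` when dispersed to
    `height_m`; thinner layers give a cloud below the LEL.

    Units: (g/m3 * m) / (kg/m3) = g.m/kg = 1e-3 m, ie the result is in mm.
    """
    if lel_g_m3 <= 0 or bulk_density_kg_m3 <= 0 or height_m <= 0:
        raise ValueError("all inputs must be positive")
    return lel_g_m3 * height_m / bulk_density_kg_m3


def assess_layer(layer_mm, bulk_density_kg_m3, height_m, lel_g_m3):
    """Return the dispersed concentration and whether it reaches the LEL."""
    conc = cloud_concentration_g_m3(layer_mm, bulk_density_kg_m3, height_m)
    return {
        "concentration_g_m3": conc,
        "explosible": conc >= lel_g_m3,
        "ratio_to_lel": conc / lel_g_m3,
    }


if __name__ == "__main__":
    lo, hi = TYPICAL_ORGANIC_LEL_G_M3
    # Constructed cases: a thin, the booklet's 0.3 mm, and a heavy deposit,
    # all dispersed to the booklet's 3 m and compared with the upper LEL.
    for layer in (0.1, 0.3, 1.0):
        r = assess_layer(layer, FLOUR_BULK_DENSITY_KG_M3, 3.0, hi)
        state = "above" if r["explosible"] else "below"
        print(f"{layer:.1f} mm layer -> {r['concentration_g_m3']:.0f} g/m3 "
              f"({state} the {hi:.0f} g/m3 LEL)")
    for lel in (lo, hi):
        crit = critical_layer_mm(lel, FLOUR_BULK_DENSITY_KG_M3, 3.0)
        print(f"layer reaching {lel:.0f} g/m3 at 3 m: {crit:.2f} mm")
```

With the assumed density, 0.3 mm dispersed to 3 m gives 60 g/m3, above the upper end of the quoted LEL band, which is the booklet's point; a layer of about 0.25 mm is already enough at 50 g/m3, and about 0.05 mm at 10 g/m3. Bulk density and LEL differ between dusts, so use measured values for your own material (see appendix A on testing) before treating any thickness as a housekeeping criterion.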


54 The first step towards preventing dust accumulations within a building is to
maintain a plant in a leak-tight condition. Loosely bolted flanged joints, damaged
flexible seals and ill-fitting or propped open access hatches are common sources of
leaks. Some processes can be operated at slightly below atmospheric pressure to
reduce the escape of dust.
55 Despite this, the building will require regular cleaning, and the preferred method
is a vacuum system rather than brushes and shovels, which tend to raise dust
clouds. You should avoid the use of compressed air lines to dislodge dust deposits,
as this will cause unnecessary dangers by creating dust clouds. There is no general
preference between mobile vacuum cleaners and a centralised system. Depending
on the design of the building, both may have their place.
56 You can reduce the labour involved in cleaning by designing plants and
buildings with the minimum number of horizontal ledges on which dust can settle,
and sufficient access platforms to avoid the need for temporary platforms. Do not
neglect the highest parts of buildings as these are the areas where the finest and
most hazardous dust can be found.
57 Electrical apparatus may be particularly prone to overheating if dust deposits
accumulate, and the standards (reference 10) assume that dust deposits will never be more than
5 mm thick. If you cannot control dust accumulations to this thickness, you should
obtain special advice from the equipment supplier.
58 Where filtered dusty air is returned to a workroom, it is important to ensure that
this does not significantly increase the exposure of an individual employee to the
dust. Health limits for dusts are typically a thousand times less than explosion limits,
and you should, therefore, consider the effect of recirculation in any assessment
made under the Control of Substances Hazardous to Health Regulations (reference 7). The
failure or partial failure of a filter may greatly increase exposure to dust unless there
is prompt detection of the fault. Dust filters may not remove volatile materials and
where these are present a further assessment of the health risks is needed. A badly
designed air recirculation system may also adversely affect worker comfort.
59 We can group more technical measures to mitigate an explosion into the
following main categories:
• explosion relief venting;
• explosion suppression and containment; and
• plant siting and construction.
Explosion relief venting
60 A simple and common method of protecting process plant against the
consequences of an internal dust explosion is to provide one or more deliberate
points of weakness. We call these explosion relief vents. If they are of suitable size
and in the right place, they will safely vent an explosion within the plant. The intention
is to prevent injuries to persons nearby by avoiding uncontrolled failure of equipment.


61 Extensive research over the last 20 years has provided soundly based calculation
methods to determine the vent area required. To design an explosion vent you require:
• the volume of the equipment to be protected;
• the properties of the dust measured in a 20-litre or larger apparatus;
• an estimate of the strength of the plant involved; and
• the opening pressure of the relief panels.

The plant user supplies information about the properties of the dust whilst the
equipment manufacturer or installer supplies the calculation of relief areas. Some
manufacturers test a complete assembly of, for example, a filter, with its vent
panels. Others may calculate the equipment strength and fit vent panels from a
specialist supplier that have been separately tested.
62 Different design equations are used for different circumstances. For example a
tall thin silo may need more vents than a short squat vessel with the same volume.
Full details are given in reference 1.
63 When an explosion vent opens as a result of a dust explosion, a fireball
or jet of flame must be expected. This can carry out a mass of burning and
unburnt dust. In addition there will be a pressure wave associated with the
explosion. If the vent opens inside the building the burning dust may start
further fires, and the blast may damage nearby plant. Anyone inside the room
or building may be at serious risk. For these reasons explosion vents which
discharge inside a building will give people inside the building little protection
from the explosion. The usual solution is to fit a duct to lead the explosion
products to a safe place in the open air. You may need to keep personnel
away from an area around the end of a vent duct. Proprietary flameless venting
devices, which quench flames and catch burning dust, are also available. The
supplier's advice concerning installation must be followed carefully. See also
paragraphs 68 and 69.
64 Bucket elevators may have an explosible cloud of dust within both legs
during normal operation. Frictional heating within the elevator has caused a
number of explosions. Explosion relief vents at the top and as close to the
boot as is practicable (this generally means within 6m of the boot) will usually
provide adequate protection for dusts with a KSt of 150 or less although long
elevators may require additional vents. See appendix A for an explanation of
KSt.
This assumes the vent panels have an area equal to the cross-section of the leg,
or for any panel at the top, both legs. Reference 1 contains additional guidance for
dusts with a KSt of more than 150.
Note: It is often difficult to locate relief panels at the elevator boot where they can
open safely.
65 Because of the difficulty of ducting vents from bucket elevators sited in
buildings to the open air, it is preferable to locate such elevators outside buildings.
66 Screw conveyors do not generate large dust clouds within the casing, and
experience has shown that explosion relief on such items is not normally necessary.
Drag link (en masse) conveyors may contain a substantial void above the powder level
in horizontal sections, and can be damaged by, or transmit explosions. Malfunction of
either type of conveyor may cause frictional heating and ignition of the dust.

67 The dangers of a dust explosion will depend, among other factors, on the size
of the ignited cloud. There is no simple answer to the common question: "My plant
has a size of only x; do I still need an explosion vent?" It will depend on the risks to
people for any given plant. Factors you should consider are: the explosibility of the
dust, whether existing openings will provide adequate protection, the cleanliness of
the building, the likelihood of an ignition source being present, and the number of
people who would be at risk.
68 To operate successfully an explosion vent must open reliably at a pressure
well below that which the plant it is protecting can withstand, and must open
fully almost instantaneously. Vents normally take the form of bursting panels or
explosion doors. From 30 June 2003 newly supplied vent covers should conform to
the EPS Regulations (reference 8), be tested by one of the recognised independent test houses
(notified bodies) and CE marked.
69 Where you site explosion vents is important because, if they are close to a
wall or other obstruction, it can inhibit the release of combustion products and
make the vent ineffective. Normally you should leave a minimum space of 1 panel
diameter or diagonal between a vent panel and an obstruction. A larger distance
will be needed to prevent damage to masonry walls from the pressure wave.
70 Where panels could become dangerous missiles in the event of an explosion,
you should attach them to the plant by a strong chain, cable, or other restraint.
The chain/cable must be long enough to allow the panel to open fully. Normally
explosion vent doors and panels are not strong enough to stand on, and where
necessary you should provide a suitable barrier to prevent access. A less
satisfactory alternative is a widely spaced wire grill on the inner side.
71 Explosion doors are heavier than panels and will take longer to open than the
lightest vents available. For this reason doors are likely to need to be bigger than
the area calculated for panels. New doors made and tested to the EPS Regulations
will come with a quoted figure of effective vent area. All types of explosion vent
need occasional maintenance, to ensure that seals remain in good condition, there
is no accumulation of dirt or corrosion products and hinges operate easily etc.
Explosion suppression and containment
72 Although the provision of explosion relief vents is the most widely used
technique for protecting process plant from dust explosions, suppression and
containment are equally valid alternatives. The choice of technique will depend
not only on safety considerations, but also issues like cost, reliability, continuity of
operation and keeping a plant free from contamination. Explosion venting will be
inappropriate if the material is too toxic or environmentally harmful to release to
atmosphere, or if there is no safe place to locate the vent outlet.
73 Dust explosions typically produce maximum overpressures in the range 8 to
10 bar. It is not generally practicable to produce plant capable of withstanding
such pressures unless it is of small volume and simple circular or spherical shape.
Hammer mills and certain other grinding equipment are however, often strong
enough to contain an explosion; you will need to consider protection of the
ductwork leading to and from them unless it is of similar strength. Plant operating
under a vacuum, eg some types of drier, may also be strong enough to withstand
the low explosion pressures that would result.
74 Explosion suppression systems allow the control of a developing explosion
by the rapid injection of a suitable suppressing medium into the flame front. They
have been developed into reliable systems over years of testing and operating
experience. They are classed as autonomous protective systems and need
certification and appropriate marking under the EPS regulations.
75 Such systems combine, in their simplest form, a rapid-acting pressure sensor
with a number of pressurised containers of suppressant designed for rapid injection
into the protected vessel. The suppressant is commonly a dry powder similar to
those used in fire extinguishers, but in certain circumstances it may be water. The
few specialist manufacturers of explosion suppression equipment are the best
source of advice if you are considering this method of explosion protection.

Plant siting and construction
76 Where some risk of a dust explosion remains despite a high standard of control
over sources of ignition, and provision of protective measures, the siting of unit(s) in
the open air may minimise the consequences of an explosion. The intention of the
risk assessment mentioned in paragraph 8 is to consider such factors.

Open air siting of dust handling process plant is strongly recommended:
• where the scale of the operation is large, such as large silos;
• where substantial sized plant, such as a dust filter, has a flammable dust
cloud inside it constantly during normal operation; or
• where a particularly severe explosion is possible, as with metal powders.
77 When you install plant handling flammable dusts within a building, ducting the
relief vents direct to the outside will reduce the risk to the building and people within
it. To function correctly such ducts must have at least the same cross-sectional area
as the vent panel or door. Any duct will provide some restriction to the flow of gases
through it and, in consequence, both relief panels and ducts need to have a larger
cross-section than for a freely discharging vent. You can minimise this problem if
you locate such plant items close to an outside wall and ducts are straight and of
minimum length. Vent ducts should be designed to direct any burning material safely
away from anywhere people regularly go. Reference 1 contains detailed advice on
the design requirements for the use of ducts.
78 Sometimes you may not be able to site explosion-prone plant where it
can relieve to a safe place in the open air. In this case you should give careful
consideration to the consequences of an explosion within the building. Explosion
vents should not relieve to regularly occupied areas. The use of suitable plant
automation may remove the need for personnel to visit vulnerable areas while the
plant is running.
79 The building itself may be vulnerable to a pressure rise from either a primary
or secondary explosion. In the past buildings with load bearing brick or stone walls
have collapsed following dust explosions, with much loss of life. A suitable choice
of building design will allow a building to relieve a pressure wave without major
damage. You may achieve this by fitting areas of open louvres, roof or wall panels
of light construction lightly attached, or plastic glazing weakly secured to its frames.
Methods are available for estimating the required area of weakness in a building
(see reference 1).
Interconnected plant
80 Many processes involving flammable dusts use a series of interconnected units
of plant, such as grinders, elevators, cyclones, silos and filters. Unless you take
appropriate precautions, an explosion occurring in any one unit of plant may spread
from unit to unit causing extensive damage.

81 Methods to separate items of plant and so restrict this possibility include the use
of:
• rotary valves;
• a choke of material in an intermediate hopper;
• screw conveyors with a missing flight and baffle plate;
• explosion suppression barriers; and
• explosion isolation valves.
The aim is to prevent both the spread of burning particles, and the pressure wave
associated with the initial explosion. Equipment newly installed after June 2003,
intended specifically to act as an explosion barrier device needs to be tested and
certified under the EPS Regulations (reference 8). Detailed standardised test arrangements are
not available for any types of barrier device at the time of going to print.
82 The transfer system of the plant will continue to spread burning material with
potentially serious consequences unless it shuts down immediately in the event
of a fire or explosion. You can achieve this by providing trip switches activated by
explosion relief panels to cut the power to elevators, conveyors, rotary valves etc.
83 Rotary valves are commonly provided to control powder flow, or to act as an
air lock. If they are also intended to act as explosion chokes, they need rigid blades
eg of metal, that will not deform under a pressure wave, and which have as small a
clearance as practicable from the casing. Both the gap width and gap length affect
the ability of the valve to extinguish a flame front. See figure 3.

[Figure 3 Important dimensions of rotary valves used as chokes. Labelled: housing, rotor and rotor vanes; gap width W between vane tip and housing; gap length lg = thickness of the rotor vanes; direction of the approaching explosion.]

84 If you omit one turn of the flight, a screw conveyor will act as a choke to a dust
explosion. On an inclined conveyor the screw will not normally empty itself below
the missing flight even when the supply of feed to the lower end stops.
A horizontal conveyor with a trough casing needs an adjustable baffle plate to
complete the seal of dust with the upper side of the casing. See figure 4.

[Figure 4 Use of a screw conveyor as an explosion choke. Labelled: baffle plate; choke (at the omitted turn of flight).]


85 Explosion suppression barriers, also called advanced inerting systems are similar
to suppressors used for major items of plant. A suppression barrier involves linking a
pressure or optical detector to a rapid-acting device designed to inject an inerting or
suppressing material into a duct. See figure 5.

[Figure 5 Suppressant barrier. Labelled: ignition source; flame front travelling along the duct; detector; control unit; suppressant container; dispersion of extinguishing medium into the duct.]

86 Explosion isolation valves act by closing in milliseconds, following detection of
a flame or pressure rise by a sensor situated an appropriate distance towards the
anticipated source of the explosion. They have particular advantages where you
want to avoid a hold up of material within the plant. See figure 6.

[Figure 6 High speed isolation valve. Labelled: gas cylinder; piston; slide valve.]


87 Your choice between these methods will depend on the particular plant or
process concerned, but on any substantial system of interconnected plant that is
vulnerable to dust explosions you will certainly need to take some effective steps to
prevent propagation of any explosion to other plant items.
Verification before first use
88 Regulations require that any explosion protection measures included in plant
newly brought into use after 30 June 2003 should be verified by a competent
person. This might include: checks of the design of vent panels; checks that
electrical equipment actually installed is suitable where necessary for use in dusty
areas; a review of the zoning diagram; and checks of earthing arrangements,
measurements of air flows in extract ducts etc. The objective is to see that the
plant is installed correctly, and will perform to its intended design. This work may be
done by someone working for the installer, user or an independent company.
Fires involving explosible dusts
89 Some dusts are capable of self heating, when they are held in quantity,
deposited on a heated surface, or deliberately heated as part of a process.
Depending on the conditions, the product may rise in temperature until it starts
to smoulder or burn. Dusts which demonstrate this hazard can be identified by a
variety of tests, which try to mimic on a small scale the conditions found in a full
scale plant. Details are given in reference 20.
90 Small smouldering fires may develop in dust accumulations not only from
self heating but also from any of the common sources of ignition. If you suspect
a fire inside a dust handling plant, it may be dangerous to open up any of
the inspection points to look inside. A sudden rush of air into the plant could
cause a smouldering deposit to flare up, or a dust cloud to form, followed by
an explosion that vents out through the inspection point. It is preferable first to
try and cool the affected plant from the outside, or where practicable to apply a
water spray into the plant through a small opening. See also paragraph 39.

91 If you try to extinguish a fire using water, it is important that you apply it as a
fine spray or fog. Using high-pressure water jets on a smouldering fire is dangerous,
as you can raise dust clouds. Attempts to restrict the spread of fire by removing
dust from adjacent plant have also resulted in the unintentional formation of dust
clouds with disastrous consequences.
92 When tackling fires involving powdered metals or coal you should not use water
as it may cause a violent reaction or the formation of flammable gases. Dry sand
applied cautiously to a small burning heap on the floor from long-handled shovels
may be effective, but special proprietary powder fire extinguishers are better. If a fire
certificate is in force for the premises it will specify the types and numbers of fire
extinguishers required.
93 You may tackle deep-seated fires inside a dust handling plant by applying an
inert atmosphere. It is likely to take a considerable time for displacement of all
the air from the centre of a large volume of powder and it may take days or even
weeks to dissipate the residual heat from a fire in a large silo.
Examples of protection in two plants
94 To illustrate the application of the precautions already described, paragraphs 95
and 96 describe the safety features of two simple plants.
95 The first plant is a grinding operation that involves the tipping of granular
material from intermediate bulk containers (IBCs) into a feed hopper. This leads to
a small hammer mill and from this a blower transfers the ground material to one of
two product bins. See Figure 7.
• The IBC tipping point has local exhaust ventilation. This draws escaping dust to
a filter located outside the building. The filter has explosion relief.
• The feedstock flows from the hopper through a rotary valve to the mill. The
rotary valve serves not only to control the flow of product, but also prevents an
explosion in the mill venting out through the hopper.
• A magnetic separator before the mill catches tramp metal.
• The mill itself can withstand an explosion and needs no explosion relief. The
inlet and outlet ductwork and associated joints are capable of withstanding
overpressures of up to 9 barg without distorting enough to allow flames to
emerge.
• A pressure sensor on the conveying system detects blockages. This allows the
mill to be turned off before material in the mill overheats and catches fire.
• Slide valves control which bin the product will enter. Interlocking ensures that
only one valve is open at any time. This will prevent an explosion propagating
from one bin to another.
• The bins are outside the building and have explosion relief.
• The bins have integral filter socks to permit the escape of air displaced during
filling. The dusty side of the filter is effectively part of the bin; the calculation of
the explosion relief area required depends on the bin volume alone.
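The protective functions listed for this plant (the slide valve interlock and the blockage detection on the conveying system), together with the relief panel trip switches of paragraph 82, are logic that has to fail safe: a trip must stop everything and stay latched, and the interlock must refuse an unsafe valve position rather than merely report it. The Python below is an added example, not from the guidance or from any equipment supplier; it models that logic as a small state machine. The drive and bin names, the conveying pressure limit and the rule that a named person must reset a latched trip are assumptions chosen for illustration.

```python
"""Interlock and trip logic for the simple grinding plant (paragraphs 82 and 95).

Added example, not from the guidance. Drive names, the conveying pressure
limit and the manual-reset rule are assumptions for illustration; real trip
settings come from the plant design and its risk assessment.
"""
from dataclasses import dataclass, field
from typing import Set

# Assumed conveying-line pressure above which a blockage is declared (mbar).
BLOCKAGE_LIMIT_MBAR = 150.0

# Items the relief-panel trip switches must stop. Paragraph 82 names elevators,
# conveyors and rotary valves; the mill and blower are added for this plant.
TRANSFER_DRIVES = frozenset({"elevator", "conveyor", "rotary_valve", "mill", "blower"})


@dataclass
class GrindingPlantInterlock:
    """Fail-safe starting state: nothing running, every slide valve shut."""
    running: Set[str] = field(default_factory=set)
    open_valves: Set[str] = field(default_factory=set)
    tripped: bool = False      # latched once a relief panel has opened
    trip_reason: str = ""

    # Paragraph 95: only one product bin slide valve may be open at any time,
    # so an explosion in one bin has no open path into the other.
    def open_slide_valve(self, bin_name: str) -> bool:
        if self.tripped:
            return False
        if self.open_valves and bin_name not in self.open_valves:
            return False
        self.open_valves.add(bin_name)
        return True

    def close_slide_valve(self, bin_name: str) -> None:
        self.open_valves.discard(bin_name)

    def start_drive(self, drive: str) -> bool:
        """Refuse to start any transfer drive while a trip is latched."""
        if self.tripped or drive not in TRANSFER_DRIVES:
            return False
        self.running.add(drive)
        return True

    # Paragraph 82: a trip switch on an explosion relief panel cuts power to
    # the whole transfer system immediately, and the trip stays latched.
    def relief_panel_opened(self, panel_id: str) -> None:
        self.tripped = True
        self.trip_reason = f"explosion relief panel {panel_id} opened"
        self.running.clear()

    # Paragraph 95: a pressure sensor on the conveying system detects a
    # blockage so the mill can be stopped before material in it overheats.
    def conveying_pressure(self, mbar: float) -> bool:
        """Return True when this reading stopped the mill and its feed."""
        if mbar > BLOCKAGE_LIMIT_MBAR and "mill" in self.running:
            self.running.discard("mill")
            self.running.discard("rotary_valve")  # stop feeding the blocked mill
            return True
        return False

    def reset(self, inspected_by: str) -> None:
        """A latched trip clears only by deliberate action after inspection."""
        if not inspected_by:
            raise ValueError("reset requires the name of the person who inspected the plant")
        self.tripped = False
        self.trip_reason = ""
```

The design point is that every unsafe request returns False or raises rather than being silently accepted, and the relief-panel trip clears the running set in one step instead of stopping drives one at a time.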

[Figure 7 Simple grinding installation diagram. Labelled items: intermediate bulk container; feed hopper; local exhaust ventilation system leading to filter outside building with explosion relief on top; magnetic trap; rotary valve; grinder; conveying system; slide valves; two product bins, each with a filter sock and an explosion relief panel.]


96 The second plant takes bulk powder deliveries from a road tanker and stores it
in a single silo inside the factory. See Figure 8.
• The road tanker is earthed to the plant before delivery starts. The pneumatic
filling line uses some plastic sections, but the earth continuity of all metal parts
of the plant has been checked.
• The bin has explosion relief, and a duct directs any relieving explosion to a safe
place outside the building.
• The airstream from the bin goes to a cyclone outside the building. This cyclone
has explosion relief. An alternative to the cyclone would be a filter unit. A filter
would separate fine particles more effectively.
• The bin has a high level alarm to warn against overfilling and so prevent the
escape of material. This alarm may be omitted if a high standard of supervision
of the transfer is ensured.
Human factors
97 Fires and explosions can occur even in the best designed plant if the people
involved do not understand the hazards of the dust and the controls provided.
The Dangerous Substances and Explosive Atmospheres Regulations require you
to provide information for employees about risks and safety measures provided,
together with adequate health and safety training. You should give all people
involved in plants handling explosible dusts training in general terms about the
nature and hazards of dust explosions, typical sources of ignition, safeguards
provided, precautions to take and any emergency procedures on their plant.
Particular points you should cover in such training are: the importance of good
housekeeping, the need to report promptly any substantial release of material, or
any equipment malfunction that could be a source of ignition.

98 You may need to restrict access to some areas while the plant is operating.
This is easier to achieve where there is clear marking of the areas concerned. This
type of arrangement is sometimes used for areas at the top of storage bins, where
it has not proved possible to duct explosion vents to the outside. DSEAR (reference 3) also
requires the access points to zoned areas to be marked with a yellow and black
triangular Ex sign (see below), where the risk assessment shows it will have some
benefit. Signs might help remind employees where special rules apply, for example
on the use of portable electrical equipment, or define parts of the premises where
office staff are not intended to have access because they have not been trained.

[Figure 8 Pneumatic delivery diagram. Labelled items: powder tanker; discharge hose; earthing strip to framework of building; silo inside building with high level alarm; explosion relief ducting to outside wall; cyclone outside building with explosion relief on top.]

Appendix A: Dust testing for fire and explosion properties
A1 A wide range of tests have been developed for use where combustible dusts are
used or stored. The results may be useful in plant design, or setting safe operating
conditions. You should be clear how the results will be used, before carrying out the
work.
A2 Tests may be needed to answer the questions:

Question 1: How could a dust be ignited in this process?
Question 2: What would be the consequences?
Question 3: How do I design the plant and process to prevent or minimise the consequences of an explosion?

Question 1
Hazard | Test | Main purpose
Hot surface | Layer ignition test; Cloud ignition test | Used to specify equipment surface temperature limits
Self heating | Various | Used to specify processing and storage temperatures and volumes
Electrostatic spark | Minimum ignition energy | Safe use of highly insulating materials, and other precautions, against static electricity

Question 2
Question | Test | Main purpose
Can the dust explode? | Vertical tube test; Particle size analysis | Are precautions against an explosion risk needed?
Can fire spread across a layer of dust? | Train fire test | Limited application

Question 3
Question | Test | Main purpose
Can I avoid dust clouds capable of exploding? | Minimum explosible concentration | May demonstrate the risk is minimal in some applications
How violent would an explosion be? | 20 litre sphere, KSt, Pmax measurement | Design of explosion vents or suppression system
Can the explosion risk be prevented by excluding air? | Limiting oxygen concentration | Used in the design of plants protected by inerting

Other tests may be needed in particular circumstances.

A3 The vertical tube apparatus is a small-scale method, which gives a visual result
only. It is used as a quick screening test to determine whether a particular dust has
any potential for exploding. Dusts that do not explode on initial testing may be dried
and/or sieved, then retested. See figure 9.

[Figure 9 Vertical tube apparatus. Labelled: perspex tube; ignition electrodes; deflector; non-return valve; solenoid valve; steel block; ball valve; air reservoir; air supply.]


A4 Numerical data obtained from the 20-litre sphere test apparatus (figure 10) is
used in the design equations for explosion vents and suppression systems and in
the design of pressure resistant plant. The apparatus allows a well-distributed dust
cloud to be ignited with a powerful ignition source and the pressure time trace to
be recorded. Tests are normally run at a range of concentrations repeated and
averaged to determine the most vigorous conditions.
A5 The most significant figure from this test is the maximum rate of pressure rise.
This is because test work on vessels of up to 600 m³ capacity has shown that the
following relationship holds for a given dust:

$\left(\frac{dP}{dt}\right)_{\max} \cdot V^{1/3} = K_{St}$

where KSt is a constant with units of bar·m·s⁻¹, and V is the volume in m³ of the
vessel. The meaning of (dP/dt)max is indicated (figure 11) by a graph of a typical
pressure-time trace from an explosion. The test is run at a range of concentrations,
and the KSt value calculated from the most vigorous explosion.

[Figure 10 Sphere test apparatus. Labelled: ignition leads; ignition pellet; perforated dispersion ring; pressure transducer; pressure gauge; exhaust valve; water inlet; water outlet; dust chamber; support.]


A6 Values of KSt are used in one generally useful method of calculating the size
of explosion relief vents. Dusts are commonly classified into broad groups as an
indication of their explosion properties. The dust groups are given below and
examples of measurements are given in Table 1.

[Figure 11 Typical trace from a dust explosion test: pressure P (bar) plotted against time t (sec). Dust injection marks the start of the trace, the pressure rises to the maximum explosion overpressure, and (dP/dt)max is the steepest slope of the rising part of the trace.]

Explosion class | KSt (bar·m·s⁻¹)
St 0 | No explosion
St 1 | > 0 to 200
St 2 | > 200 to 300
St 3 | > 300 to 600
Severity of explosion increases from St 1 to St 3.
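As an added worked example (not part of the guidance document), the Python below applies the cubic law of paragraph A5 and the explosion class table above to constructed pressure-time traces. The two traces, the dust concentrations they are keyed by, and the 10 m³ vessel used to show rescaling are all assumptions for illustration rather than test data from the page; the sphere volume is the 20-litre apparatus of paragraph A4. The example goes one step beyond the text by rearranging the same relationship to predict the rate of pressure rise in a larger vessel, which is what makes KSt, rather than the raw (dP/dt)max, the figure carried into vent design.

```python
"""Cubic law and St classification (Appendix A, paragraphs A5 and A6).

Added example, not part of the guidance document. The two pressure-time
traces below are constructed to resemble 20-litre sphere tests at two dust
concentrations; they are illustrative, not measured data.
"""
from typing import Dict, Sequence, Tuple

Trace = Sequence[Tuple[float, float]]  # (time in s, overpressure in bar)

SPHERE_VOLUME_M3 = 0.020  # the 20-litre test sphere of paragraph A4

# Constructed traces keyed by dust concentration in g/m3 (an assumption).
SAMPLE_SERIES: Dict[int, Trace] = {
    250: ((0.00, 0.0), (0.02, 0.3), (0.04, 1.2), (0.06, 2.8), (0.08, 4.6),
          (0.10, 6.0), (0.12, 6.8), (0.14, 7.1), (0.16, 7.0)),
    500: ((0.00, 0.0), (0.01, 0.1), (0.02, 0.5), (0.03, 1.6), (0.04, 3.4),
          (0.05, 5.5), (0.06, 7.2), (0.07, 8.3), (0.08, 8.9), (0.09, 9.1),
          (0.10, 9.0)),
}


def max_overpressure(trace: Trace) -> float:
    """Pmax: the highest pressure on the trace (figure 11)."""
    return max(p for _, p in trace)


def max_rate_of_pressure_rise(trace: Trace) -> float:
    """(dP/dt)max in bar/s: the steepest slope between consecutive samples."""
    slopes = [(p2 - p1) / (t2 - t1)
              for (t1, p1), (t2, p2) in zip(trace, trace[1:])]
    return max(slopes)


def kst_from_trace(trace: Trace, volume_m3: float = SPHERE_VOLUME_M3) -> float:
    """Cubic law of paragraph A5: KSt = (dP/dt)max * V**(1/3), in bar.m/s."""
    return max_rate_of_pressure_rise(trace) * volume_m3 ** (1.0 / 3.0)


def st_class(kst: float) -> str:
    """Explosion class from the Appendix A table; anything above 300 is St 3."""
    if kst <= 0:
        return "St 0"
    if kst <= 200:
        return "St 1"
    if kst <= 300:
        return "St 2"
    return "St 3"


def most_vigorous(series: Dict[int, Trace]) -> Tuple[int, float]:
    """Paragraph A5: KSt is taken from the most vigorous concentration tested."""
    conc = max(series, key=lambda c: kst_from_trace(series[c]))
    return conc, kst_from_trace(series[conc])


def predicted_max_rate(kst: float, volume_m3: float) -> float:
    """Rearranged cubic law: the (dP/dt)max to expect in a vessel of another volume."""
    return kst / volume_m3 ** (1.0 / 3.0)


if __name__ == "__main__":
    conc, kst = most_vigorous(SAMPLE_SERIES)
    print(f"most vigorous test at {conc} g/m3: KSt = {kst:.0f} bar.m/s, {st_class(kst)}")
    print(f"Pmax = {max_overpressure(SAMPLE_SERIES[conc]):.1f} bar")
    print(f"expected (dP/dt)max in a 10 m3 vessel: {predicted_max_rate(kst, 10.0):.1f} bar/s")
```

Note that the slope is taken between adjacent samples, so a coarsely sampled trace will understate (dP/dt)max; the sampling interval of the real apparatus matters as much as the formula.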

A7 A range of wheat dust and wheat flour samples have been tested with moisture
contents in the range 4-14% and median particle sizes in the range 21-72 microns.
The range of KSt values was from 53-137 bar·m/s, with a value of 146 for a
sample of wheat gluten at 7% moisture, ie all were St 1 class. See reference 22.
A8 The results of tests on a large number of samples of different materials are
given in reference 13. For some natural products, where a scatter of results is to
be expected, this reference gives records of substantial numbers of earlier tests. In
this case, cautious assumptions about the properties of a particular product based
on the set of tests, may be as reliable as testing a further single sample. In other
cases, however, it is strongly recommended that process equipment is designed
using test results on samples representative of the finest and driest material likely to
be found in the process, and not just data drawn from other sources.
Table 1 Dust groups and examples of measurements

Dust tested | Median particle size (µm) | Minimum explosible concentration (g/m³) | Maximum explosion overpressure (bar) | KSt value (bar·m/s) | St class
Paper tissue | 54 | 30 | 8.6 | 52 | St 1
Glucose | 30 | 60 | 9.2 | 123 | St 1
Wheat | 80 | 60 | 9.3 | 112 | St 1
Polyethylene, low density | 62 | 15 | 8.5 | 131 | St 1
Polymethyl methacrylate | 21 | 30 | 9.4 | 269 | St 2
Calcium stearate | 12 | 30 | 9.1 | 132 | St 1
Wood flour, various samples | 65 | 60 | 7.7-10.5 | 83-192 | St 1
Magnesium | 28 | 30 | 17.5 | 508 | St 3

Warning: these results are not intended to be used directly for plant design.

Appendix B: Legal
B1 The Health and Safety at Work etc Act 1974 (HSW Act) (reference 2) places a general
duty on employers to ensure the safety of both employees and other people from the
risks arising from the work activity, so far as is reasonably practicable. Suppliers or
manufacturers of flammable dusts that can explode, particularly where these are new
substances, have a duty under section 6 to inform anyone to whom the substance is
supplied about its properties. This may include the results of tests for explosibility.
B2 The Dangerous Substances and Explosive Atmospheres Regulations
2002 (reference 3) require that risk should be eliminated or reduced as far as is reasonably
practicable and that substitution of the dangerous substance should be considered
as the first option. The requirements are set out in more detail in supporting
approved codes of practice (references 14-18).
B3 The Provision and Use of Work Equipment Regulations 1998 (reference 5) require
every employer to take measures to prevent work equipment catching fire or
exploding. Where it is not reasonably practicable to prevent all fires and explosions,
measures to reduce the likelihood and minimise the consequences of a fire or
explosion are required. Any new equipment provided at a workplace must comply
with relevant European product safety legislation.
B4 The Workplace (Health, Safety and Welfare) Regulations 1992 (reference 6) and the
associated Approved Code of Practice sets out the requirement to maintain plant in
a clean condition. The importance of cleanliness in plants handling flammable dusts
is highlighted elsewhere in this guidance.
B5 The Control of Substances Hazardous to Health Regulations 1999 (reference 7) will
usually apply where fine dusts are present as many cause health risks where they
can be breathed in. Precautions taken to reduce the dust levels in the workroom
for health reasons will help reduce the need for regular cleaning of the room.
Knowledge of the particle size of the dust will be useful in assessing both the health
and potential explosion risks.
B6 The Equipment and Protective Systems for Use in Potentially Explosive
Atmospheres Regulations 1996 (reference 8) (EPS) introduce requirements relating to
equipment placed on the market that are intended for use in potentially explosive
atmospheres. Any equipment, protective system or device within the scope
of the regulations is required to satisfy the relevant essential health and safety
requirements, and have undergone an appropriate conformity assessment
procedure. It will carry the CE mark and symbol of explosion protection, Ex in a
hexagon. Such equipment may be described as ATEX equipment. A substantial
guide to these regulations is published on the EU website. The regulations describe
3 categories of equipment, with the different categories intended for use in the
different zones. In addition equipment classed as an autonomous protective system
must comply with detailed essential health and safety requirements.
B7 The Fire Precautions (Workplace) Regulations 1997 as amended by
SI 1999/1877 apply very widely, and require employers to take precautions to
safeguard employees in case of fire. These include adequate emergency escape
routes from buildings, fire alarm systems and fire extinguishers. The precautions
selected will need to take account of any explosible dust that is present.

Appendix C: Laboratories undertaking testing of flammable dusts
C1 FRS, Building Research Establishment Ltd, Garston, Watford, WD2 7JR
C2 Chilworth Technology Ltd, Beta House, Chilworth Science Park, Southampton,
SO16 7NS
C3 Syngenta Technology, Process Hazards Section, South Bank, Huddersfield
Manufacturing Centre, PO Box A38, Huddersfield, HD2 1FF
C4 Hazard Evaluation Laboratory, 50 Moxon Street, Barnet, Hertfordshire,
EN5 5TS
C5 Burgoyne Consultants Ltd, Burgoyne House, Chantry Drive, Ilkley, West
Yorkshire, LS29 9HU
C6 Health and Safety Laboratory, Harpur Hill, Buxton, Derbyshire, SK17 9JN


Appendix D: Area classification, zone definitions

Zone 20: A place in which an explosive atmosphere in the form of a cloud of combustible
dust in air is present continuously, or for long periods or frequently.
Zone 21: A place in which an explosive atmosphere in the form of a cloud of combustible
dust in air is likely to occur in normal operation occasionally.
Zone 22: A place in which an explosive atmosphere in the form of a cloud of combustible
dust in air is not likely to occur in normal operation, but if it does occur, will persist
for a short period only.

Layers, deposits and heaps of combustible dust must be considered as any other
source which can form an explosive atmosphere.
Reference 14 describes the transitional arrangements for implementing the
requirement for area classification of dust handling plant.
Different equipment categories are specified under the EPS regulations. Category
3D is designed for use in zone 22, category 2D in zone 21, and category 1D in
zone 20.
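As an added example (not part of the HSE guidance), the zone-to-category pairing above can be turned into a check over an equipment register: each item's ATEX marking is parsed and compared with the dust zone it is installed in. The only pairings stated above are 1D in zone 20, 2D in zone 21 and 3D in zone 22; the example goes one step further and also accepts a higher category in a lower-hazard zone (1D or 2D in zone 22, 1D in zone 21), which is the usual reading of the selection rule and is an assumption made here. The marking format handled, the plant tags and the register entries are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Dust zone -> equipment categories acceptable in that zone.
# Direct pairings (1D/zone 20, 2D/zone 21, 3D/zone 22) are as stated in Appendix D;
# accepting a higher category in a lower-hazard zone is an ASSUMPTION of this example.
ALLOWED_CATEGORIES = {
    20: {1},
    21: {1, 2},
    22: {1, 2, 3},
}

# Explosion-protection part of a marking such as "Ex II 2D" or "II 1 D":
# equipment group (I or II), category digit 1-3, atmosphere letter D (dust) or G (gas).
MARKING_RE = re.compile(r"\b(I{1,2})\s*([123])\s*([DG])\b")


@dataclass
class EquipmentItem:
    tag: str       # plant tag (constructed for the example)
    zone: int      # dust zone (20, 21 or 22) in which the item is installed
    marking: str   # nameplate marking text


def parse_marking(marking):
    """Return (group, category, atmosphere) from a marking string, or None."""
    m = MARKING_RE.search(marking)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def check_item(item):
    """Return (ok, reason) for one item installed in its dust zone."""
    if item.zone not in ALLOWED_CATEGORIES:
        return False, "zone %r is not a dust zone (20, 21 or 22)" % (item.zone,)
    parsed = parse_marking(item.marking)
    if parsed is None:
        return False, "no recognisable ATEX category in marking %r" % item.marking
    group, category, atmosphere = parsed
    if group != "II":
        return False, "group %s equipment is intended for mines, not surface plant" % group
    if atmosphere != "D":
        return False, "category %d%s is a gas rating, not a dust rating" % (category, atmosphere)
    if category not in ALLOWED_CATEGORIES[item.zone]:
        return False, "category %dD is not permitted in zone %d" % (category, item.zone)
    return True, "category %dD acceptable in zone %d" % (category, item.zone)


def check_register(items):
    """Check every item; return a list of (tag, ok, reason)."""
    return [(item.tag, *check_item(item)) for item in items]


# Constructed register: two compliant items, an under-rated motor, a gas-only
# valve and an unmarked item.
SAMPLE_REGISTER = [
    EquipmentItem("M-101 filter fan motor", 22, "Ex II 3D"),
    EquipmentItem("LT-204 silo level switch", 20, "Ex II 1D"),
    EquipmentItem("CV-310 conveyor motor", 21, "Ex II 3D"),
    EquipmentItem("SV-412 solenoid valve", 22, "Ex II 2G"),
    EquipmentItem("XR-500 legacy motor", 22, "no marking"),
]

if __name__ == "__main__":
    for tag, ok, reason in check_register(SAMPLE_REGISTER):
        print("%-4s %-28s %s" % ("OK" if ok else "FAIL", tag, reason))
```

The check deliberately rejects anything it cannot parse rather than passing it, so an item with a missing or unreadable nameplate shows up in the report instead of being silently accepted.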


References
1 Dust explosion prevention and protection: A practical guide Institution of
Chemical Engineers 2002 ISBN 0 85295 410 7
2 Health and Safety at Work etc Act 1974 chapter 37 The Stationery Office
ISBN 0 10 543774 3
3 Dangerous Substances and Explosive Atmospheres Regulations 2002
SI 2002/2776 The Stationery Office ISBN 0 11042957 5
4 Fire Precautions (Workplace) Regulations 1997 SI 1997/1840 as amended by
SI 1999/1877 The Stationery Office ISBN 0 11 082882 8
5 Provision and Use of Work Equipment Regulations 1998 SI 1998/2306
The Stationery Office ISBN 0 11 079599 7
6 Workplace (Health, Safety and Welfare) Regulations 1992 SI 1992/ 3004
The Stationery Office ISBN 0 11 025804 5
7 Control of Substances Hazardous to Health Regulations 1999 SI 1999/437
The Stationery Office ISBN 0 11 082087 8
8 The Equipment and Protective Systems for Use in Potentially Explosive
Atmospheres Regulations 1996, implementing the ATEX 95 directive SI 1996/192
as amended by SI 2001/3766 The Stationery Office ISBN 0 11 038961 1
9 Corn starch dust explosion at General Foods Ltd, Banbury Oxfordshire, 1981
The Stationery Office ISBN 0 11 8836730
10 BS EN 50281-1-2 1999 Electrical apparatus for use in the presence of
combustible dust; selection installation and maintenance British Standards
Institution
11 BS EN 50281-3 2002 Electrical apparatus for use in the presence of
combustible dust. Classification of areas where combustible dusts are or may be
present British Standards Institution
12 Combustion and Explosion Parameters of Dusts (Brenn- und
Explosionskenngroessen von Stauben), published in English by the HVBG (statutory
accident insurance organisation) Sankt Augustin, Germany ISBN 3 88383 468 8
13 BS EN 60529 1992 Specification for classification of degrees of protection
provided by enclosures British Standards Institution
14 Dangerous Substances and Explosive Atmospheres. Dangerous Substances
and Explosive Atmospheres Regulations. Approved Code of Practice and guidance
L138 HSE Books 2003 ISBN 0 7176 2203 7
15 Design of plant, equipment and workplaces. Dangerous Substances and
Explosive Atmospheres Regulations 2002. Approved Code of Practice and
guidance L134 HSE Books 2003 ISBN 0 7176 2199 5


16 Storage of dangerous substances. Dangerous Substances and Explosive
Atmospheres Regulations 2002. Approved Code of Practice and guidance L135
HSE Books 2003 ISBN 0 7176 2200 2
17 Control and mitigation measures. Dangerous Substances and Explosive
Atmospheres Regulations 2002. Approved Code of Practice and guidance L136
HSE Books 2003 ISBN 0 7176 2201 0
18 Safe maintenance, repair and cleaning procedures. Dangerous Substances
and Explosive Atmospheres Regulations 2002. Approved Code of Practice and
guidance L137 HSE Books 2003 ISBN 0 7176 2202 9
19 PD CLC/TR50404: 2003 Electrostatics. Code of Practice for the avoidance of
hazards due to static electricity British Standards Institution
20 Prevention of fires and explosions in dryers Institution of Chemical Engineers
2nd ed 1990 ISBN 085295 257 0
21 The explosibility of dispersed flour dust, Incorporated National Association of
British and Irish Millers Ltd.
22 BS EN 1127 Explosive atmospheres, explosion prevention and protection, part
1 basic concepts and methodology. British Standards Institution
This contains further information on many of the issues covered in this booklet, and
in particular, a discussion of all the potential sources of ignition.
23 BS EN 13463 part 1 Non electrical equipment for use in potentially explosive
atmospheres, basic method and requirements British Standards Institution
24 Guide to the ATEX 95 (equipment) directive
http://europa.eu.int/comm/enterprise/atex/index.htm
25 Energetic and spontaneously combustible substances: Identification and safe
handling HSG131 HSE Books 1995 ISBN 0 7176 0893 X


Further information
For information about health and safety ring HSE's Infoline Tel: 0845 345 0055
Fax: 0845 408 9566 Textphone: 0845 408 9577 e-mail: hse.infoline@natbrit.com or
write to HSE Information Services, Caerphilly Business Park, Caerphilly CF83 3GG.
HSE priced and free publications can be viewed online or ordered from
www.hse.gov.uk or contact HSE Books, PO Box 1999, Sudbury, Suffolk
CO10 2WA Tel: 01787 881165 Fax: 01787 313995. HSE priced publications
are also available from bookshops.
British Standards can be obtained in PDF or hard copy formats from the BSI online
shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard
copies only Tel: 020 8996 9001 e-mail: cservices@bsigroup.com.
The Stationery Office publications are available from The Stationery Office,
PO Box 29, Norwich NR3 1GN Tel: 0870 600 5522 Fax: 0870 600 5533
e-mail: customer.services@tso.co.uk Website: www.tso.co.uk (They are also
available from bookshops.) Statutory Instruments can be viewed free of charge
at www.opsi.gov.uk.

Published by HSE 11/09


GCPS 2010 __________________________________________________________________________

Application of a short cut risk analysis methodology for analyzing dust explosion hazards
Kees van Wingerden
GexCon AS
Fantoftvegen 38, Bergen, Norway
kees@gexcon.com
Geir Pedersen
GexCon AS
Fantoftvegen 38, Bergen, Norway
geir@gexcon.com
Scott Davis
GexCon US Inc
7735 Old Georgetown Road, Suite 1010, Bethesda, MD 20814
sgdavis@gexcon.com
[Copyright GexCon AS]
Prepared for Presentation at
American Institute of Chemical Engineers
2010 Spring Meeting
6th Global Congress on Process Safety
San Antonio, Texas
March 22-24, 2010
UNPUBLISHED
AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications

Keywords: Risk analysis, dust explosion, preventive measures, protective measures

Abstract
In this paper a semi-quantitative short-cut risk analysis method (SCRAM) is presented, allowing
for the assessment of dust explosion hazards. The method is first described and two application
examples are presented.
SCRAM is based on semi-quantitative descriptions of both the likelihood of dust explosions
occurring and the consequences of such explosions. The likelihood of dust explosions occurring
is based on the ignition probability and the probability of flammable dust clouds arising. While
all possible ignition sources are reviewed, the most important ones include open flames,
mechanical sparks, hot surfaces, electric equipment, smoldering combustion (self-ignition) and
electrostatic sparks and discharges. Apart from the machinery, the ignitibility and explosibility of
the dust will also play an important role.
The consequences of dust explosions are described as consequences for personnel and
consequences for equipment. The method reviews the consequences of both primary and
secondary events. Factors determining the consequences of dust explosions include how
frequently personnel are present, the equipment strength, housekeeping and implemented
consequence-reducing measures. Both the likelihood of dust explosions and consequences are
described by classes ranging from low probabilities and limited local damage, to high probability
of occurrence and catastrophic damage. Acceptance criteria are based on the likelihood and
consequence of the events.
The method allows for optimal choice of adequate preventive and protective measures.
To demonstrate the method an application of the method is presented: a milk powder production
facility.



1. Introduction
Dust explosions are a continuous threat in companies producing flammable powders and dust as
final and intermediate products. Sad recent examples include the serious accidents in Kinston,
North Carolina in 2003 (killing 6), Savannah, Georgia in 2008 (killing 14), and one year later the
explosion in a coal silo injuring 7 in Oak Creek, Wisconsin (2009). These serious accidents are
accompanied by many smaller dust explosion accidents in industry causing limited damage and
minor or no injuries. Some of them could however have led to more serious consequences.
Dust explosion risks prevailing in industrial facilities are dependent on a large variety of factors
that include process parameters, such as pressure and temperature, as well as equipment
properties, such as the presence of moving elements, the mechanical strength of such dust
handling equipment, dust explosion characteristics, and mitigating measures taken including
housekeeping and protective measures such as explosion venting.
In this document a semi-quantitative short-cut risk analysis method (SCRAM) is presented,
allowing for the assessment of dust explosion risks and choosing adequate preventive and
protective measures. The performance of an analysis as described here would make industry
aware of the most hazardous areas in their facilities and associated consequences in case of an
explosion.
The method is described and an application example presented. The example demonstrates the
strength of the method and the support it offers to industry for choosing appropriate risk
mitigating measures.

2. Description of the short-cut risk analysis method

This chapter describes the methodology used to determine the risk for dust explosions in
industrial facilities. The risk for a dust explosion is the product of the probability of a dust
explosion occurring and the consequences of the dust explosion. The consequences can be
divided into primary consequences, such as failure of the piece of equipment in which the dust
explosion occurs, and secondary consequences, such as an ensuing fire and secondary
explosions in connected equipment or in the working area due to whirling up and subsequent
ignition of dust layers there.
2.1 Estimating the probability of an explosion occurring

For a dust explosion to occur a flammable atmosphere must be present and simultaneously a
sufficiently strong ignition source. The dust concentration in this atmosphere must exceed a
certain limit, typically 30 g/m3, and the particle size must be sufficiently small. Dusts
with a particle size distribution from 10 to 40 micron and a dust concentration in the range 250 to
1500 g/m3 have been shown to ignite most easily and to produce the most severe explosions. Finer dust
might produce more severe explosions if the dispersion process has enough force to break up the
agglomerates and produce a dust cloud consisting of primary particles.


To be able to quantify the probability for the occurrence of an explosive atmosphere, properties
of the combustible material should be considered, together with how likely it is that the
combustible material will be mixed with air.
The probability of a specific ignition source being able to ignite the explosive atmosphere is
considered based on different criteria, such as the energy released by the ignition source, the
period in which this energy is supplied, the surface temperature of the ignition source and its
size. For mechanically generated sparks, collision speed, friction, contact time and physical
properties of the colliding materials are included.
Whether an ignition source is capable of igniting an explosive atmosphere depends on several
properties of the atmosphere, for instance the fuel concentration and the turbulence level and the
ignition properties of the explosive atmosphere (normally described by the minimum ignition
energy and minimum ignition temperature).
The factors mentioned above are considered individually and form the basis for estimating how
often an explosion can occur. It is not possible to give exact frequencies for an explosion. In
the risk analysis the probability of an explosive atmosphere and the probability of an ignition
source are each ranked from I to V, where I is the lowest probability and V the highest
probability. Each class (I, II, III, IV and V) describes a range in probability or frequency.
The probability of an explosion occurring depends on the probability of the presence of an
effective ignition source and the probability of having an explosive atmosphere. The probability
of an explosion is the product of these two probabilities (as long as the two arise
independently of each other). Definitions and explanations of the values used are given
below.
The probability for a secondary event depends on the probability for the primary event and is
normally lower than that of the primary event.
2.2 Estimating the consequences of an explosion

The consequence for personnel (Dp) and equipment (De) is estimated based on the expected
effect of the explosion. This is estimated based on expected damage caused by the heat, pressure
or loose items after the definitions given below. The consequence for personnel and equipment
from an explosion depends on the explosion pressure and the heat intensity from the explosion.
Pressure build-up in enclosed units might cause the units to rupture resulting in heat radiation
from flames, dispersion of pressure waves and flying objects.
The strength of an explosion depends on several factors, for example the initial conditions of the
dust cloud, including the fuel concentration, initial turbulence and the position of the ignition
source. The properties of the combustible material are also important, including chemical
composition. The properties of the explosive atmosphere will change over time; hence the time
of the explosion is important for the explosion propagation.
Flames propagating out from a ruptured vessel release heat that might injure personnel or cause
damage to equipment. The convective heat transfer during an explosion causes the most severe
burns. Burns/damage might be the result if personnel or equipment are in direct contact with the
explosion flame.


2.3 Definitions
The probability or frequency of an explosion occurring and the potential consequences are
each estimated on a scale from I to V, as described previously. The definitions and descriptions of the
different values are given below.
Table 1 Definition of the probability and consequence for explosions under normal operation

Probability of the formation of an explosive atmosphere (range Da):
  I    Very unlikely
  II   Unlikely
  III  Somewhat likely
  IV   Likely
  V    Very likely

Probability of the formation of an effective ignition source (range Di):
  I    Very unlikely
  II   Unlikely
  III  Somewhat likely
  IV   Likely
  V    Very likely

Probability for an explosion to occur (range De):
  I    Very unlikely      < 1/10000 per year
  II   Unlikely           > 1/10000 per year, < 1/100 per year
  III  Somewhat likely    > 1/100 per year, < 1/10 per year
  IV   Likely             > 1/10 per year, < 1 per year
  V    Very likely        > 1 per year

Consequence for personnel and equipment (ranges Dp and De):
  I    Personnel: No injury.
       Equipment: Marginal damage to process units. Process shut down.
  II   Personnel: Limited injury.
       Equipment: Damage to process unit (< $20,000).
  III  Personnel: Personnel injury.
       Equipment: Process unit collapse and possible damage to corresponding units (> $20,000; < $200,000).
  IV   Personnel: Serious personnel injury, possible loss of life.
       Equipment: Significant damage to several process units (> $200,000; < $2,000,000).
  V    Personnel: Loss of one or several lives.
       Equipment: Plant fully damaged (> $2,000,000).


2.4 Estimating the explosion risk

The explosion risk is the product of the probability of an explosion occurring and its
consequences. In the present risk analysis a qualitative risk evaluation is completed for each
process unit. The risk level for explosions can be estimated from the matrix given in Figure 1
below, based on the probability and consequence, as described in the above section, and after the
definitions in Table 1 also above. The risk level increases from E to A.

Figure 1 Risk matrix (probability I to V on one axis, consequence I to V on the other; risk levels A to E)

2.5 Acceptance criteria

The risk level and the recommended acceptance criteria are selected based on the
probability of human and economic loss according to Table 1 above. The selected criteria are
given in Table 2 below. It should be emphasized that these acceptance criteria are a proposal
only and may be chosen differently.


Table 2 Risk level definitions and recommended acceptance criteria

Risk level    Acceptance criteria    Recommended action
Very high     Unacceptable           Risk reducing measures must be implemented
High          Unacceptable           Risk reducing measures must be implemented
Medium        Medium                 Risk reducing measures should be implemented
Low           Acceptable             Risk reducing measures can be implemented
Very low      Acceptable             Risk reducing measures are not required

In the application example given in this document, the estimations of probabilities and
consequences are summarized in tables. These tables also include estimations of ignition source
probability and an estimate of the risk of secondary incidents/events.
Below, explanations to the different parts of the tables are given.
Table 3 Example of table summarizing the assessment of probability and consequences of a dust explosion in a process unit.

Process unit: Example
Probability of flammable atmosphere: IV
Probability of ignition, one column per source (equipment (electric and mechanical); hot surfaces; electric and electrostatic sparks and discharges; mechanical sparks; flames and smoldering combustion): II
Probability of explosion: II
Exposure to explosion
  Primary explosion, columns: probability (injury/damage), consequence and risk, each for personnel and equipment: II, III, III
  Secondary incidents (inclusive explosions), same columns: (empty in the example)
Comments: EXAMPLE


Process unit: The process unit the analysis applies to.

Probability: The estimated explosion probability. The probability of an explosion is the
product of the probability of an explosive atmosphere and that of an effective ignition source.

Consequence: The consequences of an event considering both personal injuries and
damage to equipment. Both primary and secondary consequences are given.
Definitions of the explosion related probability (and consequences) are given
in the above section.

Risk: The product of probability and consequence. Both the risk of primary and of
secondary events is estimated. See Table 2 for acceptance criteria.

Ignition source: The probabilities of occurrence of the five most common ignition sources are
given.

3. Application example: a spray dryer installation for milk powder
To demonstrate the method an analysis performed for a spray dryer installation used for drying
milk powder (see Figure 2) is presented. The total height of the spray dryer is 15 m; the height of
the cylindrical part is 6.3 m, supported by a conical part (angle 60°). To move dried powder out of
the conical part a pneumatic hammer has been provided. The temperature of the hot air used to dry the
milk slurry is 200 °C. The temperature of the air leaving the dryer is 90 °C. Based on air and
product throughput the average dust concentration in the dryer would be 30 g/m3. The dried
powder collected in the cone of the spray dryer is transferred into a fluidized bed for further
drying or cooling. The powder carried along with the air flow out of the dryer is removed from the
air by cyclones and a bag filter. The air from the fluidized bed is also cleaned in the cyclones and the
bag filter. The dust collected in the cyclones is returned to the fluidized bed by pneumatic
transport.
The described spray dryer installation has not been provided with any special
preventive or protective measures. The installation is located inside a building. Personnel are
around the installation only occasionally, for inspection purposes.
3.1 Analysis

The analysis has been performed for the dryer only.

To perform the risk analysis the explosion properties of milk powder need to be known.
Although it is strongly preferred to have these properties determined for the milk powder in
question, the present study was performed using literature data. This may lead to
overconservative preventive and protective measures resulting from the analysis, since one would
normally base oneself on the most conservative values of published data. On the other hand an
underestimate of the hazards may also be possible, especially for dusts where only a limited set
of explosion properties is available. For milk powder the use of literature data is acceptable since
there is a rather large number of well-described data available which do not vary much. The
data found for milk powder are presented in Table 4 (from Beck et al, 1997).
data found for milk powder are presented in Table 4 (from Beck et al, 1997).
Table 4 Explosion properties of milk powder (Beck et al., 1997)

Explosion property                              Value
Maximum explosion pressure Pmax (bar)           6-7
Dust explosion constant KSt (bar.m/s)           80-130
Minimum ignition energy (MIE) (mJ)              > 50
Minimum ignition temperature (MIT) (°C)         450-600
Lower explosion limit (LEL) (g/m3)              60-150

Figure 2 Analyzed milk powder spray dryer installation


In addition to the properties presented in Table 4 it is known that milk powder stored in bulk
might self-ignite when exposed to a higher temperature over a longer period. Tests show that
storage at a temperature of 80-90 C during a period exceeding 20 hours results in self-ignition
(Le Maillard reaction).
Hazards identification
Under normal operating conditions the average dust concentration in the dryer is below the lower
explosion concentration. Locally in the cone however one can expect that flammable
concentrations can be reached though being it intermittently. An initial local explosion could
however whirl up dust present on the cone walls causing a stronger secondary explosion (Siwek
et al., 2004). Potential ignition sources include mechanical sparks due to the rotating spraying
wheel in the top of the dryer coming loose and hitting the wall of the dryer (in the light of the
minimum ignition temperature and minimum ignition energy of milk powder this ignition source
is most likely not able to cause ignition) and self-heating of layers of milk powder. The latter
would especially be possible if the rotating spraying wheel, in case of an anomaly, is distributing
the milk slurry against the walls of the cylindrical part of the dryer. The hot drying air could
cause the resulting milk powder cake to self-ignite. The smoldering material could come loose
and fall into the cone of the dryer, causing either ignition of a flammable dust cloud there or
whirl up dust and causing this to ignite.
The probability of the latter is relatively high and based on historical evidence an explosion
should be expected with a frequency of between 10^-1 and 10^-2 per year (probability class III).
Here it is assumed that the ignition source also causes the dust cloud (a smoldering cake of milk
powder falling into the cone of the dryer).
A final ignition source could be an explosion occurring in other parts of the drying installation
running back into the dryer. This ignition source, although very realistic, is not considered here
since in a full risk analysis of the spray dryer installation it has to be considered in the analysis of
the other pieces of equipment of the installation. In this document it is assumed that sufficient
preventive and protective measures are taken to prevent this from happening, i.e. the likelihood
of this ignition source occurring is assumed to be sufficiently low.
The consequence of the explosion is most likely the failure of the dryer (explosion tests reported
by Siwek et al. (2004) show that pressure up to 1 bar are possible; it should be mentioned
however that these tests were performed under conservative conditions) potentially injuring
personnel or even causing fatalities if in the vicinity of the dryer at that very moment
(consequence classes III and IV respectively). Moreover there is a possibility that the explosion
propagates into the fluid bed or the cyclones and into the bag filter (secondary incident). This
probability is however lower than the probability of an explosion (probability class II). The
consequences are however more severe: loss of the plant (consequence class IV) and most likely
loss of one or several lives (consequence class V).
The analysis is summarized in Table 5. The table also determines the risk based on the various
probabilities and associated consequences.
Risk evaluation
The results of the analysis of the spray dryer are summarized in Table 5. The Table shows that the
risks are either medium (implying that risk reducing measures should be implemented) or high
(implying risk reducing measures must be implemented). Hence two alternatives are
investigated: one where a single preventive measure is introduced reducing the probability of
explosions and a second one where this preventive measure is combined with protective
measures.
3.2 New analysis investigating the introduction of preventive measures

To reduce the probability of explosions from occurring it is proposed to introduce a carbon
monoxide-detection system. Smoldering results in the generation of carbon monoxide (CO) due
to incomplete combustion. A CO-detection system could warn the operator of ongoing
smoldering before a hazardous situation arises (Steenbergen et al, 2007). Including this
preventive measure a new analysis has been performed of the explosion risks of the spray dryer.
Table 5 Summarizing the probabilities and consequences of primary and secondary events in the spray dryer and the associated risks for personnel and equipment.

Process unit: Spray dryer
Probability of flammable atmosphere: V
Probability of ignition, one column per source (equipment (electric and mechanical); hot surfaces; electric and electrostatic sparks and discharges; mechanical sparks; flame and smoldering combustion): III for flame and smoldering combustion
Probability of explosion: III
Exposure to explosion
  Primary explosion, columns: probability (injury/damage), consequence and risk, each for personnel and equipment: II, III, IV, III
  Secondary incidents (inclusive explosions), same columns: II, II, IV
Comments: (none)

Hazard identification
The introduction of a CO-detection system will reduce the probability of an explosion. An early
detection of smoldering combustion is assumed to reduce the probability of explosions by at least
a factor of 10, implying a probability of explosions of class II. The probability of equipment being
damaged and personnel being affected will be reduced accordingly, both for primary and
secondary incidents. The consequences are however still similar. This results in risks as
summarized in Table 6.
Risk evaluation
Table 6 shows that risks have been reduced by introducing a CO-detection system compared to
Table 5, which presents the original risks without any preventive or protective measure. The
remaining risks for personnel, which are described as medium according to the acceptance
criteria proposed in Table 2, should be addressed by introducing further risk reducing measures.

Table 6 Summarizing the probabilities and consequences of primary and secondary events in the spray dryer and the associated risks for personnel and equipment after implementation of a CO-detection system.

Process unit: Spray dryer
Probability of flammable atmosphere: V
Probability of ignition, one column per source (equipment (electric and mechanical); hot surfaces; electric and electrostatic sparks and discharges; mechanical sparks; flame and smoldering combustion): II for flame and smoldering combustion
Probability of explosion: II
Exposure to explosion
  Primary explosion, columns: probability (injury/damage), consequence and risk, each for personnel and equipment: II, II, IV, III
  Secondary incidents (inclusive explosions), same columns: IV
Comments: A CO-detection system has been included.

As described in section 3.1 an additional analysis is presented where the preventive measure of
CO-detection is combined with protective measures. A combination of explosion venting and
explosion isolation by extinguishing barriers between the dryer and fluidized bed and the dryer
and the cyclones is investigated.
3.3 New analysis investigating the introduction of preventive measures in combination with protective measures
Reducing the probability of an explosion by introducing CO-detection still leaves personnel
exposed to a medium risk. Hence additional protective measures are proposed. The effects of
introducing a combination of explosion venting and explosion isolation (extinguishing barriers)
have been investigated.


Hazard identification
The probability of explosions assuming an early detection of smoldering combustion is still as
described in section 3.2 equivalent to a probability class II. The consequences of possible
explosions are however reduced considerably. Assuming use of appropriate venting devices,
sufficient venting surface and taking into account the effect of vent ducts (which are necessary
since the spray dryer is installed inside a building) and adequate installation distances for the
extinguishing barriers (containing sufficient extinguishing powder to extinguish flames) the risk
of explosion in the spray dryer can be reduced considerably. The consequences of an explosion
are now reduced to limited or no damage both for the primary and secondary events
(consequence class I).
Risk evaluation
Introducing explosion protective measures as described reduces the risks both for the equipment
and personnel to acceptable levels. The reduction of consequences to consequence class I
(replacement of vent panels and refilling of extinguishing barriers (neglecting the costs of loss of
some produced milk powder)) results in risk levels E implying that no further measures would be
necessary. Results of the analysis have been presented in Table 7.

4. Conclusions
A semi-quantitative short-cut risk analysis method (SCRAM) has been presented, allowing for
the assessment of dust explosion risks and choosing adequate preventive and protective
measures. The performance of such an analysis makes industry aware of the most hazardous
areas in their facilities and associated consequences in case of an explosion.
The application example demonstrates the strength of the method and the support it offers to
industry for choosing appropriate risk mitigating measures.


Table 7
Summarizing the probabilities and consequences of primary and secondary
events in the spray dryer and the associated risks for personnel and equipment after
implementation of a CO-detection system in combination with explosion venting and
explosion isolation towards fluidized bed and cyclones.

Process unit: Spray dryer

Probability of flammable atmosphere: V

Probability of ignition
  Equipment (electric and mechanical): hot surfaces; electric and electrostatic
  sparks and discharges; mechanical sparks
  Flame and smoldering combustion: II

Probability of explosion: II

Exposure to explosion (values given as personnel / equipment)
  Primary explosion
    Probability (injury/damage): II / II
    Consequence:
    Risk:
  Secondary incidents (inclusive explosions):

Comments: A CO-detection system has been included combined with explosion venting
and isolation.


GCPS 2011 __________________________________________________________________________

Evaluating Combustible Dust Hazards and Implementing a Risk Reduction Program
F. Russ Davis, CSP
Aon Energy Risk Engineering
6455 South Shore Blvd., Suite 400, League City, TX 77573
russ.davis@aon.com

Prepared for Presentation at
American Institute of Chemical Engineers
2011 Spring Meeting
7th Global Congress on Process Safety
Chicago, Illinois
March 13-16, 2011
UNPUBLISHED

AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications

Keywords: Combustible dust hazard, PHA, engineering controls, housekeeping, fire protection,
mechanical integrity, hazard communication

Abstract
Dust is created from solids handling in many industries. Every company that has a process that
handles dust must fully understand all of the associated hazards. A hazard analysis performed by
competent technical specialist using fully developed process safety information is the most
effective method of hazard evaluation. Process Hazards Analysis (PHA) methodology developed
and matured in the refining and chemical industries is proving very successful in evaluating
combustible dust handling processes.
This paper will present a methodology for conducting combustible dust PHAs. Once hazards
have been identified and the consequences associated with improper handling are fully
understood, safety systems can be evaluated for adequacy and gaps identified. This paper will
discuss available recognized and generally accepted good engineering practice, as well as
industry best practices. Combustible dust control philosophies will be reviewed and discussed.
Management systems, dust handling equipment, safety systems, and mitigation systems will also
be a focus of this paper.

1. Introduction

Most organic dusts and some metallic dusts are combustible under the following conditions:

Particles are ignitable and small enough to propagate a flame front (< approximately
420 μm (microns))

Dust is suspended into a cloud in sufficient quantity

The dust cloud is confined

Oxidant is present (usually air)

Ignition source is present


Proper management of processes handling solid particulates with the possibility of producing
dust is basic to reducing risk to a Company's acceptable level. A proper management system
should consist of at least the following eleven elements:
1. Identification of dust hazards
2. Proper area classification
3. Process Hazards Analysis (PHA)
4. Management of Change (MOC)
5. Engineering controls
6. Housekeeping
7. Process separation/segregation
8. Fire protection
9. Grounding/bonding
10. Mechanical integrity
11. Hazard communication training

2. Definitions

The following terms/acronyms are used in this document:


Combustible dust: A combustible particulate solid that presents a fire or deflagration
hazard when suspended in air or some other oxidizing medium over a range of
concentrations, regardless of particle size and shape. (NFPA 654)[1]

Explosive atmosphere: For the purpose of this requirements document, an explosive
atmosphere means a mixture of air, under atmospheric conditions, and a combustible
dust in which, after ignition has occurred, combustion spreads to the entire
unburned mixture.

Kst: Maximum rate of pressure rise expressed in bar-meters/second normalized to a
volume of 1 cubic meter (m3) to distinguish from (dP/dt)max. Referred to as the
deflagration index of a dust cloud.

Limiting Oxygen Concentration (LOC): The concentration of oxidant below which a
deflagration cannot occur in a specified mixture.

Particulate solids: Granules, pellets, dusts and powders.

Minimum explosive concentration (MEC): The minimum concentration of a combustible
dust suspended in air, measured in mass per unit volume, which will support a
deflagration.

Minimum ignition energy (MIE): Minimum spark energy needed to ignite an optimum
concentration of a material using a capacitive spark under ideal conditions.

Maximum pressure (Pmax): The maximum pressure occurring as a result of a dust
explosion or deflagration.

Minimum autoignition temperature (MAIT): The lowest temperature at which a material
will ignite without an external ignition source.


3. Process Safety Information

Facilities with processes that manufacture, handle, and/or store particulate solids should evaluate
the potential for those processes to produce a combustible dust. The process may be the
production of a product, handling of a raw material, or the processing of an intermediate
particulate solid. Almost all solids can produce dust during handling processes. If the dust
produced from the handling process is not directly known to be combustible, through industry
consensus or published data, the material must be tested by a competent laboratory to determine
if the dust produced is combustible. Most organic dusts and many metallic dusts are
combustible.
When combustible dust is handled in a facility, testing to determine the potential hazard rating
should be performed by a competent laboratory or a competent source should be used to provide
documentation of the hazards of the dust. The following information should be obtained either
by testing the particulate using applicable testing protocols or obtaining the data from existing
technical resources and published test data:

Maximum pressure, Pmax

Deflagration Index, Kst

Minimum ignition energy (MIE)

Minimum oxygen concentration necessary for deflagration/fire

Particle size (worst case scenario: the smallest particles that may be found under
normal or abnormal operating conditions)

Minimum explosive concentration (MEC)

Percentage moisture (normal and worst case)

Conductivity

Maximum rate of pressure rise (dP/dt)

Minimum autoignition temperature

The combustible dust should be classified, in accordance with the table below, and the
classification rating retained as process safety information. [2]
Dust explosion class   Kst (bar.m/s)        Characteristic
St 0                   0                    No explosion
St 1                   > 0 and <= 200       Weak explosion
St 2                   > 200 and <= 300     Strong explosion
St 3                   > 300                Very strong explosion


An explosion protection document (required by EU directive 1999/92/EC Article 8, for facilities
located in the EU and for facilities outside the EU and under a regulatory jurisdiction that
requires development of an Explosion protection document or its equivalent)[5] shall be
developed by a competent person and shall demonstrate the following:

That explosion risks have been determined and assessed (typically through a process
hazard analysis (PHA))

That adequate measures will be taken to attain the aims of the EU 1999/92/EC
directive

That areas containing combustible dust have been properly classified into explosion
zones

That the workplace and work equipment, including warning devices, are designed,
operated and maintained with due regard for safety (see Section 6 on engineering
controls)

That arrangements have been made for the safe use of work equipment
(89/655/EEC)[6]

That the area is properly fenced and signage indicates proper warnings (where
required by local regulations)

4. Process Hazard Analysis

A Process Hazard Analysis (PHA) should be performed to analyze each process handling
combustible dust. Each PHA should be revalidated every 5 years or as required by local
regulation. A targeted What-if/Checklist method of PHA is very effective in evaluating the
hazards and process controls. The PHA team should always have present a subject matter
expert, someone familiar with the technical aspects of dust explosions and fires and the systems
required to manage the hazards. The PHA should:

Review the design of processes and facilities

Consider the physical and chemical properties that establish the hazardous
characteristics of the combustible dust being handled

Evaluate the need for safety systems to prevent or mitigate combustible dust fires and
explosions

The design of new processes that will handle combustible particulates should be analyzed
through PHA. The design and design basis should be documented and retained for the life of the
process.


The PHA should assess the specific risks arising from explosive atmospheres, taking into
account at least:

The likelihood that explosive atmospheres will occur and their persistence

The likelihood that ignition sources, including electrostatic discharges, will be present
and become active and effective

The installations, substances used, processes, and their possible interactions

The consequences of an explosion and the overall risks of an explosion occurrence should be
assessed.
Places connected to equipment or places where an explosion could occur should be taken into
account when evaluating the explosion risks.
The PHA should evaluate the inherent safety of a system handling combustible dusts.
Replacement of chemicals or substitution of a different formulation (liquid versus powder, pellet
versus powder, etc.) should be considered by the PHA team when making recommendations.
Design considerations should analyze equipment design options that include designing
equipment capable of containing an internal dust deflagration.
The PHA team should have at least one person familiar with combustible dust hazards and
protective systems. A team member may be considered as familiar with the hazards and
protective systems associated with combustible dust if they have a background in identification
of combustible dust hazards and engineering and administrative controls. A PHA team member
may also be considered as familiar with combustible dust hazards and protective systems through
training.

5. Management of Change

Processes handling combustible particulate solids should have a written management of change
(MOC) procedure to safely manage changes to the process, technology, equipment and facilities,
except for replacements-in-kind. This program should address the following:

The documentation of the technical basis for a change and the expected result

The impact of a change on safety and health

When a Process Hazards Analysis and/or other EHS Reviews should be conducted

The mechanisms necessary to maintain Process Safety Information and Procedures
(operating, emergency, and maintenance procedures) that are affected by the change
up-to-date and accurate

Authorizations by Company employees who are charged with overall responsibility
for operations affected by the change

The responsibilities of those persons initiating and authorizing a change

The identification of temporary changes, necessary time period for these changes and
measures that should be taken to assure a safe operation


Training of employees (operators, mechanics, and technical personnel) who have job
responsibilities affected by the change prior to its implementation or performing work
associated with the change

Examples of a change that would require a MOC may include the following (this is not intended
to be a complete list of items requiring MOC for dust concerns but only to serve as examples):

Adding new equipment, such as a mixer, dryer, bag house, conveyor, dust collector,
cyclone, separator, blower, sifter, or classifiers

Increasing the temperature in the process that could result in drier material

Adding new materials, purchase of raw materials in particulate solid form

Changing a product formulation by the addition of solid combustible particulate
materials

Reduction or change in the inerting gas flow or volume or a change in the type of
inert gas such as nitrogen to carbon dioxide

Making a process change that reduces the particle size of the combustible particulate
solid being handled

6. Engineering Controls

Engineering controls should address the hazards of handling combustible particulate solids.
Controls should be designed and installed in accordance with recognized and generally accepted
good engineering practices (RAGAGEP). Engineering controls should require:
Prevention of the potential for a dust explosion through inherently safer technology
(e.g., designing equipment to contain a deflagration, etc.)
Design and installation of deflagration containment system
Inerting of the process to prevent a dust deflagration and fire
Emergency venting of the process
Suppression equipment per applicable RAGAGEP
(An example of RAGAGEP includes, but is not limited to, NFPA 654.)
6.1 Inerting

Gas inerting of a process handling combustible particulates should be designed to maintain the
oxygen concentration at a level that is too low to support a dust deflagration or fire. Adequate
instrumentation and instrumented protective systems should be installed to ensure that oxygen
concentrations are always in a safe range whenever there exists the possibility of an ignition
occurring.


6.2 Emergency Venting

Emergency vents installed to safely relieve an overpressure caused by a dust deflagration to a
safe location should be designed in accordance with recognized and generally accepted good
engineering practice. Examples of RAGAGEP for design of emergency venting include NFPA
68.

6.3 Equipment Specifications

Equipment specifications should follow RAGAGEP for control of the hazards of handling
combustible particulates. Equipment should be designed to be inherently safe, (able to contain
an internal dust deflagration) or adequate protective systems should be installed to protect the
equipment from internal deflagration. Emergency venting or high integrity instrumented
protective systems (interlocks) should be installed to reduce the risk of an internal deflagration to
an acceptable level. Equipment that should be considered as potentially handling combustible
dust includes the following:
Silos
Conveyors (solid particulate handling)
Product elevators
Classifiers and sorters
Cyclones
Ducting
Cleaning vacuum systems
Loading/unloading systems
Dryers
Mixers
Dust collection systems
(This list is not intended as all inclusive. Other equipment, as noted by intended service, should
be included in this list.)
Equipment should be classified as suitable for the area in which it will be installed and follow
applicable area classification standards. Examples of applicable standards include but are not
limited to:
NFPA 70, Chapter 5, Article 500
Directive 99/92/EC of the European Parliament - ATEX 137
Directive 89/655/EEC of the European Parliament
Directive 94/9/EC of the European Parliament - ATEX 95


Safety instrumented systems and alarms should be designed, installed and maintained per
industry RAGAGEP.
Equipment interconnectivity should be considered and evaluated during the PHA of processes
that manufacture, handle, and/or store combustible dusts. Protective systems should be installed
to prevent the propagation of a fire or deflagration flame front from the original equipment to
other connected equipment in the process. NFPA 654 provides examples of engineering
corrective measures that may be used to prevent the spread of a dust fire or deflagration.
Applicable RAGAGEP should be used as reference for proper design of segregation equipment.
Explosion suppression equipment should be designed and installed per guidelines of applicable
RAGAGEP such as NFPA 69.
Equipment handling combustible particulates should be grounded and bonded to prevent the
accumulation of static electricity that can discharge and ignite combustible dust. Grounding and
bonding should be verified by a qualified person prior to start-up of any newly added equipment
or existing equipment that has been modified in such a manner to affect its electrical bonding or
grounding. A maintenance program should be in place to periodically confirm the continuity of
equipment bonding and path to ground. Electrical resistance should be measured and verified as
being less than 1 x 10^6 ohms to ground. [1]
Buildings housing equipment handling combustible particulates should be constructed per
applicable RAGAGEP. One example of RAGAGEP is the NFPA 654 Standard. NFPA 654
requires buildings to be constructed in such a way that the support structure will remain standing
after a dust explosion to prevent full collapse of the building on the occupants and equipment and
to also allow for emergency exit of occupants[1]. Another example of RAGAGEP is the Uniform
Fire Code, which states that buildings where flammable or explosive dusts are manufactured,
processed, or generated shall be provided with explosion control.

7. Housekeeping Controls

Facilities should have a program in place to control fugitive emissions of combustible dust into
work areas. This program should include recognition and prompt repair of dust leaks. Where
fugitive dust is released the facility should have controls in place, which may include continuous
ventilation to minimize the build-up of dust in normal operations. Facilities handling
combustible dust should have a housekeeping program. The housekeeping program should, at a
minimum, contain the following elements:


1. Equipment should be maintained and operated to minimize fugitive dust emissions.

2. The housekeeping program should include regular cleaning to prevent the
accumulation of combustible dust. Dust accumulations should not exceed an amount
that if lofted and suspended could lead to a dust deflagration. NFPA 654 gives the
following guidance on dust accumulation levels: [1]

For combustible dusts having a bulk density of 75 lbs/ft3 (kg/m3) or more: Dust
accumulations in a 100 ft2 (9 m2) floor area that are in excess of 1/32nd inch (0.8
mm) and cover more than 5% of the surface area would provide a dust cloud with
sufficient concentration for a dust deflagration.

For combustible dusts with a bulk density less than 75 lbs/ft3 (kg/m3): The
following formula may be used to adjust the allowable thickness:
Allowable thickness (in.) = (1/32)(75) / bulk density (lb/ft3)(kg/m3)
Example: If a 1/32nd inch dust layer of material having a bulk density of 75
lbs/ft3 covered more than 5 ft2 of a 10 ft x 10 ft room there is a sufficient quantity
of dust, if suspended in air, to produce a deflagration.
Example: If the dust layer has a bulk density of 35 lbs/ft3 it would take a dust
layer 0.067 in. thick to exceed the hazardous dust thickness:
(75)(1/32)/35 = 0.067 in.

3. The thickness of dust accumulation that could create a combustible dust cloud for
buildings with room heights in excess of 10 ft (3.05 m) can be calculated using the
following formula:
Tex = H Atot / (87.5 p Adust)
where:
Tex = thickness of dust layer required to create a room explosion hazard
(inches)(cm)
H = height of the room or building (ft)(m)
Atot = total floor area of room or building (ft2)(m2) [use 20,000 (ft2) as an upper
limit regardless of the actual room or building area (exception: if dust is evenly
deposited over the entire area, you can use the actual floor area without maximum
limitation)]
p = bulk density of deposited dust (lb/ft3)(kg/m3)
Adust = total area (ft2)(m2) of suspensible dust deposits within the room or
building volume.
Overhead beams and ledges should be considered in the total area of dust deposits.
The available surface area for dust deposits on joists, girders, beams, and other
overhead structures can be roughly estimated to be 5% of floor area.


4. Surfaces should be cleaned in a manner that minimizes the generation of dust clouds.
Vigorous sweeping or blowing down with steam or compressed air should not be
permitted when such activities can produce a dust cloud. (Use of compressed air for
cleaning is not allowed by OSHA regulations unless the pressure is regulated to less
than 30 psig (2.07 bar)). The use of a central vacuum cleaner system is recommended.
The vacuum cleaner system must be rated for use in Class II areas or for use in the
designated zones as noted:
Zone 20: category 1 equipment
Zone 21: category 1 or 2 equipment
Zone 22: category 1, 2 or 3 equipment
If the vacuum cleaner system will be used to clean up hybrid dust mixtures that may contain
flammable hydrocarbons, the vacuum system must also be rated for use in Class I areas or
suitable for Zones 0, 1, or 2.
Facilities should ensure that clean up activities do not create additional hazards. Facilities
should evaluate the use of water to wash down chemicals that may form a corrosive solution in
water. If a corrosive solution is generated by washing down activities equipment may be
damaged.
Facilities should ensure proper handling and disposal of waste material that may be created
during cleaning activities.
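As an added worked example (not code from the paper or from NFPA 654), the two housekeeping criteria from section 7 implemented in Python: the allowable-thickness adjustment for bulk density with the 5% coverage rule, and the Tex room formula with its 20,000 ft2 cap on Atot and the 5% overhead-surface estimate. Function names, the LayerSurvey record and the sample rooms are assumptions of this example; the thresholds are the ones the guidance text states.

```python
"""Dust-layer housekeeping checks from the NFPA 654 guidance quoted in section 7.

Added example, not code from the paper or from NFPA 654. Function names,
constant names and the sample surveys are constructed for illustration; the
numbers (1/32 in., 75 lb/ft3, 5 %, 20,000 ft2, 87.5) are those the guidance
text states, in the units the text uses (ft, ft2, lb/ft3, in.).
"""
from dataclasses import dataclass

REFERENCE_BULK_DENSITY = 75.0      # lb/ft3, density at which 1/32 in. applies
REFERENCE_THICKNESS_IN = 1.0 / 32  # in., layer thickness criterion at 75 lb/ft3
COVERAGE_LIMIT = 0.05              # layer must cover > 5 % of the surface area
FLOOR_AREA_CAP_FT2 = 20_000.0      # upper limit on Atot unless dust is evenly deposited
OVERHEAD_AREA_FRACTION = 0.05      # rough estimate of joist/beam/ledge area vs floor
MIN_ROOM_HEIGHT_FT = 10.0          # Tex formula applies to rooms higher than this
TEX_CONSTANT = 87.5                # denominator constant as stated in the guidance


def allowable_thickness_in(bulk_density_lb_ft3: float) -> float:
    """Allowable thickness (in.) = (1/32)(75) / bulk density for dusts lighter
    than 75 lb/ft3; the fixed 1/32 in. criterion applies at 75 lb/ft3 or more."""
    if bulk_density_lb_ft3 <= 0:
        raise ValueError("bulk density must be positive")
    if bulk_density_lb_ft3 >= REFERENCE_BULK_DENSITY:
        return REFERENCE_THICKNESS_IN
    return REFERENCE_THICKNESS_IN * REFERENCE_BULK_DENSITY / bulk_density_lb_ft3


@dataclass(frozen=True)
class LayerSurvey:
    """One dust-accumulation survey of a room (constructed input record)."""
    bulk_density_lb_ft3: float
    floor_area_ft2: float
    layer_thickness_in: float
    covered_area_ft2: float


def exceeds_accumulation_limit(survey: LayerSurvey) -> bool:
    """True when the layer reaches the allowable thickness AND covers more than
    5 % of the floor area, i.e. enough dust for a deflagration if lofted.
    Reaching the thickness threshold is treated as exceeding it, which is the
    conservative reading of the 1/32 in. example in the guidance."""
    limit = allowable_thickness_in(survey.bulk_density_lb_ft3)
    thick_enough = survey.layer_thickness_in >= limit
    wide_enough = survey.covered_area_ft2 > COVERAGE_LIMIT * survey.floor_area_ft2
    return thick_enough and wide_enough


def room_explosion_thickness_in(height_ft: float, floor_area_ft2: float,
                                bulk_density_lb_ft3: float, dust_area_ft2: float,
                                evenly_deposited: bool = False,
                                include_overhead: bool = True) -> float:
    """Tex = H * Atot / (87.5 * p * Adust) for rooms higher than 10 ft.

    Atot is capped at 20,000 ft2 unless the dust is evenly deposited over the
    whole floor; Adust is increased by 5 % of the floor area for overhead
    beams and ledges when include_overhead is True.
    """
    if height_ft <= MIN_ROOM_HEIGHT_FT:
        raise ValueError("formula applies to room heights in excess of 10 ft")
    if bulk_density_lb_ft3 <= 0 or dust_area_ft2 <= 0:
        raise ValueError("bulk density and dust area must be positive")
    a_tot = floor_area_ft2 if evenly_deposited else min(floor_area_ft2, FLOOR_AREA_CAP_FT2)
    overhead = OVERHEAD_AREA_FRACTION * floor_area_ft2 if include_overhead else 0.0
    a_dust = dust_area_ft2 + overhead
    return height_ft * a_tot / (TEX_CONSTANT * bulk_density_lb_ft3 * a_dust)


if __name__ == "__main__":
    # The two worked examples from the guidance: a 1/32 in. layer of 75 lb/ft3
    # dust over more than 5 ft2 of a 10 ft x 10 ft room, and the 0.067 in.
    # limit for a 35 lb/ft3 dust.
    print(exceeds_accumulation_limit(LayerSurvey(75.0, 100.0, 1 / 32, 6.0)))  # True
    print(round(allowable_thickness_in(35.0), 3))                              # 0.067
    # Constructed tall room: 20 ft high, 30,000 ft2 floor (capped to 20,000 ft2),
    # 40 lb/ft3 dust on 1,000 ft2 of equipment plus 5 % overhead surfaces.
    print(round(room_explosion_thickness_in(20.0, 30_000.0, 40.0, 1_000.0), 4))  # 0.0457
```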

8. Process Siting

Processes handling combustible particulate solids should be designed, constructed, equipped, and
maintained to protect occupants not in the immediate proximity of a fire or deflagration.
Buildings and process areas should also be designed to allow time for those in near proximity to
evacuate, relocate, or take refuge in the event of a fire or explosion. This may include building
design that includes weak panels to vent an explosion and adequate structural integrity to
withstand the explosion or fire thus allowing personnel time to evacuate.
A siting study should be performed to evaluate the effects associated with a combustible dust
explosion. The process should be located, designed, constructed, and maintained to minimize
the propagation of fire or explosion to or from adjacent properties and to avoid injury to the
public.
When a process handling combustible particulates is located within a structure the structure
should be designed, constructed, and equipped to maintain its structural integrity in spite of fire
or explosion for the time necessary to evacuate, relocate, or shelter in place occupants not in the
immediate proximity of the ignition.


Emergency relief vents or panels should relieve to a safe location. Emergency vents should not
relieve inside the building where a secondary explosion may occur from the released dust cloud
or where personnel may be present. Emergency vents should not relieve outside the building to
an area where a secondary dust deflagration may occur or where the pressure wave and burning
material may adversely affect an area where workers may be present or where the pressure wave
may affect process equipment containing hazardous materials.
Where combustible atmospheres can occur, workers should be given visual and/or audible
warnings that conditions exist which could reasonably result in a fire and/or explosion so that
they may evacuate prior to the fire or explosion. This may include optical detectors with alarms
to alert personnel of a significant dust cloud or other appropriate detectors with alarms.
Examples of adequate warnings devices may include such things as alarms that alert personnel
on loss of inerting atmosphere, where inerting is used to prevent a dust deflagration, or an optical
light detector that would alert personnel of the presence of a dust cloud with a concentration
sufficient to have a deflagration.
Exits from the process area should exist and be located and maintained to allow for safe
evacuation.

9. Fire Protection

Fire protection should be provided for process areas handling combustible particulates. Fire
protection systems should be designed using good engineering practices such as National Fire
Protection Association (NFPA) and applicable Insurance agency requirements.
Where process areas are connected to or are part of warehouse operations, the warehouse should
be provided with adequate fire protection systems or a properly designed firewall with adequate
fire rating is recommended.
Equipment and protective systems designed for use in EU member countries should be compliant
with 94/9/EC.

10. Mechanical Integrity

An inspection, testing, and preventive maintenance program should be developed and
implemented to ensure that equipment, explosion protection systems, and related process
controls perform as designed. The inspection, testing and preventive maintenance program
should include, as applicable, the following:

Fire and explosion protection and prevention equipment

Dust control equipment

Housekeeping program to identify and correct fugitive dust emissions as soon as
possible


Identification and control of potential ignition sources: inspection for hot bearings,
missing insulation on hot piping, maintenance of trash metal detectors, periodic
alignment checks for rotating equipment, lubrication of bearings, etc.

Electrical, process, and mechanical equipment, including process interlocks,
associated with the combustible dust process

Process changes: new equipment should be added to the MI program and inspected
and tested to ensure that the equipment is installed and is working as designed

Inspections, testing and preventive maintenance records should be documented and retained for
the life of the equipment.
Material feeding devices should be maintained to ensure safe operations. Bearings should be
lubricated, as applicable (sealed bearings do not require lubrication but should be inspected and
tested to ensure proper operation. Thermographic imaging can be used to locate a hot bearing.).
Air-moving devices should be inspected to ensure safe operations. The inspection plan for
air-moving devices should include the following activities, at a minimum:
Fans, blowers, and compressors are checked for excessive heat and vibration
Lubrication of external bearings should be performed during equipment down time
Bearings should be inspected and tested for excessive wear
Fan housings should be inspected for corrosion/erosion wear
Air-material separators should be inspected to ensure safe operation. The inspection plan for
material separators should include:
The separators should be inspected for erosion/corrosion.
Devices should be adjusted and lubricated per the manufacturer's recommendations.
The filter media should be replaced as recommended by the manufacturer and based
on plant experience.
Fire and explosion protection systems should be inspected and tested per regulatory and the
insurance agency's recommendations. Testing of fire and explosion protection systems should
always comply with local regulations.
Emergency vents, explosion panels, isolation valves, flame arrestors, and relief valves should be
inspected and tested in compliance with regulatory requirements and the manufacturer's
recommendations, or they should be inspected on a frequency based on plant practice and
experience.
All explosion prevention systems and inerting systems should be maintained pursuant to the
requirements of NFPA 69, Standard on Explosion Prevention Systems unless said
requirements conflict with local regulatory requirements.[3]


Grounding and bonding systems should be periodically inspected and tested. Metal components
should have a resistance of less than 1 x 10^6 ohms to ground.

11. Procedures

Written operating procedures should be developed for processes handling combustible
particulates. Operators should be trained on the written operating procedures. Maintenance
procedures applicable to equipment handling combustible particulates should be developed to
detail safe work practices and to ensure maintenance practices minimize the possibility of
creating combustible dust clouds. Emergency procedures shall be developed for mitigation of
fire and explosion events involving combustible dust, and for the adequate response to these
events, including the safe evacuation of personnel.

12. Hazardous Communication and Training

12.1 Material Safety Data Sheets (MSDSs)

Company MSDS for a material that can produce a combustible dust should be produced and the
MSDS made available to affected personnel.
12.2

Warning Signs

If required by regulatory bodies in EU countries, warning signs should be located at the entrance
to locations where explosive atmospheres may occur in compliance with 1999/92/EC.[5]
12.2

Training

Operators, maintenance and technical personnel should all be trained on combustible dust
hazards, preventing dust explosion and fires and the safety systems in place to prevent or
mitigate dust explosions. All personnel involved in operating and maintaining the process
should receive initial and refresher training on the process and the plant safe work practices
applicable to their duties. Training should include the following elements, as applicable:
Hazards of their workplace
General orientation, including plant safety rules
Process description
Equipment operation, safe startup and shutdown, and response to upset conditions
The necessity for proper functioning of related fire and explosion protection system
Equipment maintenance requirements and practices
Housekeeping requirements
Emergency response plans
Workers should be trained on emergency procedures and actions to be taken in the event of a fire
or explosion involving combustible dust.


13. Conclusions

Recent events such as the Imperial Sugar combustible dust explosion in 2008 continue to identify the hazards of handling combustible dusts. A company that handles solid particulates must identify if there is a hazard present from a combustible dust and, if so, that company must have a program to safely manage the hazard. A facility should be designed and maintained for the safe operation of those processes that handle combustible dust.
Industries that handle materials that can produce combustible dust include food processors, agricultural product handling, pet food manufacturers, sugar manufacturing, chemical plants, and many more. OSHA continues its national emphasis program (NEP) for the inspection of targeted industries handling combustible dusts. OSHA has stated that it has plans to promulgate a new combustible dust standard in 2011.

References
[1] NFPA 654, Standard for the Prevention of Fires and Dust Explosions from the Manufacturing, Processing and Handling of Combustible Particulate Solids
[2] NFPA 68, Guide for Venting of Deflagrations
[3] NFPA 69, Standard on Explosion Prevention Systems
[4] Directive 1999/92/EC on minimum requirements for improving the safety and health protection of workers potentially at risk from explosive atmospheres
[5] Directive 89/655/EEC concerning the minimum safety and health requirements for the use of work equipment by workers at work

Additional references not cited:
[6] NFPA 484, Standard for Combustible Metals
[7] FM Data Sheets 7-76
[8] CCPS Guidelines for Safe Handling of Powders and Bulk Solids

LAYER of PROTECTION ANALYSIS.

Trainers: Richard Gowland (rgowland-epsc@icheme.org.uk) or (Rtgowland@aol.com)
Course Notes: To be used in conjunction with:
Presentation Handouts (Microsoft Powerpoint)
Case Studies (Microsoft Word)
Study tool (Microsoft Excel)
The scope of this course:
It addresses the methodology known as Layer of Protection Analysis, which is a simplified method of analysing process risk scenario cases and the existing or planned protective layers, to ensure that the risk is adequately controlled. It addresses the simple order of magnitude or basic classic LOPA as described in the CCPS literature referred to. The Process Safety Leadership Group (Buncefield) final report describes in Appendix 2 the best practice for fuel storage in the U.K. This document is most likely to be used by the regulators in their Seveso 2 (COMAH) report requirements. http://www.hse.gov.uk/comah/buncefield/fuel-storage-sites.pdf
It refers to International Standards such as IEC 61511 but does not explain them in detail. IEC 61511 does reference Layer of Protection Analysis as a means of complying with the risk assessment section of the standard. Literature references are provided at the end of these course notes.

Index:
The Risk Assessment process
Description of LOPA
Scenario definitions, Target Factors, severity, frequency
LOPA Onion
Concept of Protection Layers
The Bow Tie
LOPA as a simplified tool to reduce complexity
Conditional Modifiers
Independent Protection Layers (IPLs)
Structuring LOPA
Acronyms and Definitions (BPCS etc)
The LOPA Process
The LOPA Process: Hazard Identification
The LOPA Process: Scenarios
The LOPA Process: Consequence Estimation and quantification
The LOPA Process: Initiating Events
The LOPA Process: Conditional Modifiers
The LOPA Process: Independent Protection Layers
The LOPA Process: Other Safety Related Protection Systems, discussion and resolution
Limitations, state of the art: what decisions can we support? What questions remain?
Appendix
How to decide if enough is enough? Intro to ALARP.
Uncertainty and Sensitivity
Definitions
LOPA spreadsheet tool instructions
References

This course covers the analysis method Layer of Protection Analysis to design and manage layers of protection. It is a tool to be used in processes like the following:

[Flowchart: Simplified Risk Management Process] Determine risk review requirements (when and who) -> Identify hazards (what and how) -> Analyze/Assess risk -> Is risk tolerable? If yes: Manage residual risk. If no: Can risk be reduced? If yes: Reduce risk and re-assess. If no: Discontinue activity.

The course refers to, but does not address in detail, validation, registration and testing requirements.
What are we interested in?
A means of analysing and managing risk, reducing it when we believe that it is intolerable.
A very important step must be:
Have I defined my risk tolerance criteria or target?
What does this mean?
It is important for the user to have a clear idea of what his targets are. It is recommended that a company sets its own criteria where there are none set by the governing authorities. Typically, the target is a frequency. In the LOPA study, the target frequency (the LOPA Target) is the frequency which the user considers to be entering the tolerable region. In Europe several countries have published targets for off-site effects such as serious injury or fatality (e.g. Netherlands, ALARA). Others do not have specific targets. In the U.K. the Health and Safety Executive suggests some numbers in terms of frequencies, but they have the concept of ALARP. ALARA and ALARP will be discussed later. In principle, you need to show that you have considered lowering the risk further but that it cannot be justified (for example, it might involve unreasonable cost). This course suggests some tolerated frequencies which have been used in Quantitative Risk Assessment. A fundamental step is for targets to be set. Targets should vary according to an estimate of the severity of an unwanted event. There are several ways of doing this. In any event, it has to be conceded that the tolerable frequency for a cut finger will be greater than (more frequent than) that for a fatality.
The difference between TOLERABLE and ACCEPTABLE?
A personal approach: if a situation is acceptable I have little motivation to improve it. I have accepted it and am unlikely to seek opportunities to improve it. If a situation is tolerable, I am tolerating it, but am actively seeking ways to improve it.
The following is an example (but you need to derive your own or use data from the Competent Authorities).
Target Frequency/yr | Target Factor | Impact on People: On-site | Impact on People: Off-site
1.00E-02 | - | A minor injury with no permanent health damage | Nuisance complaint
1.00E-03 | - | Serious permanent injury - one or more persons | An event requiring neighbours being told to take shelter indoors
1.00E-04 | - | Single fatality | An event leading to the need to evacuate neighbours
1.00E-05 | - | 5 fatalities | Minor (recoverable) injury
1.00E-06 | - | More than 10 fatalities | Neighbour serious injury
1.00E-07 | - | 100 fatalities | Fatality
1.00E-08 | - | Catastrophic event - many fatalities | More than 1 fatality
1.00E-09 | - | Catastrophic event - many fatalities. Business future in doubt | Multiple fatalities

2nd example:
Target Frequency/yr | Target Factor | Impact on People: On-site | Impact on People: Off-site
1.00E-02 | - | Discomfort | -
1.00E-03 | - | A minor injury with no permanent health damage | Nuisance complaint
1.00E-04 | - | Serious permanent injury - one or more persons | An event requiring neighbours being told to take shelter indoors
1.00E-05 | - | Single fatality | An event leading to the need to evacuate neighbours
1.00E-06 | - | 5 fatalities | Minor (recoverable) injury
1.00E-07 | - | More than 10 fatalities | Neighbour serious injury
1.00E-08 | - | 100 fatalities | Fatality
1.00E-09 | - | Catastrophic event - many fatalities | More than 1 fatality

Have we accounted for all the serious scenarios? We need to consider on-site and off-site effects. There needs to be a robust Hazard Identification process. The most obvious are processes such as HAZOP, which is a structured type of brainstorming. In my experience, it has helped to provide users with a standard list to start them out. One of the greatest challenges in risk analysis is to make sure that all possible scenarios are accounted for.
Does my analysis system indicate if my criteria are met?
The criteria of interest are generally severity and frequency based, i.e. risk based.
Can we devise a simple method to determine if we have met our risk criteria? This is what Layer of Protection Analysis (LOPA) attempts to do. Essentially it is based on a simplified fault tree methodology. The methodology is fully explained in the course. There are 2 common approaches: the first is the order of magnitude approach used in the U.S.; the second attempts more accuracy and is described in the PSLG Final Report.
If we know our target frequency, how is the final event frequency affected by safety barriers or Protection Layers?
Once a train of events has been initiated, unless something intervenes the frequency of the final event will be the same as the frequency of the initiating event. For example, if we know that the tide comes in twice a day and our piece of beach lies below the high water line, it will go under water twice a day. Nothing has been provided to intervene, so the answer is very obvious. If we believe that it is important to prevent this happening, we can add a layer of protection to intervene and reduce the frequency of the flooding. If this is a lock gate at the opening of the bay, we could make a dramatic difference to the frequency of the flooding. This is what has been done in the Netherlands, where much of the land lies below high water and has been reclaimed from the sea. They wanted a good assurance that the land would not be inundated frequently. At the same time they recognise that such protection is not 100% reliable: it has a probability that it will fail. This is called Probability of Failure on Demand. In a chemical plant, if the undesired final event is a vessel rupturing as a result of a gassy decomposition during an uncontrolled runaway reaction, we would add layers of protection to prevent the frequency being as high as that of an initiating event such as a temperature control loop failure. In such an example, we would consider:

Additional high temperature deviation monitoring and connection to a trip system
Diverse instrumentation loops with safe shut down (e.g. pressure)
Trend monitoring in a parameter such as temperature to show a deviation from normal
Relief systems (e.g. Pressure Safety Valves or Rupture Disks)
Quench or reaction kill systems

If these measures are effective and independent of each other, they can be credited in a fault tree or in LOPA. If they are deficient in either effectiveness or independence, further steps are needed. It seems obvious to state that we should not tolerate major events which are caused by a single failure. However, history reveals that it does sometimes happen. There are also some cases where apparent single failures can lead to major events. An obvious example is the failure of a chlorine sphere pressure tank. These are frequently installed on plants without any secondary containment. Reliance is placed on:

Sound engineering design practices developed and improved over many years
Inspection systems
Emergency response
Careful Land Use Planning

None of these can be described as layers of protection which prevent the final outcome, i.e. release of all or most of the contained chlorine. The first two are designed to make sure that the frequency of catastrophic failure is extremely low (< 1e-06) and the latter two are designed to either mitigate the effect or reduce the exposed population. In cases like these, LOPA may be interesting but may not be the best approach. So do not expect it to answer every question you can imagine about risk. You may finish up a study with protection gaps which apparently cannot be closed in cases like this.

And which Protection Layers are applicable? Here is a depiction of the LOPA Onion.

The LOPA Onion (layers from the outside in):
Community Emergency Response
Plant Emergency Response
Physical Protection e.g. Relief Devices
Safety Instrumented System preventative action
Critical Alarms and Operator intervention
Basic Process Control System, Operating Discipline / Supervision
Process / Plant Design

This is a neat depiction of the concept, but there are some items which overlap into more than one layer e.g.
Operator Intervention and BPCS capability.
In the LOPA study we will spend most time looking at the process itself, the control systems, including any
safety functions built in, safety instrumentation and SOME of the others such as relief systems, dikes etc.
This diagram illustrates how Independent Protection Layers (IPLs) are credited.
The system is designed to respond in a safe way to an initiating event or demand.
If an event occurs, there are 2 possibilities when the first IPL senses the event: it can fail (hopefully with a low probability of failure on demand (PFD)) or it can work successfully. The frequency of the resulting dangerous failure is the frequency of the event (the demand) multiplied by the PFD of the first layer.
If it fails, the next layer of protection is required to work; again there are 2 possibilities, failure or success. The cumulative failure frequency is the product of the original event frequency and the PFDs of the 3 layers of protection. As each layer is called upon to function, the failure frequency of the entire system becomes progressively smaller.
Hopefully we can achieve the Risk Tolerance Criteria. This is what it looks like in fault tree format:

Protection Layer Concept (fault tree format):

Initiating Event, estimated frequency fi = x
  -> IPL1 (PFD1 = y1): success -> Safe Outcome; failure -> f1 = x * y1
  -> IPL2 (PFD2 = y2): success -> Safe Outcome; failure -> f2 = x * y1 * y2
  -> IPL3 (PFD3 = y3): success -> Safe Outcome; failure -> Impact Event occurs, frequency f3 = x * y1 * y2 * y3

Key:
The arrow represents the severity and frequency of the Impact Event if later IPLs are not successful.
IPL - Independent Protection Layer
PFD - Probability of Failure on Demand
f - frequency, /yr


Each Layer of Protection needs to satisfy the definition:
A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating
event or the performance of another layer of protection.
This turns out to be straightforward for many types of IPLs such as Safety Instrumented Systems which take the
process to a safe state, but others suffer from the limitation that they may only reduce the scale of the final
event. Examples of this are:
dikes or bunds,
emergency response,
fire protection
water spray vapour absorption,
We shall discuss possible ways of accounting for these.

Description of the bow-tie

The general approach retained is the bow-tie approach, which treats an accident scenario as a succession of events.

[Bow-tie diagram] Left-hand side (Prevention): Initiating Events 1 to 4 pass through prevention LOPs / LODs (labelled 1a, 1b, 1c, 2a, 3a, 3b, 3c, 4a) towards the central event, Release, or to No consequence where a layer succeeds. Right-hand side (Mitigation): mitigation LOPs / LODs M1 and M2 lead from the Release to Consequence A, B or C.

LOPA deals with the ANDs in the fault tree. Perhaps we need to examine the cumulative issues presented by the ORs later.
Layer of Protection Analysis simplifies the fault tree and event tree from the bow tie for each scenario/initiating event case by assigning conservative generic values for the frequencies of initiating events (on the fault tree side) and the Probability of Failure on Demand (on the event tree side) for each of the Independent Layers of Protection. It then runs the simple mathematics to arrive at a final unwanted event frequency which can be compared with the target (tolerable) frequency.
Use of LOPA will indicate if a SIS is needed and, if it is, what Safety Instrumented Function and Safety Integrity Level it needs to achieve.
Reliability levels required by plant operations and the achievable test intervals for various design configurations will enable you to choose the architecture for the hardware whilst satisfying the SIL needs:
degrees of redundancy
redundancy arbitration logic (related to shut down function)
Example: a system with dual sensors may have:
a) 1 out of 2 logic (system trips if either sensor gives a signal at the trip set point), or
b) 2 out of 2 logic (system trips only after both sensors give a signal at their trip set point)
Note: a) generally will give more false trips than b)
The subject is complex and we need to simplify it.

Complex mathematical terms and systems (the single-channel, low-demand approximation of IEC 61508):
PFD = lambda_DU x (T1/2 + MTTR) + lambda_DD x MTTR

Simple tools (orders of magnitude):
1 + 1 + 2 = 4, or
0.1 x 0.07 x 0.01 = 0.00007

PFD = Probability of Failure on Demand
lambda_DU = dangerous undetected failure frequency
lambda_DD = dangerous detected failure frequency
MTTR = Mean Time to Repair
T1 = proof test interval
The simplified approach that LOPA adopts looks like this:
Initiating event frequency            1e-01
Conditional Modifier (probability)    1e-01
Independent Protection Layers:
  PFD of IPL 1                        1e-01
  PFD of IPL 2                        1e-01
  PFD of IPL 3                        1e-02
Final event frequency                 1e-06

This can be compared with the target (tolerable) frequency selected to see if the target is met or exceeded or a
protection gap exists.
This is a simpler approach than fault tree, bow tie and the application of complex calculations for every control
loop involved in a safety scenario.
The whole subject is complex.
Some important definitions:

What is an Enabling Event or Conditional Modifier?

This is something which affects the frequency of the final outcome because it reflects such things as the probability that a hazard will be present at a given time. Examples include:

the probability that a flammable leak will be ignited
hazardous unit operations which are running intermittently
scenarios which involve injury to plant operating staff but which occur in areas which are rarely occupied (a probability of exposure)

These factors should be allowable since they do affect the frequency of the final outcome in the sense that the
hazard is there for less than 12 months a year or that the probability of ignition for fire and explosion cases may not
always be 100%. If the latter two examples are considered, it is important to remind users that the patterns of use
and exposure may change with time. This is just one reason for periodic review.
Allowance for Conditional Modifiers suggested in the course is based on a 10% or 1% probability. Any factor
lying between is always conservatively rounded up. In the case of the probability of ignition, quantities are
suggested. Essentially, if the leak is large enough it is assumed that it will ignite.
It is important to recognize that the subject of conditional modifiers can be a source of much study. This cannot
always be conclusive because they are difficult to simulate and test. However, it should be possible to get expert
advice or to model discharge of flammable liquids to see if the vapour emitted can reach the flammable range and
be above flashpoint. Additionally, it is worth considering the beneficial contribution made by the so called
explosion proof electrical equipment which may be required for the area. Some effort is being made to quantify
this in the U.K. (HSE)
The Independent Protection Layers illustrated above could be:

basic Process Control (BPCS)
alarm and Operator Response
hard wired independent trips
Safety Instrumented Systems
relief systems
other Safety Related Protection Systems
and (possibly)
mitigation such as dikes/bunds and emergency response

The number of layers needed is dictated by

the frequency of the initiating event
the Conditional Modifiers (if any)
the PFDs of the Independent Protection Layers
and
the Target frequency

If the frequency of the final event appears to be greater than the target, a Protection Gap exists. It will need to
be closed. We shall discuss how this might be achieved.
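The simplified arithmetic above, the conservative rounding of conditional modifiers and the protection-gap test, carried through as an added example written for these notes (it is not the course's spreadsheet tool). The function names are the author's own and the input values are constructed, using the numbers of the course's simplified example (1e-01 x 1e-01 x 1e-01 x 1e-01 x 1e-02 = 1e-06).

```python
"""Added example (not part of the course notes): the simplified LOPA
arithmetic, conservative rounding of conditional modifiers, and a check of
the final frequency against the target. Names and values are constructed."""
import math

# Conditional-modifier credits allowed by the course: 10% or 1% (or no credit).
# Anything in between is rounded UP (conservatively) to the next allowed value.
ALLOWED_MODIFIERS = (0.01, 0.1, 1.0)


def round_modifier(probability):
    """Round a conditional modifier up to the nearest allowed decade.

    0.05 -> 0.1, 0.003 -> 0.01, 0.1 -> 0.1, 0.3 -> 1.0 (no credit taken).
    """
    if not 0.0 < probability <= 1.0:
        raise ValueError("a conditional modifier is a probability in (0, 1]")
    return next(v for v in ALLOWED_MODIFIERS if probability <= v + 1e-12)


def lopa_frequency(initiating_frequency, modifiers, ipl_pfds):
    """Final event frequency = IEF x product(modifiers) x product(IPL PFDs).

    Modifiers are rounded conservatively before use; IPL PFDs are used as given.
    """
    f = initiating_frequency
    for p in modifiers:
        f *= round_modifier(p)
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("a PFD is a probability in (0, 1]")
        f *= pfd
    return f


def protection_gap(final_frequency, target_frequency):
    """Orders of magnitude still needed to reach the target (0 if it is met).

    e.g. final 1e-4/yr against a target of 1e-6/yr -> gap of 2 decades, i.e.
    an added IPL (or IPLs) must supply a risk-reduction factor of 10^2.
    Comparison is done in decades with a small tolerance so that rounding in
    the floating-point product does not report a spurious gap.
    """
    decades = math.log10(final_frequency / target_frequency)
    if decades <= 1e-9:
        return 0
    return math.ceil(decades - 1e-9)


def course_example():
    """Constructed scenario with the course's numbers: IEF 1e-01/yr, one
    conditional modifier 1e-01, IPL PFDs 1e-01, 1e-01 and 1e-02, target 1e-06/yr."""
    f = lopa_frequency(1e-1, [0.1], [0.1, 0.1, 0.01])
    return f, protection_gap(f, 1e-6)   # -> (1e-06, 0): target met


if __name__ == "__main__":
    f, gap = course_example()
    print(f"final event frequency {f:.1e}/yr, protection gap {gap} decade(s)")
    # The same scenario with only the first two IPLs credited: a gap remains.
    f_two = lopa_frequency(1e-1, [0.1], [0.1, 0.1])
    print(f"with two IPLs: {f_two:.1e}/yr, gap {protection_gap(f_two, 1e-6)} decade(s)")
```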

Do I need a Safety Instrumented System? Are there alternatives?

Whatever is decided upon, a basic rule of thumb is that the system chosen needs to be effective, independent
and testable. This may be more difficult than it appears.

It leads to questions about:

Testing Intervals
Testing methods and protocols
Independence and common cause failure
The effect of Redundancy
Reliability / False Shutdowns
Software programming
Global Consistency & Industry Standards
Internal Requirements
Regulator Requirements

All of these are covered in the course notes and presentations.


So how do we structure LOPA and what are the tools available?
The idea's simplicity allows a user to derive his own tools. They are also available commercially. This course illustrates a tool devised for the study.
The following is a means of depicting the fault tree in a different and simple way (see page 13, where the tabular form is shown).

Layer of Protection Analysis using standard initiating event frequencies and failure rates for Independent Layers of Protection

The worksheet has the following columns:
Scenario No.
Equipment No.
Scenario Description
Consequence Description/Category
Risk Tolerance Criteria: Frequency/yr (read comments in cells); Reasoning
Initiating Event Frequency
Enabling Event or Condition: Probability; Factor
Conditional Modifiers (Probability; Factor): Probability of Ignition; Probability that ignition leads to explosion; Probability that personnel will be in affected area; Others
Frequency of unmitigated Consequences
Independent Protection Layers: BPCS actions with trip; BPCS alarm and operator response*; Pressure Relief; Safety Instrumented Function A; Safety Instrumented Function B; Other Safety Related Protection Systems
Total Probability of Failure on Demand for all IPLs
Frequency of Mitigated Consequences
Risk Tolerance Criteria Met?

You will need to get used to some acronyms:

BPCS: The Basic Process Control System.
Frequency: The number of times in a given period an event occurs.
PFD: Probability of Failure on Demand. The probability that a system or element of a system will fail to act as required when a demand is made of it. This is normally expressed as a number between 0 and 1, as a percentage, or in mathematical terms.
SIS: Safety Instrumented System. A specially designed, validated and tested system made up of certified or proven-in-service elements. This comprises a process deviation sensing element, logic solver and final element which places the process in a safe state.
SIF: Safety Instrumented Function: The designed function of the SIS (e.g. senses high temperature and isolates energy supply).
SIL: Safety Integrity Level. A standardized PFD for certified SISs (usually having a PFD of 1E-01, 1E-02 or 1E-03).
SIP: Safety Instrumented Programming: The section of any logic solver software devoted to Safety Instrumented System control.
False Trip: Erroneous trip of a process due to a failure of a control loop capable of shutting down the process. This is particularly important for large continuous plants.
Other Safety Related Protection Systems: These are systems which have been installed by the user to act as layers of protection which do not fit into the category of BPCS or SIS.
Independent Protection Layer: A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.
Mitigation systems as layers of protection: Systems which do not prevent the scenario development but will reduce its impact, severity and scale. See Other Safety Related Protection Systems.
Details follow:
BPCS: The Basic Process Control System

The basic Process Control System can be a conventional instrumented control system, usually electronic which uses
field analysers connected to controllers or switches designed to keep the process within normal operating
parameters. BPCS features often include alarms and trips which act when the process deviates beyond design
allowances. We would normally allow these to be credited as Layers of Protection. It is important to remember that
in a study, the BPCS loop can only appear once as an independent layer of protection, since it may not share any
element with another IPL. In practice this means that an alarm and a trip working within a single loop cannot be
credited twice. When redundancy is considered, the practice of putting more than one sensing element into a single
loop or in separate loops which share the same controller or logic solver or final element does not achieve a
significant increase in safety and certainly does not produce 2 IPLs.

Frequency: The number of times in a given period an event occurs.


For the purposes of LOPA we are interested in Dangerous Failures (detected and undetected). The LOPA tool
works from the basis that the number of failures per 10 years is the required input. Most companies have access to
data which would allow them to assign failure frequencies to most control loops. When failures of process
equipment like tubes in heat exchangers are considered, the failures are very much affected by service conditions
and many other factors. Care should be used before relying too much on information which does not directly apply
to the service.
The information used in this LOPA course has been taken from company experience, the Netherlands Purple
Book and industry sources such as OREDA and DNV. In some cases a Competent Authority can give broad
categories of data, but more often than not, they expect you to provide your own and may dispute it. In any event,
even the most authoritative and costly to access data is not guaranteed reliable or up to date.
PFD: Probability of Failure on Demand. The probability that a system or element of a system will fail to act as required when a demand is made of it. As in the case of frequency data, this is available from several sources. Reliability of data is again not guaranteed, although with equipment certified for SIL 1, 2 or 3 there is testing and certification to ensure performance can be validated.
All IPLs have a PFD. Even SIL certified devices have a finite failure probability.
SIS: Safety Instrumented System. A specially designed, validated and tested system made up of certified or proven-in-service elements. This comprises a process deviation sensing element, logic solver and final element which places the process in a safe state. By definition, each SIS must meet the requirements of the SIL designation it possesses. This includes the cradle to grave life cycle for the system.
SIF: Safety Instrumented Function: The designed function of the SIS (e.g. senses high temperature and isolates energy supply). Human response cannot be included in a SIS.
The key thing which needs continual emphasis is that the SIF must be effective in stopping the development of a scenario (and not cause some other event to occur). A good example of this is that a SIS with a block valve as its final element needs to respond quickly enough to the process deviation (time for detecting + transmitting + fully closing) to stop the scenario developing.
SIL: Safety Integrity Level. A standardized PFD for certified SISs (usually having a PFD of 1e-01, 1e-02 or 1e-03).
IPL loops which contain SIL devices must have an overall dangerous failure rate meeting the SIL requirements. Of course this means that each element must perform better than the SIL for which it is designed, because the PFD of the loop is the sum of the PFDs of its elements. Typically:
the sensor can contribute 35%
the logic solver can contribute 15%
the final element can contribute 50%
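An added example (not from the course or from any standard's text) that applies the 35/15/50 split to budget a loop's PFD for a required SIL and checks a loop's elements against that budget, using the course's order-of-magnitude figures (SIL n corresponds to PFD 1e-n). The function names and the two sample loops are constructed.

```python
"""Added example (not part of the course notes): budgeting a SIF loop's PFD
across sensor, logic solver and final element in the typical 35/15/50 shares,
and checking a loop against the course's order-of-magnitude SIL figures."""
import math

# Typical shares of the loop PFD budget quoted in the course.
TYPICAL_SHARES = {"sensor": 0.35, "logic_solver": 0.15, "final_element": 0.50}


def pfd_for_sil(sil):
    """Course usage: SIL 1, 2, 3 correspond to a PFD of 1e-01, 1e-02, 1e-03."""
    if sil not in (1, 2, 3, 4):
        raise ValueError("SIL must be 1..4")
    return 10.0 ** (-sil)


def sil_for_pfd(pfd):
    """Order-of-magnitude SIL achieved by a PFD (0 if worse than 1e-01).

    3e-02 -> SIL 1, 1e-02 -> SIL 2, 5e-03 -> SIL 2, 8e-04 -> SIL 3.
    """
    if not 0.0 < pfd <= 1.0:
        raise ValueError("a PFD is a probability in (0, 1]")
    return min(4, max(0, math.floor(-math.log10(pfd) + 1e-9)))


def allocate_budget(required_sil, shares=TYPICAL_SHARES):
    """Split the loop PFD budget for the required SIL across the elements."""
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("shares must add up to 100%")
    budget = pfd_for_sil(required_sil)
    return {name: budget * share for name, share in shares.items()}


def loop_pfd(element_pfds):
    """Course rule: the loop PFD is the sum of its elements' PFDs."""
    return sum(element_pfds.values())


def check_loop(element_pfds, required_sil):
    """Report the loop's total PFD, the SIL it achieves, and any element that
    uses more than its share of the budget for the required SIL."""
    total = loop_pfd(element_pfds)
    budget = allocate_budget(required_sil)
    over = sorted(name for name, pfd in element_pfds.items()
                  if pfd > budget.get(name, 0.0) * (1 + 1e-9))
    achieved = sil_for_pfd(total)
    return {"loop_pfd": total,
            "achieved_sil": achieved,
            "meets_required": achieved >= required_sil,
            "over_budget": over}


# Constructed loops for a SIF that must achieve SIL 2.
# Naive: every element bought "to SIL 2" (PFD 1e-02 each); the sum is 3e-02.
NAIVE_LOOP = {"sensor": 1e-2, "logic_solver": 1e-2, "final_element": 1e-2}
# Budgeted: elements chosen to fit the 35/15/50 split of 1e-02.
BUDGETED_LOOP = {"sensor": 3.5e-3, "logic_solver": 1.5e-3, "final_element": 5e-3}

if __name__ == "__main__":
    for label, loop in (("naive", NAIVE_LOOP), ("budgeted", BUDGETED_LOOP)):
        print(label, check_loop(loop, required_sil=2))
```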

SIP: Safety Instrumented Programming: The section of any logic solver software devoted to Safety
Instrumented System control. There are special considerations for this. If the SIF is programmed through a PLC or
Process Control system, it needs to have the software program separate from the process control program. It needs
to be locked so that inadvertent or unauthorized change is not possible. It must also be tested and validated.


False Trip: Erroneous trip of process due to a failure of a control loop capable of shutting down the process. This
is particularly important for large continuous plants. Unfortunate examples of systems where any one of three
independent loops can trip a plant exist. These give three times as many false trips as single systems do. So the
pursuit of enhanced safety can introduce unexpected frustrations and even new hazards.
Other Safety Related Protection Systems: These are systems which have been installed by the user to act as layers
of protection which do not fit into the category of BPCS or SIS. Since these may not always stop the scenario
developing (they often mitigate it or reduce its impact) they can be credited only if there is good evidence to show
that they are effective. Debate is ongoing about the effect of Emergency Response, Shelter in Place, Fire
Protection, Water Sprays. If you include these, you need a good case and should be able to demonstrate that the
system is most likely to work. From the experience of many studies the author has discovered that there may be
deficiencies.
Independent Protection Layer: A layer of protection that will prevent an unsafe scenario from progressing
regardless of the initiating event or the performance of another layer of protection. This is one of the most
important considerations of the LOPA methodology. LOPA assumes that all allowed IPLs are independent of each
other. So:
A BPCS trip may be independent of a hard wired trip if there are no common elements. Often, the power supply
may appear to be common. There are cases where the loss of the power supply may impair both layers of
protection and leave the process in an unsafe mode, because of the failure of the common element (power). This is
not always the case and needs to be clarified.
A second process sensor attached to a single control loop may appear to give added protection, but in many cases
does not because the governing failure may turn out to be the logic solver or the final element.
A BPCS trip which has an alarm attached makes a lot of sense, so that the operator understands what is happening. However, the operator response cannot be taken as independent from the control loop trip, because it relies on the same sensor and logic solver as the BPCS trip action.
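An added example (not from the course) that applies these independence rules to a set of candidate IPLs described by the elements they depend on: a layer that shares a sensor, logic solver or final element with one already credited is not credited again, and a shared power supply is flagged for clarification rather than rejected, as the text suggests. The tag names and the candidate list are constructed.

```python
"""Added example (not part of the course notes): screening candidate IPLs for
shared elements before crediting them. Tags and candidates are constructed."""

# Each candidate IPL is described by the elements it depends on.
# Constructed tag names; any resemblance to a real plant is accidental.
CANDIDATE_IPLS = {
    "BPCS high-temperature trip": {
        "sensor": "TT-101", "logic_solver": "DCS-1",
        "final_element": "XV-101", "power": "UPS-A"},
    "BPCS alarm + operator response": {
        "sensor": "TT-101", "logic_solver": "DCS-1",
        "final_element": "operator", "power": "UPS-A"},
    "Hard-wired high-pressure trip": {
        "sensor": "PT-102", "logic_solver": "RELAY-2",
        "final_element": "XV-102", "power": "UPS-A"},
    "Pressure relief valve": {
        "sensor": "PSV-103", "logic_solver": "PSV-103",
        "final_element": "PSV-103", "power": None},
}

# Sharing a sensor, logic solver or final element disqualifies the second
# layer; a shared power supply does not automatically, but must be clarified.
DISQUALIFYING = ("sensor", "logic_solver", "final_element")


def shared_elements(a, b):
    """Element roles whose component is the same in both IPL descriptions."""
    return [role for role in a if a[role] is not None and a[role] == b.get(role)]


def credit_ipls(candidates):
    """Walk the candidates in order, crediting each one that shares no
    disqualifying element with an IPL already credited.

    Returns (credited names, rejected {name: reason}, clarify {name: reason}).
    """
    credited, rejected, clarify = [], {}, {}
    for name, elems in candidates.items():
        blocker = None
        for prior in credited:
            shared = shared_elements(candidates[prior], elems)
            bad = [role for role in shared if role in DISQUALIFYING]
            if bad:
                blocker = f"shares {', '.join(bad)} with '{prior}'"
                break
            if "power" in shared:
                clarify[name] = f"common power supply with '{prior}' ({elems['power']})"
        if blocker:
            rejected[name] = blocker
            clarify.pop(name, None)   # a rejected layer needs no clarification
        else:
            credited.append(name)
    return credited, rejected, clarify


if __name__ == "__main__":
    credited, rejected, clarify = credit_ipls(CANDIDATE_IPLS)
    print("credited:", credited)
    print("rejected:", rejected)
    print("needs clarification:", clarify)
```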
Finding Scenarios and cases:

The LOPA Process (flowchart):
Step 1: Identify scenario of interest
Step 2: Identify consequences
Step 3: Identify initiating events
Step 4: Identify conditional modifiers
Step 5: Identify existing IPLs
Step 6: Add new IPLs if needed
Step 7: Make risk decisions
Loop: select the next initiating event and repeat. Evaluating further risk reduction suggestions feeds into the risk decisions.

HAZOP is an excellent source for scenarios and initiating events

Others include
What-if
FMEA
Checklist
Experience
Past incidents

When you record the Scenarios:

Start with hazard identification information. Describe the consequence as precisely as possible
Agree consequences (scenario) that will be studied. (Some may be better studied by other means, e.g. fire protection)
Confirm the scenario is developed to the extent that is consistent with LOPA
If you are not sure about the consequence, include it and discussion will help
Study to find possible initiating events (remember that a single scenario may have several initiating events)
Identify other factors that apply (Conditional modifiers)
e.g. Probability of ignition
Probability of person(s) in area and exposed
Other, e.g. Probability of injury or fatality


LOPA is not a tool for developing scenarios


The Scenario, along with the Cause-Consequence Pair are an input to LOPA and must be developed before LOPA
can begin
In LOPA, a clear identification of scenario is needed before assessing the target of tolerated event frequency
Team needs to provide relevant information
Plant experiences
Existing HAZOPs, What-if, checklist or other qualitative hazard evaluation.
Audit and Risk Review findings
Industry experience
Root Cause investigation
And have an understanding of tolerable risk
A study group is needed like a HAZOP team:
Get the right people involved:
Process knowledgeable people
Process and Control Knowledgeable people
Other technical resources
LOPA Facilitator and Time Manager
Process Safety Specialist
Process Control Engineer
Plant Operations people
Every Scenario must have 5 clearly defined parts:
1. Consequence (Toxic Vapour release, Vapour Cloud Explosion (VCE), fire, etc.). Consider consequent
injuries or environmental concerns
2. Material involved (ethylene, chlorine etc.)
3. Process Unit involved (reactor, column, pipe, etc.)
4. Initiating event (operator error, instrument loop failure, control failure, etc.)
5. Conditional Modifiers (probability of ignition, normally unoccupied area, etc.)

Evaluate Process for Hazard Potential

Check lists, dispersion analysis, Seveso or MHI reports
Identify an item with hazard potential
Examples are process equipment containing hazardous material
Using a brainstorming procedure:
have the right people in the room
HAZOP, What-if, check list of events, whatever's effective
Describe the scenario (what's going to happen) and the amount of material involved.
Is it clearly understood? The cause must be readily visible. If not, develop further.


Use the Piping and Instrument Diagram.


[Figure: Piping and Instrument Diagram of the unit operation to be studied. Tags visible on the drawing include reactors R-201, R-202 and R-203, vessels V-204, V-206, V-208 and V-212, exchangers E-204, E-205 and E-206, column C-202, agitator A-202AG, instruments FT, PT, PDT, AT, JT, LIT, LSH and PSH, the TCB premix feed, area MIC detectors, and the barrier fluid, N2, hot oil, cold oil, vent header and blowdown header lines.]

Unit operation to be studied


Estimate the consequence of the scenario.

Release of hazardous chemicals
Unwanted reactions
Consequence analysis or hazard look-up tables based on material hazard and quantity involved
On site effects and off site effects
Is this consequence of concern?
If YES, continue. Otherwise stop, identify another scenario or go to the next item of concern
Briefly think about initiating events - can this actually happen?
There may be several
A check list of typical initiating events is useful
Initiating Events:
As described before, a single scenario consequence can have several different initiating events.
In order to study each scenario fully, you must remember that each scenario may have more than one
initiating event.
Scenario (1) combined with initiating event (0.1) becomes case 1.01
Scenario (1) combined with initiating event (0.2) becomes case 1.02
Scenario (1) combined with initiating event (0.3) becomes case 1.03
Scenario (1) combined with initiating event (0.4) becomes case 1.04
And so on, through the aggregation process, to sum all initiating events.
When done, move to scenario (2):
Scenario (2) combined with initiating event (0.1) becomes case 2.01
Scenario (2) combined with initiating event (0.2) becomes case 2.02
Scenario (2) combined with initiating event (0.3) becomes case 2.03
Scenario (2) combined with initiating event (0.4) becomes case 2.04
And so on.
This is very much like HAZOP, which brings the HAZOP recommendation:
What to consider for initiating events?
4 general types:
External events
Hardware failures
Systems failures
Human failures


Initiating Event Frequencies for Layers of Protection Analysis

Initiating Event | Initiating Event Frequency (per year) | Initiating Event Factor
BPCS Instrument Loop Failure | 1.E-01 | 1
BPCS has single sensor which fails | 1.E-01 | 1
Control Valve Fails | 1.E-01 | 1
Regulator Failure | 1.E-01 | 1
Operator Failure (to execute routine procedure, well trained, unstressed, not fatigued). Action performed more than once a quarter. | 1.E-01 | 1
Operator Failure (to execute routine procedure, well trained, unstressed, not fatigued). Action performed once/Qtr. or less | 1.E-02 | 2
Pump Failure | 1.E-01 | 1
Pump Seal Failure | 1.E-01 | 1
Cooling Water Failure | 1.E-01 | 1
Loss of electrical power | 1.E-01 | 1
General Utility Failure | 1.E-01 | 1

External events are difficult to quantify
Hardware failure data may be available internally or from industry databases
Systems failures (e.g. Control Systems Failure) are normally available internally
Human failures are an ongoing study, but authorities such as Swain in the U.S. have published data for specified
cases
External Events:
Third party intervention e.g. vehicle impact, vandalism.
Natural events

Hardware failure:
Pump problems
Pump leaks
Mechanical Seal leaks
Hose or fragile equipment failure
Piping and equipment failure

Systems failures:
Control loop failure

Human Failures:
Infrequent operation
Frequent operation
Operation under stress (remember Longford incident in Australia)

The workbook on LOPA has embedded in it a list of initiating events and scenarios used in the author's work.
It covers
Pumps
Piping and Hoses
Vessels and Tanks
Reactors
Scrubbers and absorbers
Miscellaneous equipment
And addresses Fire, Explosion and Toxic release and attempts to quantify their effects by reference to an injury
matrix. Matrices based on chemical quantity and properties are sometimes available, but regulators usually base
their evaluations on potential injuries.

Basic rules for Initiating Events:

1. If BPCS and Alarm IPLs use the same sensor, you can take credit for one IPL only.
2. The Alarm IPL requires an operator action to prevent the scenario.
3. If a sensor failure is the Initiating Event, BPCS and Alarm IPL are not valid credits if they require the failed sensor to function.
4. If a final element failure is the Initiating Event, BPCS and Operator action on Alarm IPL are not valid credits if they require the failed final element to function.
5. If a BPCS logic solver is an Initiating Event, no credit is taken for the BPCS or Alarm IPL, unless the Alarm IPL is a completely separate system.
6. If an Alarm is an IPL, the operator must have time to prevent the scenario. No credit should be taken if the operator has less than 15 minutes to respond.
7. Only one (1) BPCS and one (1) Alarm IPL credit are allowed for a case.
8. Sharing of BPCS and SIS elements may be allowed when there is evidence of adequate independence.
9. Mechanical safety devices such as over-speed trips are not Instrumented IPLs. However, they may qualify as an Independent Safety Related Protection System under the Other Safety Related Protection System column.


Enabling Events and Conditional Modifiers:


Enabling Event/Conditional Modifier - An event or condition that makes possible another event. It
does not cause a scenario
must be present for the scenario to develop
is usually expressed as a probability
May not be applicable for large releases of volatile toxic materials - these already present a problem to exposed
people

Examples:
Probability of ignition - a gas release ignites, becoming a fire or explosion.
Unloading operation carried out infrequently
Event occurring in an infrequently occupied area
A batch reaction can run away from loss of cooling only at the beginning of the batch
Other credible ideas?

Infrequent operations:

What do we think about an operation which apparently poses a high risk during the operation?
Are there other mechanisms to protect the exposed person(s)?

Normally handled with an auditable procedure, Task Safety Analysis or a permit to work system (proper approval
of method, isolation, protective equipment etc.).

Enabling Events/Conditional Modifiers.

These have at least three dimensions:

The proportion of time when the risk can be present.

The probability that someone will be exposed if the scenario develops fully.

For fire and explosion events, the probability of ignition.

The proportion of time when the risk can be present.

Take the case of a sensitive exothermic batch process which is operating for most of the year. The plant produces 7
batches a day. The exothermic reaction step of the process has a duration of 75 minutes (dictated by chemistry,
heat exchange capability, batch size and demand). The process is benign for the rest of the time. The scenario of
concern is a reactive chemicals runaway which could rupture the reactor. The risk is thus present for approximately
the following proportion of the year:
(75 x 7) / (60 x 24) = 36% of the time. This is more than 10% of the time, so LOPA assumes that the hazard is always
present. Therefore no Conditional Modifier applies. However, if this operation is run for only 3 months a year, a
different approach might be appropriate for the long term operation.


Another example is the case where someone is unloading a raw material into a tank from an unloading station. The
scenario of concern is: the storage tank overflows because there is insufficient space to accommodate the added
material. If this happens very frequently it is in the same category as the first example above. If the loading
operation happens once per week and takes 1 hour, the proportion of time when the hazard is present is 1/(7x24).
This would obviously affect the final event frequency, simply because the opportunities for overflowing the tank via
operator error or instrument loop (level transmitter) failure are limited to a small proportion of the year. In this case
LOPA would allow a Conditional Modifier of 1E-02. The infrequent operation does not relieve the operator from
proper management of the activity in order to protect people during the operation. In any case the operator who
has such a brief exposure may be exposed to similar hazards during the rest of his work day and we should not
forget the cumulative risk aspects. It would not make any sense to say that all our high severity activities occupy a
small proportion of the day, so we can ignore them! Add them together and see what happens.
Probability of Exposure | Frequency Range from Literature (/yr.) | Enabling Factor Probability | Enabling Factor
Probability of Exposure allowed for processes in operation for less than 5 weeks/yr or when personnel are seldom present in area. | | 1x10-1 | 1
Probability of Exposure for rare processing events (occurs less than 1% of the time) or in remote locations. Tech. Center and Process Safety concurrence required to use this factor. | | 1x10-2 | 2
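The proportion-of-time rule worked above (the 36% batch case, the same process run for only three months, and the once-a-week unloading) together with the probability-of-exposure table, as an added Python example that is not part of the course notes. Treating the band between 1% and 10% of the time as the 1E-01 factor is an assumption made here; the day counts for the two batch cases are constructed.

```python
"""Proportion-of-time conditional modifier. Added example, not the course notes' own."""
import math

HOURS_PER_YEAR = 365 * 24

# Thresholds taken from the text and the probability-of-exposure table.
ALWAYS_PRESENT_FRACTION = 0.10   # above this, LOPA treats the hazard as always present
RARE_EVENT_FRACTION = 0.01       # below this, the 1E-02 factor may be used (with concurrence)


def hazard_time_fraction(duration_hours: float, occurrences_per_year: float) -> float:
    """Proportion of the year during which the hazardous condition exists."""
    if duration_hours < 0 or occurrences_per_year < 0:
        raise ValueError("duration and occurrence rate must be non-negative")
    return min(1.0, duration_hours * occurrences_per_year / HOURS_PER_YEAR)


def time_conditional_modifier(fraction: float) -> float:
    """Probability by which the initiating event frequency is multiplied.

    >= 10 % of the time : 1.0   (no conditional modifier)
    1 % .. 10 %         : 1E-01 (the 'less than 5 weeks a year' band; assumed here)
    <  1 % of the time  : 1E-02 (rare processing event; concurrence required)
    """
    if fraction >= ALWAYS_PRESENT_FRACTION:
        return 1.0
    if fraction >= RARE_EVENT_FRACTION:
        return 1e-1
    return 1e-2


def enabling_factor(probability: float) -> int:
    """Enabling factor as used in the tables: 1.0 -> 0, 1E-01 -> 1, 1E-02 -> 2."""
    return round(-math.log10(probability))


def assess(label: str, duration_hours: float, occurrences_per_year: float) -> dict:
    """Summarise one operation: time fraction, conditional modifier and enabling factor."""
    fraction = hazard_time_fraction(duration_hours, occurrences_per_year)
    modifier = time_conditional_modifier(fraction)
    return {"operation": label, "fraction": fraction,
            "modifier": modifier, "factor": enabling_factor(modifier)}


# Constructed inputs reproducing the three situations discussed in the text.
BATCH_ALL_YEAR = assess("75 min exotherm, 7 batches/day, 365 days", 75 / 60, 7 * 365)
BATCH_THREE_MONTHS = assess("75 min exotherm, 7 batches/day, 91 days", 75 / 60, 7 * 91)
WEEKLY_UNLOADING = assess("1 h unloading once a week", 1.0, 52)

if __name__ == "__main__":
    for case in (BATCH_ALL_YEAR, BATCH_THREE_MONTHS, WEEKLY_UNLOADING):
        print(f"{case['operation']}: {case['fraction']:.1%} of the year -> "
              f"modifier {case['modifier']:.0e}, factor {case['factor']}")
```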

Probability of Exposure

The probability that someone will be exposed if the scenario develops fully
can also be addressed for cases as illustrated by the following example:
A pump is attached to a tank which contains an unstable material. Tests reveal that if the temperature goes higher
than 90 °C, a runaway is likely. This will generate high pressure from gas evolution. So the scenario is that the
pump may rupture, and the initiating event is that it runs with suction and delivery valves closed. This may sound
an extreme case but there is a history of this. If the pump runs most of the time but is in a remote area of the plant
which is seldom visited except for patrols, it should have a Conditional Modifier applied. If it is close to the plant
Control Room, logically it should not.
Fire and Explosion Events: The probability of ignition:
If a flammable material leaks, there is a probability that it will find a source of ignition. The ATEX regulations in
Europe list the sources to consider. If the material is below its flashpoint, it is a case which may be interesting to
study, but the fire or explosion may not be credible. This conclusion could appear in just this form in a HAZOP
study report and no further action may be taken. Care should be taken to check all possible sources, since a hot
surface may contribute to raising the temperature of the material.
If the material leaks at a temperature above its flashpoint, fire or explosion are real possibilities. Advice in LOPA
proposes that the probability of ignition becomes greater with the quantity of the leak. Indeed the advice says that
above a certain quantity, the probability of ignition is 100%. Furthermore, easily ignited material (Minimum
Ignition Energy < 0.3 mJ) has more restricted quantities.


Conditional Modifiers for Layer of Protection Analysis: Probability of Ignition

Amount of Flammable Material Released, kg | Ordinary Hydrocarbons: Probability of Ignition | Enabling Factor | Low M.I.E. (<0.3 mJ) materials: Probability of Ignition | Enabling Factor
5 - 50 | 1.0E-02 | 2 | 1.0E-02 | 2
51 - 501 | 1.0E-02 | 2 | 1.0E-01 | 1
501 - 5000 | 1.0E-01 | | |

After you have accounted for the initiating event frequency and the Conditional Modifiers you have a frequency
which is the frequency of the undesired event if there are no layers of protection to intervene. You have arrived at
the centre of the bow tie.

Now we can examine the possibilities for layers of protection.


First a reminder of an important definition:
Independent Protection Layers:
A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event
or the performance of another layer of protection.
Examples:


Independent Protection Layers Credit Factor Table

Independent Protection Layer | PFD | Credit Factor | Notes
Pressure Relief Device | 1.E-02 | 2 |
SIS - SIL 1 | 1.E-01 | 1 |
SIS - SIL 2 | 1.E-02 | 2 |
SIS - SIL 3 | 1.E-03 | 3 |
BPCS, when independent of initiating event | 1.E-01 | 1 | (0) if online changes allowed
Internal mechanical safety trips that are independent of the SIS or BPCS | 1E-1 to 1E-2 | 1 to 2 | Value chosen depends on verification by vendor and testing frequency.
Operator response under high stress, average training | 5.E-01 | |
Operator response to Alarms and procedures, low stress, recognized event | 1.E-01 | 1 | (0) if online changes allowed
Operator response to Alarms and procedures, low stress, recognized event with more than 24 hours to resolve problem | 1.E-02 | 2 |
Enclosure with an elevated stack | 1.E-01 | 1 |
Enclosure with attached mitigation device such as a scrubber or oxidiser | 1.E-02 | 2 |
Containment Building capable of withstanding any credible release | 1.E-03 | 3 |
Restricted Access where consequence is limited to | 1.E-01 | 1 |
Dikes when capable of mitigating the initiating event. This is an IPL only for environmental events. | 1.E-02 | 2 |

Details:
The first system to consider is the Basic Process Control System. For many cases the BPCS is a valuable
protection layer. It may have a trip or alarm function built into its loops. When the BPCS is considered it can be
credited with a PFD of 1E-01. The guidance in IEC 61511 does not allow a lower (better) PFD unless the system
complies with SIL 2 or higher requirements. This is true even if there is a redundant set of sensors in the loop.
Basic Process Control System: These should be used wherever possible, but it is important to remember that if the
initiating event is a failure of a control loop, it is not possible to count any element of that loop as an IPL. It is also
important to make sure that the loop receives the same registration and testing attention as a SIL 1 system.
Basic Process Control System trips:
This is a trip to interrupt the progress of a scenario and put the process into a safe state. A loop can be made up of a
process sensor, a logic solver and a final element such as a motor starter, an isolation switch or an automated block valve.
If the BPCS is used as an IPL it can only be used once. This means that if it is used in a trip function, it cannot also be
used as an alarm IPL. In most cases, it makes sense to have the trip function also drive an alarm, simply to make
sure that the operator is aware that a trip has taken place.
Basic Process Control System Alarms:
This is an alarm which instructs an operator to take a preplanned and rehearsed action which will put the process in
a safe condition. If this is allowed as an IPL it needs to:

Be effective
Be feasible
Be independent e.g. not use any element of another IPL
Allow enough time for response
Have a written procedure which is periodically tested

Be effective: It is necessary to make sure that the action will actually interrupt the scenario. In practice there is
nothing special about this type of IPL compared with any other.
Be feasible: It is important to make sure that the operator is able to carry out the required action. This includes
training, access to the final element etc. For example, if the operator has to put himself at risk to carry out the
required intervention it should not be allowed. A dead headed pump is a good case which deals with this.
Be Independent: The alarm and final element should not be part of any other IPL for the same scenario. It is also
important to ask the question If the initiating event is operator error, can the same operator be credible in an IPL
role?
Allow enough time: Some scenarios can be interrupted successfully if the response to an alarm is not immediate.
In practice a good test is to say that 15 minutes will be the minimum reliable time for a 90% reliable response. Be
wary of allowing an operator response if he needs to do so in less than 15 minutes. Good examples of impossible
operator IPLs are vapour cloud explosions and dust explosions. There is no time for effective operator intervention.
Have a written and rehearsed procedure: This must describe the alarm, what it means, what the response must be.
It will need to be tested periodically.
Special care is needed when the initiating event is the failure of a control system: the alarm function, even if it
uses different process sensors and final elements, may be sharing the logic solver of the BPCS. You cannot
assume that this arrangement is satisfactory, since there is a potential common cause failure in the shared logic
solver.

Basic Rules for BPCS and Alarms

1. If a BPCS (whole loop) is an Initiating Event, no credit is taken for the BPCS or Alarm IPL unless they are completely separate systems.
2. If BPCS and Alarm IPLs use the same sensor, you can take credit for one IPL only.
3. The Alarm IPL requires a formally recorded and auditable operator action to prevent the scenario.
4. If a sensor failure is the Initiating Event, BPCS and Alarm IPL are not valid credits if they require the failed sensor to function.
5. If a final element failure is the Initiating Event, BPCS and Operator action on Alarm IPL are not valid credits if they require the failed final element to function. (The most common could be a control valve.)
6. If a BPCS logic solver is an Initiating Event, no credit is taken for the BPCS or Alarm IPL, unless the Alarm IPL is a completely separate system.
7. If an Alarm is an IPL, the operator must have time to prevent the scenario. No credit shall be taken if the operator has less than 15 minutes to respond. It may be possible to take credit if this is a recognized case in the Emergency Response plan.
8. A maximum of one (1) BPCS and one (1) Alarm IPL credit is allowed for a case.
9. Sharing of BPCS and SIS elements may be allowed when there is evidence of adequate independence (see rules for sharing SIS elements by the BPCS).
10. Mechanical safety devices such as over-speed trips are not Instrumented IPLs. However, they may qualify as an Independent Safety Related Protection System under the Other Safety Related Protection System column.


Relief Systems:
If a relief system meets the requirements for effectiveness and is properly maintained etc. it can be credited with a
PFD of 1E-02.
Important aspects to remember are:

The relief system needs to be adequate for the scenario.


The operation of the relief system must not cause another hazard
The only scenarios where relief systems are valid involve overpressure

Care is needed with systems which involve a Rupture Disk and Pressure Safety Valve in series. Reasons for such a
set up include:
Service conditions (corrosion, polymerization)
Fugitive Emissions
It is possible for the disk to develop a pinhole which allows the space between the disk and valve to reach the same
pressure as the process protected. This pressure may interfere with the differential pressure required for the disk to
rupture when it needs to. It is common practice to place a low pressure switch, transmitter, relief valve or tell tale
to deal with this. The PFD of this system is likely to need to be the same as claimed for the relief system.
When there are concerns about downstream discharge hazards a treatment or containment process is needed. These
are briefly described in the example scenarios in the workbook.
We should not allow a LOPA process to eliminate the need for a conventional relief system. There are legal and
industry standards which may require a relief system.


1. The Pressure Relief Device either protects or it doesn't. Partial credit is not allowed.
2. If the Pressure Relief Device discharges to the atmosphere creating a 2nd hazard (to people, the environment or equipment), no credit is allowed. If the release to the atmosphere has an acceptable risk, credit may be taken.
3. If the Pressure Relief Device discharges to a flare, tank, or scrubber, credit is taken.
4. This is not a tool for deciding "No Overpressure Protection Device Needed".


Safety Instrumented Systems (SISs):


Safety Instrumented Systems have the following PFDs:
SIL 1 requires a PFD between 1E-01 and 1E-02
SIL 2 requires a PFD between 1E-02 and 1E-03
SIL 3 requires a PFD between 1E-03 and 1E-04
The certification process ensures that equipment supplied which meets the required standard achieves these PFDs.
As the level of SIL 1-3 (or 4) increases, the capital cost and the maintenance and inspection effort increase. So it
rarely makes sense to add conservatism to a process safety system by adding extra SIL functions. Basic traditional
LOPA usually assumes that a SIS performs at its highest PFD and not somewhere in the more optimistic part of its
certified range. More advanced LOPA may specify that the PFD of the SIS is nearer the top performing (lowest
PFD) end of the range.
Some guidance on the inspection required is shown in the table which follows:
Testing frequency tables are discussed in the course and are illustrated in the presentation material
See IEC 61511
Examples are discussed in training
If a SIS is applied, generally it should not share any elements with any other IPL. It may share a sensor or a final
element so long as basic rules are adopted:

the sharing is to control a second scenario unrelated to the first.


if a sensor is shared with BPCS and this sensor fails, it is an allowed set up so long as the process fault
tolerance time is greater than the element fault detection time plus the system reaction time (safe shutdown
initiated) (i.e. you are able to trip the process before it goes into a dangerous state)
the SIS shall be able to trip the process safely
a shared sensor must be connected to both the BPCS and SIS
the diagnostic coverage factor of the measured process variable must be minimum 90%
the BPCS must select the signal which is closer to the dangerous limit

When entering the information into a LOPA study and its results:

SIS entries are considered last, and then only if necessary to close the protection gap
A non-zero, positive value in the Protection Gap column indicates a SIS is needed.
The required SIL of the SIS is the value which closes the Protection Gap
A SIL value greater than 3 should not be allowed. Additional non-SIS IPLs are required - or there is
something wrong with the process
A zero or negative value in the Protection Gap column indicates a SIS is not needed.
A SIS with a SIL of 2 or 3 can be replaced with a combination of SISs with lower SIL, provided they are
independent from each other.
SIL 1 + SIL 1 = SIL 2 ; SIL 1 + SIL 2 = SIL 3
Two (2) SIS IPLs used in the same case require separate sensors, logic solver and final element.
Independent paths through the same SIS logic solver must be used.
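The case arithmetic described in this section (initiating event frequency times conditional modifiers times IPL PFDs, the protection gap that decides whether a SIS and which SIL is needed, and the aggregation of several initiating events into one scenario frequency introduced earlier), as an added Python example that is not the course workbook's own spreadsheet. The tolerated frequency, the sample cases and the independence flags on each IPL are constructed inputs; PFDs and frequencies follow the tables above.

```python
"""LOPA case arithmetic, added example (not the course workbook's spreadsheet):
initiating event frequency x conditional modifiers x IPL PFDs, the protection
gap and required SIL, and aggregation of several initiating events per scenario.
Target frequency, sample cases and independence flags are constructed inputs."""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from typing import Optional

MIN_OPERATOR_RESPONSE_MINUTES = 15   # rule 7: no alarm credit below this
MAX_SIL = 3                          # a SIL greater than 3 is not allowed


@dataclass
class IPL:
    name: str
    pfd: float
    kind: str                                 # "bpcs", "alarm", "relief", "sis", "other"
    shares_initiating_loop: bool = False      # any element in common with the initiating event
    response_minutes: Optional[float] = None  # alarms only: time the operator has to act


@dataclass
class Case:
    case_id: str                              # "1.01" = scenario 1, initiating event 1
    initiating_event: str
    frequency: float                          # per year, from the initiating event table
    conditional_modifiers: dict = field(default_factory=dict)  # name -> probability
    ipls: list = field(default_factory=list)


def valid_ipls(case: Case) -> list[IPL]:
    """Apply the basic rules for BPCS and alarms; return the IPLs that earn credit."""
    accepted, used = [], {"bpcs": False, "alarm": False}
    for ipl in case.ipls:
        if ipl.shares_initiating_loop:
            continue   # rules 1, 4, 5, 6: nothing in the failed loop can be an IPL
        if ipl.kind == "alarm" and (ipl.response_minutes is None or
                                    ipl.response_minutes < MIN_OPERATOR_RESPONSE_MINUTES):
            continue   # rule 7: the operator must have time to prevent the scenario
        if ipl.kind in used:
            if used[ipl.kind]:
                continue  # rule 8: one BPCS and one alarm credit per case
            used[ipl.kind] = True
        accepted.append(ipl)
    return accepted


def unmitigated_frequency(case: Case) -> float:
    """Frequency after conditional modifiers: the centre of the bow tie."""
    f = case.frequency
    for probability in case.conditional_modifiers.values():
        f *= probability
    return f


def mitigated_frequency(case: Case, include_sis: bool = True) -> float:
    """Frequency after the creditable IPLs (SIS entries optionally left out)."""
    f = unmitigated_frequency(case)
    for ipl in valid_ipls(case):
        if include_sis or ipl.kind != "sis":
            f *= ipl.pfd
    return f


def protection_gap(case: Case, target_frequency: float) -> int:
    """Orders of magnitude still missing with the non-SIS IPLs credited.
    Positive: a SIS of that SIL is needed; zero or negative: no SIS needed."""
    ratio = mitigated_frequency(case, include_sis=False) / target_frequency
    return math.ceil(math.log10(ratio) - 1e-9)   # small tolerance for float rounding


def required_sis(gap: int) -> str:
    if gap <= 0:
        return "no SIS needed"
    if gap > MAX_SIL:
        raise ValueError(f"gap {gap}: SIL > {MAX_SIL} not allowed, add non-SIS IPLs")
    return f"SIL {gap}"


def scenario_frequency(cases: list[Case]) -> float:
    """Aggregation: the scenario frequency is the sum over all its initiating events."""
    return sum(mitigated_frequency(c) for c in cases)


# Constructed sample: scenario 1 is a reactor rupture from a runaway reaction.
TARGET_FREQUENCY = 1e-5   # assumed tolerated frequency (per year) for this severity
CASE_1_01 = Case("1.01", "BPCS temperature loop failure", 1e-1,
                 {"hazard present more than 10% of the time": 1.0},
                 [IPL("BPCS high temperature trip on the same loop", 1e-1, "bpcs",
                      shares_initiating_loop=True),
                  IPL("Relief valve sized for the runaway", 1e-2, "relief")])
CASE_1_02 = Case("1.02", "Operator error in a task done once a quarter or less", 1e-2, {},
                 [IPL("High temperature alarm, 30 min to respond", 1e-1, "alarm",
                      response_minutes=30),
                  IPL("Second alarm, 10 min to respond", 1e-1, "alarm", response_minutes=10),
                  IPL("Relief valve sized for the runaway", 1e-2, "relief")])

if __name__ == "__main__":
    for case in (CASE_1_01, CASE_1_02):
        gap = protection_gap(case, TARGET_FREQUENCY)
        print(case.case_id, f"gap={gap}", required_sis(gap), [i.name for i in valid_ipls(case)])
    print("scenario 1 aggregated frequency:", scenario_frequency([CASE_1_01, CASE_1_02]))
```

Case 1.01 loses its BPCS credit because the trip sits on the failed loop, leaving a gap of 2 (a SIL 2 is needed); case 1.02 keeps only the first alarm and the relief valve and closes the gap without a SIS.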

Other Safety Related Protection Systems:

Systems that are not Pressure Relief Devices and are not instrumented systems are considered as SRPS.

o Dikes and bunds are not always IPLs for safety cases - no credit allowed, since they may only
reduce the consequences (and thus may be accounted for in the scenario). For a business
case involving an environmental scenario, dikes and bunds may reduce the frequency of
environmental damage - credit allowed.
o Includes containment buildings or enclosures, if present.
o Unlisted systems need a lot of care and approvals.
o Emergency Response can be considered for off site scenarios
o How to treat Shelter in Place?
o Enhanced inspection or replacement processes
Dikes and bunds need to be discussed. The question is: do they reduce the scale of the scenario?
If they do have the designed and desired effect, can we adopt a higher tolerated frequency?

Limitations with my present state of knowledge:


Mechanical system loss of containment:
Pipes,
Flanges,
Vessels
For no defined reason: includes corrosion, erosion, material fault etc. i.e. not overpressure
How to credit mitigation systems: water sprays, fire protection, emergency response, shelter in place.
Explosions
Fire effects
Release and other events which cannot be interrupted by SISs e.g. generic vessel failures
What may be a suitable approach?
Recognise that some initiating events may cause scenarios where there are no conventional true IPLs available; e.g.
vessel rupture for no anticipated reason. If events like this occur, there is no instrumented or any other system
which can stop the event once it has occurred. In a sense, this type of event can be predicted, simply because they
have happened. It would be wrong to eliminate the possibility. All that you can do is to MITIGATE it.
The problem with assessing mitigation systems is that they are difficult to test in a real sense.
The LOPA ONION mentions physical barriers such as dikes or bunds. There are other effective means such as
water sprays, fire protection, containment buildings. It also mentions Emergency Response. This is very difficult
to assess, but should not be ignored.
These do not fit well into the definition of an IPL. Is there another approach?
Consider the target for the scenario. This is used in LOPA as a frequency, but it is based on a
severity. Reminder: the severity of a scenario is used to set its tolerated frequency, so in most senses the severity
and the frequency are the same integer.
If we address the severity for the assumed scenario, the mitigating system is designed to reduce the severity.
So a suitable approach is to carry out 2 cases for this type of scenario/cause:
a) ignoring the MITIGATION system, to derive the protection gap
b) accounting for the MITIGATION by reducing the target severity (and thus the tolerated frequency) to
see if the protection gap remains.
Credible Versus Non Credible events:
For example:
Is a fire a credible event if a flammable material is released below its flashpoint temperature?
Is it credible for a dike to fail?
We all have an opinion perhaps, but in many cases the Competent Authority may dictate what we consider.


How to decide when enough is enough


The U.K. H.S.E. has a concept of ALARP (As Low As Reasonably Practicable)
This is a far from ideal process when several different stakeholders use it, but within a group of like minded people
it has value.
When you have an understanding of the frequency of an event, you need to ask the question:
Have I done enough?
How do I justify not adding extra features to protect?
If you have estimated the frequency from the LOPA exercise and have closed the protection gap, you can
estimate the frequency for the scenario if another layer of protection were added with an extra PFD.
For example:
If the target frequency achieved is 1E-06, what would the impact be of adding another IPL with a PFD of
1E-01 over the life of the plant?
The improvement in frequency will be 9 x 1E-07 events per year.
So the reduction in the number of events over the life of the plant (say 25 years) is: 25 x 9 x 1E-07
If the value of the risk reduction is 1,000,000 per event (e.g. a fatality),
the value of the risk reduction = 25 x 9 x 1E-07 x 1,000,000 = 22.50
Supposing the cost of the added layer of protection was 2,000 over the life of the plant.
It would seem that the cost grossly outweighs the benefit.
Another example:
If the target frequency achieved is 1E-05, what would the impact be of adding another IPL with a PFD of
1E-01 over the life of the plant?
The improvement in frequency will be 9 x 1E-06 events per year.
So the reduction in the number of events over the life of the plant (say 50 years) is: 50 x 9 x 1E-06
If the value of the risk reduction is 1,000,000 per event (e.g. a fatality),
the value of the risk reduction = 50 x 9 x 1E-06 x 1,000,000 = 450
Supposing the cost of the added layer of protection was 2,700 over the life of the plant.
It would seem that the cost does not grossly outweigh the benefit. This is how it might look in a spreadsheet.

Consideration of other layers of protection - only to be used if gap is closed and you need to do cost benefit on further IPLs! (e.g. test for ALARP)

Description | Independent Trip of steam supply with block valve linked to independent temperature loop.
Total Capital Cost of extra IPL | 200
Cost of maintaining extra IPL/yr | 50
Risk Reduction anticipated (enter 10, 100 or 1000 fold reduction in frequency) | 1.00E+01
Anticipated future life of plant (yrs) | 50
"Value" of Risk Reduction (000's) | 1000
Cost of added IPL over life of plant | 2700
Incremental reduction in frequency per year | 9.00E-06
Value of risk reduction over life of plant | 450.00
Ratio of Cost of extra IPL/Value of Risk Reduction | 6.00
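The ALARP cost-benefit arithmetic of the two worked examples and the spreadsheet above, as an added Python example that is not the course spreadsheet itself. The capital and maintenance split (200 plus 50 per year over 50 years) comes from the spreadsheet; for the first example only the lifetime total of 2,000 is given, so it is booked entirely as capital here, which is an assumption.

```python
"""ALARP cost-benefit check for one extra IPL. Added example, not the course spreadsheet."""
from dataclasses import dataclass


@dataclass
class ExtraIPL:
    description: str
    capital_cost: float               # one-off cost of the added layer
    maintenance_cost_per_year: float  # recurring cost of keeping it effective
    risk_reduction_fold: float        # 10, 100 or 1000 (= 1 / PFD of the added layer)


def frequency_improvement_per_year(achieved_frequency: float, fold: float) -> float:
    """Reduction in event frequency: f - f/fold, e.g. 1E-05 with a tenfold layer -> 9E-06."""
    if fold <= 1:
        raise ValueError("an extra IPL must reduce the frequency by more than onefold")
    return achieved_frequency - achieved_frequency / fold


def lifetime_cost(ipl: ExtraIPL, plant_life_years: float) -> float:
    """Capital plus maintenance over the remaining life of the plant."""
    return ipl.capital_cost + ipl.maintenance_cost_per_year * plant_life_years


def lifetime_risk_reduction_value(achieved_frequency: float, ipl: ExtraIPL,
                                  plant_life_years: float, value_per_event: float) -> float:
    """Events avoided over the plant life, priced at the value of one event."""
    improvement = frequency_improvement_per_year(achieved_frequency, ipl.risk_reduction_fold)
    return plant_life_years * improvement * value_per_event


def alarp_check(achieved_frequency: float, ipl: ExtraIPL,
                plant_life_years: float, value_per_event: float) -> dict:
    """Return the figures the spreadsheet shows, including the cost/value ratio.
    The ratio is left for the study group to judge; the notes set no fixed threshold."""
    cost = lifetime_cost(ipl, plant_life_years)
    value = lifetime_risk_reduction_value(achieved_frequency, ipl, plant_life_years, value_per_event)
    return {
        "improvement_per_year": frequency_improvement_per_year(achieved_frequency,
                                                               ipl.risk_reduction_fold),
        "lifetime_cost": cost,
        "lifetime_value": value,
        "cost_to_value_ratio": cost / value,
    }


# Second worked example from the notes: 1E-05 achieved, tenfold extra IPL, 50 years,
# 1,000,000 per event, 200 capital plus 50/yr maintenance (spreadsheet figures).
STEAM_TRIP = ExtraIPL("Independent trip of steam supply with block valve linked to "
                      "independent temperature loop", 200, 50, 10)
SECOND_EXAMPLE = alarp_check(1e-5, STEAM_TRIP, 50, 1_000_000)

# First worked example: 1E-06 achieved, 25 years, 2,000 over the plant life.
# The notes give only the lifetime total, so it is booked as capital here (assumption).
FIRST_EXAMPLE = alarp_check(1e-6, ExtraIPL("hypothetical extra IPL", 2000, 0, 10), 25, 1_000_000)

if __name__ == "__main__":
    for name, result in (("first example", FIRST_EXAMPLE), ("second example", SECOND_EXAMPLE)):
        print(name, {k: round(v, 4) for k, v in result.items()})
```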

And it is recommended to address:


Uncertainty and Sensitivity:
Uncertainty: Where in the study do we have uncertain knowledge of (e.g.) frequencies, probabilities or
effectiveness which might affect the outcome?
Sensitivity: Which items in the study have the biggest impact if we have inaccurate information? Usually,
these are items which are expected to have very low failure rates.

It is suggested that each study case includes statements about both the Uncertainty and Sensitivity:
UNCERTAINTY
Case: 1.0
Scenario: R 101 rupture due to runaway reaction
Initiating Event: Failure rate data of Temperature Control loop well known and documented
Conditional Modifier: Capacity of facility will always dictate that the hazard is present <10% of the time
IPL: Recent history of fouling on Relief Valve places a doubt on PFD
Action: Modify entry to relief section to ensure incoming solvent cleans nozzle every batch. Add quarterly
inspection.
HOWEVER: The biggest UNCERTAINTY is: Have we accounted for all hazardous events?
SENSITIVITY
Case: 1.0
Scenario: R 101 rupture due to runaway reaction
Initiating Event: Failure rate data of Temperature Control loop well known and documented
Conditional Modifier: Capacity of facility will always dictate that the hazard is present <10% of the time
IPL: Relief Valve action PFD is 1e-02, which indicates that there is a heavy reliance on this IPL. Failure to
function on demand has a major effect on the frequency of the top event.
Action: Modify entry to relief section to ensure incoming solvent cleans nozzle every batch. Add quarterly
inspection.

Definitions:
Aggregation: Using the study to calculate a scenario frequency when there is more than one initiating event
BPCS: The Basic Process Control System
Frequency: The number of times in a given period an event occurs.
PFD: Probability of Failure on Demand. The probability that a system or element of a system will fail to act as
required when a demand is made of it.
SIS: Safety Instrumented System. A specially designed, validated and tested system made up of certified or proven
in service elements. This comprises a process deviation sensing element, logic solver and final element which places
the process in a safe state.
SIF: Safety Instrumented Function: The designed function of the SIS. (e.g. senses high temperature and isolates
energy supply)
SIL: Safety Integrity Level. A standardized PFD for certified SISs (usually having a PFD of 1e-01, 1e-02 or 1e-03)
SIP: Safety Instrumented Programming: The section of any logic solver software devoted to Safety Instrumented
System control.
False Trip: Erroneous trip of process due to a failure of a control loop capable of shutting down the process. This
is particularly important for large continuous plants.
Other Safety Related Protection Systems: These are systems which have been installed by the user to act as layers
of protection which do not fit into the category of BPCS or SIS.
Independent Protection Layer: A layer of protection that will prevent an unsafe scenario from progressing
regardless of the initiating event or the performance of another layer of protection.
Mitigation systems as layers of protection: Systems which do not prevent the scenario development but will reduce
its impact, severity and scale. See Other Safety Related Protection Systems.

Definitions:
Basic Process Control System (BPCS) - A combination of Sensors, Logic Solvers and Final elements
which automatically regulate the process within normal production limits.
Independent Layer of Protection (IPL) - A layer of protection that will prevent an unsafe scenario from
progressing regardless of the initiating event or the performance of another layer of protection.
Layers of Protection Analysis (LOPA) - A process of evaluating the effectiveness of Independent
Protection Layers in reducing the likelihood or severity of an undesirable event to meet organizational needs.
Logic Solver - The element of the BPCS or SIS that implements one or more logic functions.
Probability of Failure on Demand (PFD) - The probability that a system will fail to perform a specified
function on demand.
Reliability Level (RL) - A measure of the reliability requirement for avoidance of false trips.
Safety Instrumented Function (SIF) - The complete action which the SIS is designed to perform from
sensing to the final control element.
Safety Integrity Level (SIL) - A measurement of the integrity requirements for the Safety Instrumented
System.
Safety Integrity Program (SIP) - The safety related program for the logic solver.
Safety Instrumented System (SIS) - A combination of Sensor, Logic Solver and Final Elements that detects
an out-of-limit (abnormal) condition and brings it to a safe condition without human intervention (performs the
required safety functionality).
PFD = Probability of Failure on Demand.
DU = Undetected Dangerous Failure frequency
DD = Detected Dangerous Failure frequency
MTTR = Mean Time to Repair

Tools:
An Excel worksheet with all required tables incorporated has been developed by the course trainer and is made
available with the course materials.
Work procedure:
LOPA starts with the identification of a hazardous scenario and the potential amount of involved chemicals
or other risk, resulting in the target factor (the unwanted event's severity/frequency if we imagine it does occur).
1. Enter the scenario identifier and description at the top of the worksheet.
2. Enter the Target Factor in the Risk Tolerance Criteria cell in the frequency column.
3. Enter a description of the initiating event and its frequency
4. Enter descriptions of any Conditional Modifiers and their probability in the appropriate row.
5. Now the Independent Protection Layers (IPLs) are entered
6. All applicable Independent Protection Layers need to be defined and their function described in the
appropriate column. Also the credit factor needs to be determined and inserted in the PFD cells
7. Consider the need to aggregate for the case that a single scenario may have more than one initiator
If you leave the SIS A and SIS B column empty for the first pass, you will find the resulting protection
Gap automatically calculated in its column.
If the protection gap is >zero you need to add protection, perhaps Safety Instrumented Systems.
The Protection Gap may be brought to zero as a result of the Basic Process Control System
performance, by specifying one or more SISs, or by adding an alternative IPL such as a PSV and containment
system or other safety related protection systems. When the Protection Gap is zero or less, the Risk Tolerance
Target you started with has been met.
The spreadsheet is:
not password protected
adaptable
freely shared with course participants
your responsibility in use
able to aggregate final event frequency allowing for the fact that most scenarios have more than
one initiating event. In other words it takes account of the whole of the left hand side of the bow
tie.
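The worksheet arithmetic behind the work procedure above (frequency of mitigated consequences, protection gap in orders of magnitude, and aggregation over more than one initiating event), as an added example that is not the course spreadsheet; the R 101 scenario data in it is constructed for illustration.

```python
"""Basic LOPA worksheet arithmetic in the order-of-magnitude style described above.
Added example: the scenario data below is constructed and is not taken from the course tool."""
import math
from dataclasses import dataclass, field


@dataclass
class Initiator:
    """One initiating event with its conditional modifiers and independent protection layers."""
    description: str
    frequency: float                                           # events per year
    conditional_modifiers: list = field(default_factory=list)  # probabilities, 0..1
    ipl_pfds: list = field(default_factory=list)               # one PFD per IPL

    def mitigated_frequency(self) -> float:
        # Frequency of mitigated consequences = IE frequency x modifiers x every IPL PFD.
        f = self.frequency
        for p in self.conditional_modifiers + self.ipl_pfds:
            f *= p
        return f


def aggregate_frequency(initiators) -> float:
    """Aggregation: the scenario frequency is the sum over all initiating events
    (the whole left-hand side of the bow tie)."""
    return sum(i.mitigated_frequency() for i in initiators)


def protection_gap(target_frequency: float, achieved_frequency: float) -> int:
    """Orders of magnitude still missing to reach the target; zero or less means it is met."""
    decades = math.log10(achieved_frequency / target_frequency)
    return math.ceil(round(decades, 6))   # rounding absorbs floating-point noise at exact decades


def example_scenario():
    """Constructed R 101 runaway-reaction case with two initiators; target 1E-05 per year."""
    temp_loop = Initiator("Temperature control loop fails", 1e-1,
                          conditional_modifiers=[0.1],         # reaction running <10% of the year
                          ipl_pfds=[0.1, 1e-2, 0.1])           # alarm + operator, relief valve, SIF A
    steam_valve = Initiator("Steam supply valve fails open", 1e-1,
                            conditional_modifiers=[0.1],
                            ipl_pfds=[1e-2])                   # relief valve only
    return 1e-5, [temp_loop, steam_valve]


if __name__ == "__main__":
    target, initiators = example_scenario()
    print("gap (decades):", protection_gap(target, aggregate_frequency(initiators)))
    initiators[1].ipl_pfds.append(1e-2)  # add an SIS trip (PFD 1e-02) to the second initiator
    print("gap after adding SIS:", protection_gap(target, aggregate_frequency(initiators)))
```

On its own the first initiator meets the target, but aggregating the second one reopens a two-decade gap, which is the point of step 7.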

Most of this guide is written to support basic LOPA where orders of magnitude are proposed for initiating events,
independent layers of protection and other factors. This principle embodies the original aims of the originators of
LOPA. More complex forms of LOPA are explained in the I Chem E training course and in the Final report on the
Buncefield accident published 11 Dec. 2009. Refer to appendix 2: Link
http://www.hse.gov.uk/comah/buncefield/fuel-storage-sites.pdf

Example worksheet (vertical layout) as illustrated in the course materials; the entries that survive are:
Consequence Description/Category: Temperature Control loop fails. Heat input to start exothermic reaction.
Temperature control fails and heating continues into exo reaction stage.
Risk Tolerance Criteria: Based on fatality on site. Single fatality is taken to be worst case recognising plant
manning etc.
Initiating Event Frequency (LOPA 'credit'): 1
Enabling Event or Condition - Probability of Ignition: Not needed (credit 0)
Conditional Modifiers - Probability that personnel will be in affected area: Operator always present (credit 0)
Conditional Modifiers - Others: Reaction is operating less than 10% of year (credit 1)
Frequency of unmitigated Consequences
Independent Protection Layers (PFD/LOPA 'credit'): BPCS actions with trip; BPCS alarm and operator response*;
Pressure Relief; Safety Instrumented Function A; Safety Instrumented Function B; Other safety Related Protection
Systems e.g. Emergency Response, Passive Barriers, Active Mitigation systems
Total Probability of Failure on demand for all IPLs
Frequency of Mitigated Consequences
Risk Tolerance Criteria Met? YES

Alternative spreadsheets allowing several cases to be recorded on the same sheet are made available and
demonstrated in the course. In the tools illustrated the data entry is horizontal rather than vertical.


References:
Guidelines for Quantitative Risk Assessment, CPR 18E (Purple Book) - Published by the Netherlands
Committee for Prevention of Disasters.
Layer of Protection Analysis - American Institute of Chemical Engineers, Center for Chemical Process
Safety (CCPS). ISBN 0-8169-0811-7
