Do I need a safety instrumented system?

The number one goal of any safety system or device is to protect people and do it while remaining unnoticed. Sensors and activation mechanisms for automobile airbags are safety systems. On commercial airplanes, flight attendants explain that a sudden cabin depressurization will automatically cause oxygen masks to drop from the overhead compartments.

By Paul Gruhn, Moore Process Automation Solutions January 1, 2000

The number one goal of any safety system or device is to protect people and do it while remaining unnoticed. Sensors and activation mechanisms for automobile airbags are safety systems. On commercial airplanes, flight attendants explain that a sudden cabin depressurization will automatically cause oxygen masks to drop from the overhead compartments. In our homes, smoke and carbon monoxide detectors, ground fault protectors, and automatic garage-door reversal mechanisms are each a form of a safety system.

At work, light curtains protect us from crushing our arms and hands in presses, dikes provide liquid containment if a vessel ruptures, relief valves and rupture-disk protect against overpressuring vessels, and flammable gas and low oxygen detectors alert of unsafe conditions.

Deciding if safety instrumented systems are necessary may be as simple as determining if the process is covered by U.S. Occupational Safety and Health Administration (OSHA, Washington, D.C.) regulations such as 29 CFR 1910.119 “Process Safety Management of Highly Hazardous Chemicals (PSM).” But responsible companies don’t require regulations to do the right thing. Responsible companies already know it’s better for business tangibles and intangibles to avoid accidents. Companies manage risk and safety by assessing the process, identifying and quantifying risk, and defining the independent safety layers that may exist or could be used.

What’s this all mean?

It begins when a company defines their tolerable level of risk. Tolerable risk (death) is a taboo subject, especially in the U.S., but juries place dollar amounts on life every day using a subjective rationalization that transcends engineering or science.

A simple definition of risk is “potential for injury and/or death” but that definition requires more detail. What is a tolerable level of risk? What is a tolerable injury or death rate? How many people can a company tolerate killing? (The answer is not “zero.” No company is willing to permanently close their doors if there is a single accidental death.)

The English promote a concept called ALARP (As Low As Reasonably Practical). If the risk is above a certain threshold, it must be reduced. If the risk is below a different threshold, it is low enough to be considered acceptable. When the risk is somewhere in between, further considerations to lower the risk are required.

Managing risk and safety

Common sense tells us which industries have high risk. We all know of major nuclear accidents in the U.S., Soviet Union, and now Japan. Many of us live near refineries that have gone “boom.” There have been major chemical plant accidents in Flixborough, England; Seveso, Italy; Bhopal, India; and Pasadena and Channelview, Texas.

When OSHA 29 CFR 1910.119 PSM was enacted in 1992, OSHA estimated 25,000 U.S. facilities would be affected and 264 deaths and 1,534 injuries/illnesses would be avoided annually.

To avoid confusion about which facilities were covered by the regulations, OSHA provided high-risk industries a simple definition; any U.S. facility site with over 10,000 pounds of flammable material, toxic materials exceeding defined thresholds, or any explosive materials is covered by the OSHA PSM regulation.

So how do you lower the risk of a facility to a tolerable level?

The chemical industry has promoted the concept of “inherently safe” designs for over a decade. Designing inherently safe processes requires balancing the risk to workers and surrounding community with economics. For example, the early manufacture of nitroglycerin was a batch process. Operators watched a single gauge to ensure the process remained in the safe operating range. Occasionally operators fell asleep, resulting in a search for a replacement operator. Accident investigation identified the operator going to sleep as the root cause. The solution was to provide the operator a one-legged stool. Real nitroglycerin manufacturing safety was achieved through a process redesign. Changing from batch to a small volume, continuous reaction process reduced the amount of material and resulted in an inherently safe design.

Part of designing inherently safe processes requires identifying hazards and operating problems and assigning quantified levels of risk to each identified hazard well before the process design is complete.

If the risk is above a certain threshold, it must be reduced.

Before adding complex safety instrumented systems, consider simple, noninstrumented safety protection layers. For example, an overflow vessel, dike, or containment wall could prevent a spill. Extra heavy vessel walls or pressure relief valves could prevent a pressurized vessel from bursting. These simple devices may reduce the risk to a tolerable level.

Now you’re prepared to answer the question, “Do I need a safety instrumented system?” If the risks of your process can be controlled to a tolerable level without a safety instrumented system—no. If the risks cannot be controlled to an acceptable level by the application of noninstrumented layers, then—yes.

Do you have a safety instrumented system question? E-mail dharrold@cahners.com

Author Information

Paul Gruhn is a safety-systems specialist at Moore Process Automation Solutions

What belongs in risk ranking models?

Managing risk requires identifying and quantifying risk uniformly throughout the enterprise. It’s permissible to use different ranking models, but the criteria needs to remain consistent. For example, the severity of worker injuries resulting in lost workdays should be the same in every plant in every country.

Risk ranking models generally examine an event’s frequency (likelihood) and the severity (impact) of the event on different domains.

Frequency is most commonly defined in occurrences per year. For example, a company might define a low frequency event as one expected to occur once in 50 years and a high frequency as an event that occurs once per year.

Severity rankings examine the following domains:

Public safety and health;

Site safety and health;

Environmental impact;

Liability costs;

Business interruptions and quality issues; and

Equipment damage and repair costs.

Events that expose the public to the potential of injury, illness, or death should always receive high severity rankings.

Some will argue site workers and the public should be treated equally, but the idea in separating the two domains is because the public is less prepared than site workers and thus require additional consideration.

Environmental impact is defined as minor or localized; significant, including regulatory violations; and major, causing long-term damage.

Some risk ranking models combine domains. Legal experts advise not to combine domains that result in mixing dollar amounts with injury, death, and environmental issues. When injury, death, environment, and dollar information is combined and presented to a jury, it appears the “evil” company has established dollar values on human life and/or the environment.

Liability cost is frequently lumped with production or equipment costs, but lumping cost together leads to underestimated total costs.

Liability, business interruptions, and equipment damage are defined in dollars. For example, major might be defined as >$10,000,000 for liability, >$200,000 for production interruptions, and >$100,000 for equipment damage.

Regardless of the risk-ranking model used, the model needs to be reviewed at least annually and updated to reflect current corporate risk assessment philosophies.

Similarly, how personnel use the model requires monitoring for consistency, especially as part of an event (incident or accident) investigation. For example, if the same or similar event occurs twice in five years and the event was ranked as likely to occur once in 50 years, those persons assigning the ranking may require additional training, but for sure the event needs to be reassessed.

When events are regularly “under ranked,” companies open themselves up to media criticism, increased scrutiny from regulatory agencies, and possible liability. Establishment, consistent usage, and maintenance of a risk assessment model brings users one step closer to understanding how to manage risk and remain in business.