book 1 ISM

Date post: 08-Jul-2015
Upload: ravi-kumar-veeram

Industrial Safety (Course Book for Diploma in Fire and Industrial Safety)

UNIT 1 Fundamentals of industrial safety - safety policy and safety terminology - work permit systems
UNIT 2 Job safety analysis (JSA) - HAZOP study - fault tree analysis
UNIT 3 Safety inventory systems - occupational health hazards
UNIT 4 Safety organization and duties of a safety officer - safety committee and accident investigation
UNIT 5 Safety management systems

UNIT 1
Fundamentals of industrial safety

Fundamentals
Safety is the state of being "safe" (from French sauf), the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types or consequences of failure, damage, error, accidents, harm or any other event which could be considered non-desirable. Safety can also be defined as the control of recognized hazards to achieve an acceptable level of risk. This can take the form of being protected from the event or from exposure to something that causes health or economic losses. It can include protection of people or of possessions. Industrial safety is a category of management responsibility in places of employment. To ensure the safety and health of workers, managers establish a focus on safety that can include elements such as:
- Management leadership and commitment
- Employee engagement
- Accountability
- Safety programs, policies, and plans
- Safety processes, procedures, and practices
- Safety goals and objectives
- Safety inspections for workplace hazards
- Safety program audits
- Safety tracking and metrics
- Hazard identification and control
- Safety committees to promote employee involvement
- Safety education and training
- Safety communications to maintain a high level of awareness on safety

DIFFERENT TYPES OF SAFETY SYSTEMS AND EQUIPMENT
Industrial safety systems are crucial in hazardous plants such as oil and gas plants and nuclear plants. They are used to protect people, the plant and the environment in case the process goes beyond its control margins. As the name suggests, these systems are not intended for controlling the process itself but for protection. Process control is performed by process control systems (PCS) and is interlocked with the safety systems so that immediate action is taken should the process control systems fail. Process control and safety systems are usually merged under one system, called an Integrated Control and Safety System (ICSS). Industrial safety systems typically use dedicated systems that are SIL 2 certified at minimum, whereas control systems can start at SIL 1. SIL applies to both hardware and software requirements, such as cards, processor redundancy and voting functions.

TYPES OF INDUSTRIAL SAFETY SYSTEMS
There are three main types of industrial safety systems in the process industry:
- Process Safety System or Process Shutdown System (PSS).
- Safety Shutdown System (SSS): this includes Emergency Shutdown (ESD) and Emergency Depressurization (EDP) systems.
- Fire and Gas System (FGS).
These systems may also be redefined in terms of ESD/EDP levels as:
- ESD level 1: in charge of general plant area shutdown; can activate ESD level 2 if necessary. This level can only be activated from the main control room in process industrial plants.
- ESD level 2: this level shuts down and isolates individual ESD zones and activates EDP if necessary.
- ESD level 3: provides "liquid inventory containment".

SSS
The Safety Shutdown System shall shut down the facilities to a safe state in case of an emergency situation, thus protecting personnel, the environment and the asset. The Safety Shutdown System shall manage all inputs and outputs relating to Emergency Shut Down (ESD) functions (environment and personnel protection). This system might also be fed by signals from the main fire and gas system. Weatherford's CS7X electro-hydraulic safety shutdown system is a low power, highly reliable, microprocessor-based, integrated wellhead control system. By providing operation of wellheads and other production functions using standard application modules, the system achieves a high level of safety and control. The system is optimized for controlling offshore platforms. Low power requirements are ideal for production applications where conventional power sources are not available. Integrated hydraulic/pneumatic logic provides quick, dedicated safety monitoring. SCADA systems easily link with the system to allow remote monitoring and control.

FEATURES
- Integrated wellhead process control and SCADA
- Low power remote operation
- Scalable system design
- Easily programmable ESD logic
- Intelligent diagnostics and alarming

FGS
The main objectives of the fire and gas system are to protect personnel, the environment and the plant (including equipment and structures). The FGS shall achieve these objectives by:
- Detecting at an early stage the presence of flammable gas
- Detecting at an early stage any liquid spill (LPG and LNG)
- Detecting incipient fire and the presence of fire
- Providing automatic and/or manual activation facilities for the fire protection system as required
- Initiating signals, both audible and visible as required, to warn of the detected hazards
- Initiating automatic shutdown of equipment and ventilation if 2 out of 2 or 2 out of 3 detectors are activated
- Initiating the exhaust system


Process Safety of Industrial

ESD
Emergency Shut Down (ESD) systems are aimed at isolating (closing) any hazardous valves in a process under abnormal conditions. Traditionally, risk analyses have concluded that the Emergency Shut Down system needs a high Safety Integrity Level, typically SIL 2 or 3. Basically the system consists of field-mounted sensors, valves and trip relays, system logic for processing incoming signals, and alarm and HMI units. The system processes input signals and activates outputs in accordance with the Cause & Effect charts defined for the installation.

TYPICAL ACTIONS FROM AN EMERGENCY SHUT DOWN SYSTEM
- Shut down of part systems and equipment
- Isolate hydrocarbon inventories
- Isolate electrical equipment *)
- Prevent escalation of events
- Stop hydrocarbon flow
- Depressurize / blow down
- Emergency ventilation control *)
- Close watertight doors and fire doors *)
*) May alternatively form part of the fire/gas detection and protection system.

EDP
Due to the closing of ESD valves in a process, there may be some trapped flammable fluids, and these must be released in order to avoid any undesired consequences (such as pressure increase in vessels and piping). For this, emergency depressurization (EDP) systems are used in conjunction with the ESD systems to release such trapped fluids to a safe location and in a safe manner.

PSV
Pressure Safety Valves (PSVs) are mechanical devices and are usually used as the final safety solution when all previous systems fail to prevent further pressure accumulation; they protect vessels from rupture due to overpressure.

SIS
A Safety Instrumented System (SIS) is a form of process control usually implemented in industrial processes, such as those of a factory or an oil refinery. The SIS performs specified functions to achieve or maintain a safe state of the process when unacceptable or dangerous process conditions are detected. Safety instrumented systems are separate and independent from regular control systems but are composed of similar elements, including sensors, logic solvers, actuators and support systems.

The specified functions, or safety instrumented functions (SIFs), are implemented as part of an overall risk reduction strategy which is intended to reduce the likelihood of identified hazardous events involving a catastrophic release. The safe state is a state of the process operation where the hazardous event cannot occur. The safe state should be achieved within one-half of the process safety time. Most SIFs are focused on preventing catastrophic incidents. The correct operation of an SIS requires several pieces of equipment to function properly. It must have sensors capable of detecting abnormal operating conditions, such as high flow, low level, or incorrect valve positioning. A logic solver is required to receive the sensor input signal(s), make appropriate decisions based on the nature of the signal(s), and change its outputs according to user-defined logic. The logic solver may use electrical, electronic or programmable electronic equipment, such as relays, trip amplifiers, or programmable logic controllers. Next, the change of the logic solver output(s) results in the final element(s) taking action on the process (e.g. closing a valve) to bring it to a safe state. Support systems, such as power, instrument air, and communications, are generally required for SIS operation. The support systems should be designed to provide the required integrity and reliability.
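The detector voting the FGS section describes (2 out of 2 or 2 out of 3 detectors) and the sensor-to-logic-solver-to-final-element path the ESD and SIS sections describe (a Cause & Effect chart mapping incoming signals to actions), as an added Python example that is not code from the course book. The detector tags, zone names, actions and the degraded-vote rule are constructed for illustration; a real installation takes them from its safety requirements specification.

```python
"""Detector voting and a Cause & Effect chart for an FGS/ESD logic solver.

Added example, not code from the course book. It models the book's 2-out-of-2
and 2-out-of-3 detector voting and the Cause & Effect chart an ESD logic solver
uses to turn incoming signals into actions on final elements. Detector tags,
zone names, actions and the degraded-vote rule below are constructed for
illustration; a real installation takes them from its safety requirements
specification.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Detector:
    tag: str
    tripped: bool = False   # detector reports gas/fire
    healthy: bool = True    # False = detector reports a fault; it is excluded from the vote


@dataclass
class VotedCause:
    """An M-out-of-N group of detectors."""
    name: str
    detectors: List[Detector]
    m: int

    def votes(self):
        healthy = [d for d in self.detectors if d.healthy]
        return sum(1 for d in healthy if d.tripped), len(healthy)

    def is_tripped(self) -> bool:
        tripped, healthy = self.votes()
        if healthy == 0:
            return False            # nothing left to vote on; reported by is_degraded()
        # Assumed degraded-mode rule: if fewer healthy detectors remain than the
        # vote needs, fall back to 1-out-of-N so a fault cannot mask a real event.
        required = self.m if healthy >= self.m else 1
        return tripped >= required

    def is_degraded(self) -> bool:
        return any(not d.healthy for d in self.detectors)


def evaluate(chart: Dict[str, Set[str]], causes: List[VotedCause]) -> Set[str]:
    """Logic solver step: union of the effects of every tripped cause."""
    actions: Set[str] = set()
    for cause in causes:
        if cause.is_tripped():
            actions |= chart[cause.name]
    return actions


def demo_scenarios() -> Dict[str, List[str]]:
    """Constructed scenarios; returns the sorted actions (or degraded groups) for each."""
    g1, g2, g3 = Detector("GD-101"), Detector("GD-102"), Detector("GD-103")
    f1, f2 = Detector("FD-201"), Detector("FD-202")
    gas = VotedCause("Gas zone A (2oo3)", [g1, g2, g3], m=2)
    fire = VotedCause("Fire zone A (2oo2)", [f1, f2], m=2)
    causes = [gas, fire]
    chart = {   # Cause & Effect chart: cause -> final-element actions
        gas.name: {"Sound gas alarm", "Stop ventilation zone A", "ESD level 2: isolate zone A"},
        fire.name: {"Sound fire alarm", "Release deluge zone A", "ESD level 2: isolate zone A"},
    }
    results: Dict[str, List[str]] = {}

    g1.tripped = True                 # one detector alone: no trip (spurious-trip protection)
    results["single gas detector"] = sorted(evaluate(chart, causes))

    g2.tripped = True                 # second detector confirms: 2oo3 satisfied
    results["two gas detectors"] = sorted(evaluate(chart, causes))

    g1.tripped = g2.tripped = False   # gas clears
    f1.tripped, f2.healthy = True, False   # fire seen by one detector while the other is faulted
    results["fire with faulted detector"] = sorted(evaluate(chart, causes))
    results["degraded groups"] = [c.name for c in causes if c.is_degraded()]
    return results


if __name__ == "__main__":
    for scenario, outcome in demo_scenarios().items():
        print(f"{scenario}: {outcome}")
```

The two halves of the book's requirement show up as the two scenario pairs: the single-detector case produces no action (the vote protects against a spurious trip), while the faulted-detector case still trips because the group has degraded to 1-out-of-N and is flagged for maintenance through is_degraded().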

THE NEED FOR SAFETY INSTRUMENTATION
Managing and equipping an industrial plant with the right components and sub-systems for optimal operational efficiency and safety is a complex task. Safety Systems Engineering (SSE) describes a disciplined, systematic approach which encompasses hazard identification, safety requirements specification, safety system design and build, and system operation and maintenance over the entire lifetime of the plant. These activities form what has become known as the safety life-cycle model, which is at the core of current and emerging safety-related system standards.


ICS
Industrial Control System (ICS) is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as skid-mounted programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. ICSs are typically used in industries such as electrical, water, oil, gas and data. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. Field devices control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions.

DCS
A Distributed Control System (DCS) refers to a control system, usually of a manufacturing system, process or any kind of dynamic system, in which the controller elements are not central in location (like the brain) but are distributed throughout the system, with each component sub-system controlled by one or more controllers. The entire system of controllers is connected by networks for communication and monitoring. DCS is a very broad term used in a variety of industries to monitor and control distributed equipment:
- Electrical power grids and electrical generation plants
- Environmental control systems
- Traffic signals
- Radio signals
- Water management systems
- Oil refining plants
- Chemical plants
- Pharmaceutical manufacturing
- Sensor networks
- Dry cargo and bulk oil carrier ships

DCSs are used to control industrial processes such as electric power generation, oil and gas refineries, water and wastewater treatment, and chemical, food, and automotive production. DCSs are integrated as a control architecture containing a supervisory level of control, overseeing multiple integrated sub-systems that are responsible for controlling the details of a localized process. Product and process control are usually achieved by deploying feedback or feedforward control loops whereby key product and/or process conditions are automatically maintained around a desired set point. To accomplish the desired product and/or process tolerance around a specified set point, only specific programmable controllers are used.

ELEMENTS
A DCS typically uses custom designed processors as controllers and uses both proprietary interconnections and communications protocols for communication. Input and output modules form component parts of the DCS. The processor receives information from input modules and sends information to output modules. The input modules receive information from input instruments in the process (a.k.a. the field) and the output modules transmit instructions to the output instruments in the field. Computer buses or electrical buses connect the processor and modules through multiplexers or de-multiplexers. Buses also connect the distributed controllers with the central controller and finally to the Human-Machine Interface (HMI) or control consoles.


APPLICATIONS
Distributed Control Systems (DCSs) are dedicated systems used to control manufacturing processes that are continuous or batch-oriented, such as oil refining, petrochemicals, central station power generation, fertilizers, pharmaceuticals, food and beverage manufacturing, cement production, steelmaking, and papermaking. DCSs are connected to sensors and actuators and use set point control to control the flow of material through the plant. The most common example is a set point control loop consisting of a pressure sensor, controller, and control valve. Pressure or flow measurements are transmitted to the controller, usually through a signal conditioning Input/Output (I/O) device. When the measured variable reaches a certain point, the controller instructs a valve or actuation device to open or close until the fluidic flow process reaches the desired set point. Large oil refineries have many thousands of I/O points and employ very large DCSs. Processes are not limited to fluidic flow through pipes, however, and can also include things like paper machines and their associated quality controls (see Quality Control System, QCS), variable speed drives and motor control centers, cement kilns, mining operations, ore processing facilities, and many others. A typical DCS consists of functionally and/or geographically distributed digital controllers capable of executing from 1 to 256 or more regulatory control loops in one control box. The input/output devices (I/O) can be integral with the controller or located remotely via a field network. Today's controllers have extensive computational capabilities and, in addition to proportional, integral, and derivative (PID) control, can generally perform logic and sequential control. Modern DCSs also support neural network and fuzzy logic applications. DCSs may employ one or several workstations and can be configured at the workstation or by an off-line personal computer. Local communication is handled by a control network with transmission over twisted pair, coaxial, or fiber optic cable. A server and/or applications processor may be included in the system for extra computational, data collection, and reporting capability.

PLC
A Programmable Logic Controller (PLC) or programmable controller is a digital computer used for automation of electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or lighting fixtures. PLCs are used in many industries and machines. Unlike general purpose computers, the PLC is designed for multiple input and output arrangements, extended temperature ranges, immunity to electrical noise, and resistance to vibration and impact. Programs to control machine operation are typically stored in battery-backed or non-volatile memory. A PLC is an example of a real-time system, since output results must be produced in response to input conditions within a bounded time, otherwise unintended operation will result.

PLC System Overview

HISTORY
The PLC was invented in response to the needs of the American automotive manufacturing industry. Programmable logic controllers were initially adopted by the automotive industry, where software revision replaced the re-wiring of hard-wired control panels when production models changed. Before the PLC, control, sequencing, and safety interlock logic for manufacturing automobiles was accomplished using hundreds or thousands of relays, cam timers, drum sequencers and dedicated closed-loop controllers. The process for updating such facilities for the yearly model change-over was very time consuming and expensive, as electricians needed to individually rewire each and every relay. In 1968 GM Hydra-Matic (the automatic transmission division of General Motors) issued a request for proposal for an electronic replacement for hard-wired relay systems. The winning proposal came from Bedford Associates of Bedford, Massachusetts. The first PLC, designated the 084 because it was Bedford Associates' eighty-fourth project, was the result. Bedford Associates started a new company dedicated to developing, manufacturing, selling, and servicing this new product: Modicon, which stood for modular digital controller. One of the people who worked on that project was Dick Morley, who is considered to be the "father" of the PLC. The Modicon brand was sold in 1977 to Gould Electronics, and later acquired by the German company AEG and then by the French company Schneider Electric, the current owner. One of the very first 084 models built is now on display at Modicon's headquarters in North Andover, Massachusetts. It was presented to Modicon by GM when the unit was retired after nearly twenty years of uninterrupted service. Modicon used the 84 moniker at the end of its product range until the 984 made its appearance. The automotive industry is still one of the largest users of PLCs.


DEVELOPMENT
Early PLCs were designed to replace relay logic systems. These PLCs were programmed in "ladder logic", which strongly resembles a schematic diagram of relay logic. This program notation was chosen to reduce training demands for the existing technicians. Other early PLCs used a form of instruction list programming, based on a stack-based logic solver. Modern PLCs can be programmed in a variety of ways, from ladder logic to more traditional programming languages such as BASIC and C. Another method is State Logic, a very high-level programming language designed to program PLCs based on state transition diagrams. Many early PLCs did not have accompanying programming terminals that were capable of graphical representation of the logic, and so the logic was instead represented as a series of logic expressions in some version of Boolean format, similar to Boolean algebra. As programming terminals evolved, it became more common for ladder logic to be used, for the aforementioned reasons. Newer formats such as State Logic and Function Block (which is similar to the way logic is depicted when using digital integrated logic circuits) exist, but they are still not as popular as ladder logic. A primary reason for this is that PLCs solve the logic in a predictable and repeating sequence, and ladder logic allows the programmer (the person writing the logic) to see any issues with the timing of the logic sequence more easily than would be possible in other formats.

PROGRAMMING
Early PLCs, up to the mid-1980s, were programmed using proprietary programming panels or special-purpose programming terminals, which often had dedicated function keys representing the various logical elements of PLC programs. Programs were stored on cassette tape cartridges. Facilities for printing and documentation were very minimal due to lack of memory capacity. The very oldest PLCs used non-volatile magnetic core memory. More recently, PLCs are programmed using application software on personal computers. The computer is connected to the PLC through Ethernet, RS-232, RS-485 or RS-422 cabling. The programming software allows entry and editing of the ladder-style logic. Generally the software provides functions for debugging and troubleshooting the PLC software, for example by highlighting portions of the logic to show current status during operation or via simulation. The software will upload and download the PLC program, for backup and restoration purposes. In some models of programmable controller, the program is transferred from a personal computer to the PLC through a programming board which writes the program into a removable chip such as an EEPROM or EPROM.

FUNCTIONALITY
The functionality of the PLC has evolved over the years to include sequential relay control, motion control, process control, distributed control systems and networking. The data handling, storage, processing power and communication capabilities of some modern PLCs are approximately equivalent to desktop computers. PLC-like programming combined with remote I/O hardware allows a general-purpose desktop computer to overlap some PLCs in certain applications. Regarding the practicality of these desktop computer based logic controllers, it is important to note that they have not been generally accepted in heavy industry, because desktop computers run on less stable operating systems than PLCs do, and because desktop computer hardware is typically not designed to the same levels of tolerance to temperature, humidity, vibration, and longevity as the processors used in PLCs. In addition to the hardware limitations of desktop based logic, operating systems such as Windows do not lend themselves to deterministic logic execution, with the result that the logic may not always respond to changes in logic state or input status with the extreme consistency in timing that is expected from PLCs. Still, such desktop logic applications find use in less critical situations, such as laboratory automation and small facilities where the application is less demanding and critical, because they are generally much less expensive than PLCs. In more recent years, small products called PLRs (programmable logic relays), and also by similar names, have become more common and accepted. These are very much like PLCs, and are used in light industry where only a few points of I/O (i.e. a few signals coming in from the real world and a few going out) are involved, and low cost is desired. These small devices are typically made in a common physical size and shape by several manufacturers, and branded by the makers of larger PLCs to fill out their low-end product range. Popular names include PICO Controller, NANO PLC, and other names implying very small controllers. Most of these have between 8 and 12 digital inputs, 4 and 8 digital outputs, and up to 2 analog inputs. Size is usually about 4" wide, 3" high, and 3" deep. Most such devices include a tiny postage-stamp-sized LCD screen for viewing simplified ladder logic (only a very small portion of the program being visible at a given time) and the status of I/O points, and typically these screens are accompanied by a 4-way rocker push-button plus four more separate push-buttons, similar to the key buttons on a VCR remote control, used to navigate and edit the logic. Most have a small plug for connecting via RS-232 or RS-485 to a personal computer so that programmers can use simple Windows applications for programming instead of being forced to use the tiny LCD and push-button set for this purpose. Unlike regular PLCs, which are usually modular and greatly expandable, PLRs are usually not modular or expandable, but their price can be two orders of magnitude less than a PLC and they still offer robust design and deterministic execution of the logic.


FEATURES
Figure: Control panel with PLC (grey elements in the center). The unit consists of separate elements, from left to right: power supply, controller, relay units for input and output.
The main difference from other computers is that PLCs are armored for severe conditions (such as dust, moisture, heat, cold) and have the facility for extensive input/output (I/O) arrangements. These connect the PLC to sensors and actuators. PLCs read limit switches, analog process variables (such as temperature and pressure), and the positions of complex positioning systems. Some use machine vision. On the actuator side, PLCs operate electric motors, pneumatic or hydraulic cylinders, magnetic relays, solenoids, or analog outputs. The input/output arrangements may be built into a simple PLC, or the PLC may have external I/O modules attached to a computer network that plugs into the PLC.

PLC COMPARED WITH OTHER CONTROL SYSTEMS
PLCs are well-adapted to a range of automation tasks. These are typically industrial processes in manufacturing where the cost of developing and maintaining the automation system is high relative to the total cost of the automation, and where changes to the system would be expected during its operational life. PLCs contain input and output devices compatible with industrial pilot devices and controls; little electrical design is required, and the design problem centers on expressing the desired sequence of operations. PLC applications are typically highly customized systems, so the cost of a packaged PLC is low compared to the cost of a specific custom-built controller design. On the other hand, in the case of mass-produced goods, customized control systems are economic due to the lower cost of the components, which can be optimally chosen instead of a "generic" solution, and where the non-recurring engineering charges are spread over thousands or millions of units.


For high volume or very simple fixed automation tasks, different techniques are used. For example, a consumer dishwasher would be controlled by an electromechanical cam timer costing only a few dollars in production quantities. A microcontroller-based design would be appropriate where hundreds or thousands of units will be produced and so the development cost (design of power supplies, input/output hardware and necessary testing and certification) can be spread over many sales, and where the end-user would not need to alter the control. Automotive applications are an example; millions of units are built each year, and very few end-users alter the programming of these controllers. However, some specialty vehicles such as transit buses economically use PLCs instead of custom-designed controls, because the volumes are low and the development cost would be uneconomic. Very complex process control, such as used in the chemical industry, may require algorithms and performance beyond the capability of even high-performance PLCs. Very high-speed or precision controls may also require customized solutions; for example, aircraft flight controls. Programmable controllers are widely used in motion control, positioning control and torque control. Some manufacturers produce motion control units to be integrated with PLCs so that G-code (involving a CNC machine) can be used to instruct machine movements. PLCs may include logic for a single-variable feedback analog control loop, a "proportional, integral, derivative" or "PID controller". A PID loop could be used to control the temperature of a manufacturing process, for example. Historically PLCs were usually configured with only a few analog control loops; where processes required hundreds or thousands of loops, a distributed control system (DCS) would instead be used. As PLCs have become more powerful, the boundary between DCS and PLC applications has become less distinct. PLCs have similar functionality to Remote Terminal Units. An RTU, however, usually does not support control algorithms or control loops. As hardware rapidly becomes more powerful and cheaper, RTUs, PLCs and DCSs are increasingly beginning to overlap in responsibilities, and many vendors sell RTUs with PLC-like features and vice versa. The industry has standardized on the IEC 61131-3 functional block language for creating programs to run on RTUs and PLCs, although nearly all vendors also offer proprietary alternatives and associated development environments. A control system is a device or set of devices to manage, command, direct or regulate the behavior of other devices or systems. There are two common classes of control systems, with many variations and combinations: logic or sequential controls, and feedback or linear controls. There is also fuzzy logic, which attempts to combine some of the design simplicity of logic with the utility of linear control. Some devices or systems are inherently not controllable.

LOGIC CONTROL
Logic control systems for industrial and commercial machinery were historically implemented at mains voltage using interconnected relays, designed using ladder logic. Today, most such systems are constructed with programmable logic controllers (PLCs) or microcontrollers. The notation of ladder logic is still in use as a programming idiom for PLCs. Logic controllers may respond to switches, light sensors, pressure switches, etc., and can cause the machinery to start and stop various operations. Logic systems are used to sequence mechanical operations in many applications. Examples include elevators, washing machines and other systems with interrelated stop-go operations. Logic systems are quite easy to design, and can handle very complex operations. Some aspects of logic system design make use of Boolean logic.
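The ladder-logic idiom and the predictable, repeating scan sequence the PLC sections describe, as an added Python example that is not code from the course book. It runs the classic motor start/stop seal-in rung through the read-inputs, solve-logic, write-outputs cycle; the tag names, the rung and the input sequence are constructed for illustration.

```python
"""PLC scan cycle running a motor start/stop seal-in rung.

Added example, not code from the course book. It imitates the fixed,
repeating sequence the book attributes to PLCs: sample the inputs into an
image table, solve the rungs top to bottom against that snapshot, then write
the outputs. The tag names, the rung and the input sequence are constructed.

Rung, in ladder form (all contacts examine-if-closed):

    |--[ ]StartPB--+--[ ]StopNC--[ ]EStopNC--( )Motor--|
    |              |
    |--[ ]Motor----+
"""
from typing import Dict, List

Image = Dict[str, bool]


class ScanCyclePLC:
    def __init__(self) -> None:
        # Output image table; retained between scans so the seal-in branch can read it.
        self.outputs: Image = {"Motor": False}

    @staticmethod
    def solve_rungs(inputs: Image, outputs: Image) -> Image:
        """Solve the program against the input snapshot. One rung here:
        Motor = (StartPB OR Motor) AND StopNC AND EStopNC.
        StopNC and EStopNC are the input bits of normally-closed buttons: 1 while
        the button is released and the wiring is intact, 0 when pressed or when a
        wire breaks, so either condition opens the rung (fail-safe wiring)."""
        motor = (inputs["StartPB"] or outputs["Motor"]) and inputs["StopNC"] and inputs["EStopNC"]
        return {"Motor": motor}

    def scan(self, field_inputs: Image) -> Image:
        image = dict(field_inputs)                           # 1. read inputs into the input image table
        new_outputs = self.solve_rungs(image, self.outputs)  # 2. solve logic against that snapshot
        self.outputs = new_outputs                           # 3. write the output image to the field
        return dict(self.outputs)


# Constructed input sequence, one entry per scan (True = input bit is 1).
SCAN_EVENTS: List[Image] = [
    {"StartPB": False, "StopNC": True,  "EStopNC": True},   # idle
    {"StartPB": True,  "StopNC": True,  "EStopNC": True},   # start pressed
    {"StartPB": False, "StopNC": True,  "EStopNC": True},   # start released: seal-in holds
    {"StartPB": False, "StopNC": False, "EStopNC": True},   # stop pressed (or stop wire broken)
    {"StartPB": False, "StopNC": True,  "EStopNC": True},   # stop released: stays off
    {"StartPB": True,  "StopNC": True,  "EStopNC": True},   # start again
    {"StartPB": False, "StopNC": True,  "EStopNC": False},  # emergency stop
    {"StartPB": True,  "StopNC": True,  "EStopNC": False},  # start held while E-stop latched: no restart
]


def run_sequence(events: List[Image]) -> List[bool]:
    """Run one scan per event and return the Motor output after each scan."""
    plc = ScanCyclePLC()
    return [plc.scan(e)["Motor"] for e in events]


if __name__ == "__main__":
    for event, motor in zip(SCAN_EVENTS, run_sequence(SCAN_EVENTS)):
        print(event, "-> Motor", motor)
```

Because each rung reads the snapshot taken at the start of the scan, a start pulse shorter than one scan is never seen and the output only changes at the end of the scan; that fixed ordering is the timing property the book credits ladder logic with making visible to the programmer.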

ON-OFF CONTROL
For example, a thermostat is a simple negative-feedback control: when the temperature (the "process variable" or PV) goes below a set point (SP), the heater is switched on. Another example could be a pressure switch on an air compressor: when the pressure (PV) drops below the threshold (SP), the pump is powered. Refrigerators and vacuum pumps contain similar mechanisms operating in reverse, but still providing negative feedback to correct errors. Simple on-off feedback control systems like these are cheap and effective. In some cases, like the simple compressor example, they may represent a good design choice. In most applications of on-off feedback control, some consideration needs to be given to other costs, such as wear and tear of control valves and maybe other start-up costs when power is reapplied each time the PV drops. Therefore, practical on-off control systems are designed to include hysteresis, usually in the form of a deadband, a region around the setpoint value in which no control action occurs. The width of the deadband may be adjustable or programmable.
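The thermostat with and without a deadband, as an added Python example that is not code from the course book. A constructed room model is driven by the on-off logic described above; the switch count shows the wear-and-tear cost of a zero deadband and the peak error shows what the deadband costs in regulation. The heating and loss rates, setpoint and step count are assumptions.

```python
"""On-off control with and without a deadband.

Added example, not code from the course book. A constructed room model
(heater on raises the temperature by 1.0 per step, heater off lets it fall by
0.5 per step) is driven by the thermostat logic the book describes. The rates,
setpoint and step count are assumptions chosen so the arithmetic stays exact.
"""
from dataclasses import dataclass


class OnOffController:
    """Negative feedback with hysteresis: switch on below SP - deadband/2,
    off above SP + deadband/2, and hold the previous state inside the band."""

    def __init__(self, setpoint: float, deadband: float = 0.0) -> None:
        self.setpoint = setpoint
        self.half_band = deadband / 2.0
        self.on = False

    def update(self, pv: float) -> bool:
        if pv < self.setpoint - self.half_band:
            self.on = True
        elif pv > self.setpoint + self.half_band:
            self.on = False
        # otherwise the PV is inside the deadband: no control action
        return self.on


@dataclass
class RunResult:
    switches: int      # number of on/off transitions of the heater
    max_error: float   # largest |SP - PV| seen during the run
    final_pv: float


def simulate(deadband: float, setpoint: float = 20.0, start: float = 20.0,
             heat_rate: float = 1.0, loss_rate: float = 0.5, steps: int = 300) -> RunResult:
    """Run the constructed room model under on-off control for `steps` iterations."""
    ctrl = OnOffController(setpoint, deadband)
    pv, heater, switches, max_error = start, ctrl.on, 0, 0.0
    for _ in range(steps):
        demand = ctrl.update(pv)                      # read the PV, decide heater state
        if demand != heater:
            switches += 1                             # each transition is wear on the actuator
            heater = demand
        pv += heat_rate if heater else -loss_rate     # constructed plant response
        max_error = max(max_error, abs(setpoint - pv))
    return RunResult(switches, max_error, pv)


if __name__ == "__main__":
    for band in (0.0, 2.0):
        r = simulate(band)
        print(f"deadband {band}: {r.switches} switches, max error {r.max_error}, final PV {r.final_pv}")
```

With a zero deadband the heater toggles on two scans out of every three; a deadband of 2.0 cuts the switching by about two thirds at the price of the PV wandering 1.5 from the setpoint instead of 0.5, which is the trade-off the passage asks the designer to weigh.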

LINEAR CONTROL
Linear control systems use linear negative feedback to produce a control signal mathematically based on other variables, with a view to maintaining the controlled process within an acceptable operating range. The output from a linear control system into the controlled process may be in the form of a directly variable signal, such as a valve that may be 0 or 100% open or anywhere in between. Sometimes this is not feasible and so, after calculating the current required corrective signal, a linear control system may repeatedly switch an actuator, such as a pump, motor or heater, fully on and then fully off again, regulating the duty cycle using pulse-width modulation.

PROPORTIONAL CONTROL
When controlling the temperature of an industrial furnace, it is usually better to control the opening of the fuel valve in proportion to the current needs of the furnace. This helps avoid thermal shocks and applies heat more effectively. Proportional negative-feedback systems are based on the difference between the required set point (SP) and process value (PV). This difference is called the error. Power is applied in direct proportion to the current measured error, in the correct sense so as to tend to reduce the error (and so avoid positive feedback). The amount of corrective action that is applied for a given error is set by the gain or sensitivity of the control system. At low gains, only a small corrective action is applied when errors are detected: the system may be safe and stable, but may be sluggish in response to changing conditions; errors will remain uncorrected for relatively long periods of time: it is over-damped. If the proportional gain is increased, such systems become more responsive and errors are dealt with more quickly. There is an optimal value for the gain setting when the overall system is said to be critically damped. Increases in loop gain beyond this point will lead to oscillations in the PV; such a system is under-damped.

PID CONTROL
Apart from sluggish performance to avoid oscillations, another problem with proportional-only control is that power application is always in direct proportion to the error. In the example above we assumed that the set temperature could be maintained with 50% power. What happens if the furnace is required in a different application where a higher set temperature will require 80% power to maintain it? If the gain was finally set to a 50 PB, then 80% power will not be applied unless the furnace is 15° below setpoint, so for this other application the operators will have to remember always to set the setpoint temperature 15° higher than actually needed. This 15° figure is not completely constant either: it will depend on the surrounding ambient temperature, as well as other factors that affect heat loss from or absorption within the furnace. To resolve these two problems, many feedback control schemes include mathematical extensions to improve performance. The most common extensions lead to proportional-integral-derivative control, or PID control (pronounced pee-eye-dee).
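As an added example, not taken from the course book, the following Python simulation of a constructed furnace model illustrates the behaviour described under ON-OFF CONTROL and PID CONTROL above: how many switch operations an on-off controller makes with and without a deadband, the standing offset that a proportional-only controller leaves and how it grows with the power the load needs, and how adding an integral term removes that offset. The furnace constants, controller settings and the "proportional band in degrees" convention are all assumptions made for this illustration.

```python
"""Constructed furnace model used to compare the control schemes above.

All constants are invented for illustration (not from the course book).
One step of the model: the heater adds HEAT_GAIN * power degrees and the
furnace loses LOSS_COEFF * (temp - ambient) degrees to its surroundings.
At steady state heating equals loss, so the temperature settles at
temp = ambient + HEAT_GAIN * power / LOSS_COEFF; with the constants below
50 % power holds 520 C and 80 % power holds 820 C at 20 C ambient.
"""

HEAT_GAIN = 10.0    # degrees added per step at 100 % power (constructed)
LOSS_COEFF = 0.01   # fraction of the excess over ambient lost per step (constructed)


def clamp(power):
    """Actuator limits: the fuel valve cannot go below 0 % or above 100 %."""
    return min(1.0, max(0.0, power))


def plant_step(temp, power, ambient=20.0):
    """Advance the constructed furnace model by one time step."""
    return temp + HEAT_GAIN * clamp(power) - LOSS_COEFF * (temp - ambient)


def simulate_onoff(setpoint, deadband, steps, ambient=20.0):
    """On-off (thermostat) control with a deadband centred on the setpoint.

    Returns (number of heater switch operations, final temperature).
    With deadband == 0 the heater toggles on almost every step once the
    setpoint is reached; a deadband trades a small temperature swing for
    far fewer switch operations (less wear on the contactor or valve).
    """
    temp, heater_on, switches = ambient, False, 0
    for _ in range(steps):
        if heater_on and temp >= setpoint + deadband / 2:
            heater_on, switches = False, switches + 1
        elif not heater_on and temp <= setpoint - deadband / 2:
            heater_on, switches = True, switches + 1
        temp = plant_step(temp, 1.0 if heater_on else 0.0, ambient)
    return switches, temp


def simulate_p(setpoint, prop_band, steps, ambient=20.0):
    """Proportional-only control: power = error / proportional band.

    prop_band is the error (in degrees) at which the output reaches 100 %.
    Returns the steady-state offset (setpoint - final temperature).  A
    P-only loop must leave some error standing, because zero error would
    mean zero power, and the offset grows with the power the load needs.
    """
    temp = ambient
    for _ in range(steps):
        error = setpoint - temp
        temp = plant_step(temp, error / prop_band, ambient)
    return setpoint - temp


def simulate_pi(setpoint, prop_band, integral_time, steps, ambient=20.0):
    """Proportional-integral control removes the standing offset.

    Each step the integral term accumulates error / integral_time and is
    added to the error before dividing by the proportional band, so the
    standing power the load needs is eventually supplied at zero error.
    Integration is paused while the output is saturated (a simple
    anti-windup measure) so the warm-up phase cannot wind the integral up
    and cause a large overshoot.  Returns the final temperature.
    """
    temp, integral = ambient, 0.0
    for _ in range(steps):
        error = setpoint - temp
        power = (error + integral) / prop_band
        if 0.0 < power < 1.0:
            integral += error / integral_time
        temp = plant_step(temp, power, ambient)
    return temp


if __name__ == "__main__":
    print("on-off, no deadband:   %d switch operations" % simulate_onoff(520.0, 0.0, 1000)[0])
    print("on-off, 40 C deadband: %d switch operations" % simulate_onoff(520.0, 40.0, 1000)[0])
    print("P-only offset at 520 C setpoint: %.1f C" % simulate_p(520.0, 50.0, 1000))
    print("P-only offset at 820 C setpoint: %.1f C" % simulate_p(820.0, 50.0, 1000))
    print("PI final temperature at 820 C setpoint: %.1f C" % simulate_pi(820.0, 50.0, 20.0, 1000))
```

With these constants the P-only offset works out analytically to LOSS_COEFF * (setpoint - ambient) / (HEAT_GAIN / prop_band + LOSS_COEFF), which is why it also changes with ambient temperature, as the text notes.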

COMMUNICATIONS
PLCs have built-in communications ports, usually 9-pin RS-232, but optionally EIA-485 or Ethernet. Modbus, BACnet or DF1 is usually included as one of the communications protocols. Other options include various fieldbuses such as DeviceNet or Profibus. Other communications protocols that may be used are listed in the List of automation protocols. Most modern PLCs can communicate over a network to some other system, such as a computer running a SCADA (Supervisory Control And Data Acquisition) system or web browser. PLCs used in larger I/O systems may have peer-to-peer (P2P) communication between processors. This allows separate parts of a complex process to have individual control while allowing the subsystems to co-ordinate over the communication link. These communication links are also often used for HMI devices such as keypads or PC-type workstations.


SAFETY POLICY AND SAFETY TERMINOLOGY
A safety policy is an outline of the company's commitment to health and safety and indicates the company's objectives, the organization of responsibilities and arrangements in place for achieving the objectives. The amount of detail will be dependent on the size of the company and the associated risks. Consequently a small office with one site and eight employees may only require a simple statement, whereas a small retailer with six outlets may need to provide more detail taking account of additional staff being employed at different locations. The aim however is that it remains a working document rather than a paper exercise. The Health and Safety at Work Act 1974 places responsibility on both employers and employees for the health and safety of persons at work and others who may be affected by such work. The law requires a written statement of policy on health and safety to be prepared by all organizations employing five or more persons (not necessarily at the same site). The policy must be brought to the attention of all employees and reviewed periodically.

OBJECTIVES OF SAFETY POLICY
- To give highest priority to safety in the selection of plants and equipment, and in erection and commissioning activities
- To develop operating manuals for each process, with safety provisions duly highlighted
- To provide safety training to employees and contract workers and to ensure use of PPE and safe work practices
- To inculcate a safety culture in the organization where safety is manifested in each employee's mind, thought and expression
- To strictly adhere to the safety-related laws, rules and procedures framed by the Govt. and to take appropriate action in case of violation
- To identify and eliminate risk-related processes by carrying out safety audits
- To ensure, prepare and update Disaster Management Strategies and organize mock drills to keep the concerned personnel in preparedness
- To give priority to the occupational health of its employees
- To continuously strive for improvement in safety performance

INDIA SAFETY POLICY
Employing ICAO standards and recommended practices, as minimum international standards and recommended practices, the Directorate General of Civil Aviation (DGCA) will ensure the highest level of safety in the Indian aviation system. Mindful of India's State Safety Programme (SSP), DGCA will maintain an integrated set of regulations and activities aimed at enhancing aviation safety. DGCA will implement proactive and as far as possible predictive strategies encouraging all stakeholders/service providers to understand the benefits of a safety culture, which should be based on an inclusive reporting culture. DGCA will foster and assist stakeholders in developing comprehensive Safety Management Systems (SMS) and will develop preventive safety strategies for the aviation system in an environment of a just culture.


DGCA COMMITS TO:
- Develop and embed a safety culture across all aviation industries that recognizes the importance and value of effective aviation safety management and acknowledges at all times that safety is paramount;
- Support the management of safety in India through an effective safety reporting and communication system;
- Develop general rulemaking and specific operational policies that build upon safety management principles;
- Ensure that the DGCA financial and human resources are sufficient for implementation, establishment and maintenance of SSP and that personnel have the proper skills and are trained for discharging their responsibilities, both safety related and otherwise, and that these personnel are specialists in their functional areas and competent in safety regulation of operators and service providers;
- Clearly define for all regulatory staff their responsibilities and accountabilities for the implementation, establishment and maintenance of SSP and its performance;
- Conduct both performance-based and compliance-oriented activities, supported by analyses and prioritized resource allocation based on safety risk levels (proactively targeting regulatory attention on known areas of high risk);
- Ensure that acceptable levels of safety for aviation operations within the State are being set, measured and achieved, and expressed in terms of safety performance indicators and safety performance targets;
- Continually improve the SSP and safety performance;
- Interact effectively with service providers in the resolution of safety concerns;
- Ensure that operators and service providers establish and maintain the Safety Management System (SMS) in their operation;
- Establish provisions for the protection of safety data, collection and processing systems, so that people are encouraged to provide essential safety-related information on hazards, and there is a continuous flow and exchange of safety management data between DGCA and service providers; and
- Promulgate an enforcement policy that ensures that no information derived from any safety data, collection and processing systems, established under the SMS will be used as the basis for enforcement action, except in the case of gross negligence or wilful deviation; and
- Achieve the highest levels of safety standards and performance in aviation operations.
This policy must be understood, implemented and observed by all staff involved in activities related to the State Safety Program.

1. General Statement of Policy
This should be signed by a Director of the company or the senior partner.


2. Responsibilities
Ultimate responsibility for health and safety rests at Director level, with delegation of duties to managerial employees. Those named must be fully aware of their duties, details of which should be included in their job description. Employees must also be reminded that they have responsibilities under the law to take care of the health and safety of themselves and others and to co-operate with you in doing that.

3. Training
All employers have an obligation to provide induction training to all staff. This should cover general safety including such matters as accident reporting, first aid, means of escape in case of a fire as well as restrictions etc. There may also be a need to provide specialist training covering specific types of equipment or changes to the method of working that may only be applicable to certain members of staff.

4. Accidents
First aid treatment must be available to all employees whilst they are at work, whether they are at their normal base or working away. The standard of first aid treatment will vary depending upon the size of the organization and the activities carried out at the premises. Employees must be made aware of the first aid treatment available and records must be kept of treatment administered. Certain incidents may also be reportable under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR).

5. Fire Safety
The fire fighting equipment and the means of escape are covered by the Fire Precautions Act and the local Fire Officer should be contacted for advice and guidance. Fire safety should however form part of your overall management of health and safety and details should be included in your safety policy.

6. Electrical Equipment
Electrical systems must be maintained to prevent danger and consequently there will be a need to carry out regular visual examination of electrical equipment by competent staff as well as interim examination and, where applicable, testing of electrical systems by other competent persons.

(Figure: Electrical Equipment of motorcycle)

7. Housekeeping
Housekeeping is an important area and there are general obligations regarding such matters as cleanliness, safe storage and safe access.

8. Machinery/Equipment
Machinery/equipment must be designed for the purpose, suitably maintained and operators must be suitably trained. Some machinery/equipment may need to be fitted with guards and safety devices to dangerous parts, and certain machinery, e.g. lifts and pressure vessels, must be examined and certified fit for use by a competent person at prescribed intervals.


9. Dangerous and Hazardous Substances
Hazards may be biological, chemical or physical and will include fire and explosion. Risks must therefore be identified and all possible steps taken to eliminate or reduce those risks.

10. Fluids/Gases under Pressure
Under certain conditions some fluids/gases under pressure can ignite or explode. It is therefore important to identify such equipment and ensure that clear rules relating to use and maintenance are applied.

11. Personal Protective Equipment
Where personal protective equipment is provided it must be of the correct type, suitably maintained and, where applicable, the employee must be suitably trained in its use. It should however be noted that an employer has a duty to eliminate or control risk so far as is reasonably practicable before resorting to personal protective equipment (i.e. PPE must be a last resort).

12. Noise
Excessive noise impairs hearing and in certain circumstances there will be a need to reduce the noise level or provide personal protective equipment.

13. Contractors and Visitors
You have obligations to ensure the health and safety of both contractors and visitors and in turn contractors will have obligations to ensure the safety of your staff as well as visitors. It is therefore important that clear rules are set out covering such people. You will need to know what the contractor will be doing on your premises and similarly you will need to inform them of any activities taking place on your premises that may affect their employees.

14. Advice and Consultancy
Advice is freely available, and you may also have access to other people for certain purposes.

WORK PERMIT SYSTEMS
A work permit system consists primarily of a standard procedure designed to ensure that potentially hazardous routine and non-routine work on industrial installations can be carried out safely. The procedure should define the need for the following essential steps:
- Details of the necessary preparatory work
- Clear definition of responsibilities
- Appropriate training of the work force
- Provision of adequate safety equipment
- A formal work permit with or without attached specific checklists
This work permit:
1. Specifies the work to be accomplished and authorizes it to be started under the strict observance of consigned work and safety procedures.
2. Is issued after information to and agreement of all other concerned parties (process, safety, customers, suppliers).

(Figure: Work Permit)

THE WORK PERMIT SYSTEM: WHEN?
1. For all non-routine works,
2. For hazardous routine works not covered by procedures,
3. When work is performed by your employees and/or third parties.

THE WORK PERMIT SYSTEM: FOR WHAT KIND OF WORK?
A work permit is required in case of:
- Potential oxygen deficiency or enrichment
- Potential flammable/explosive atmosphere
- Potential high temperature/pressure
- Potential hazardous chemicals, e.g. toxic substances
- Confined space entry, e.g. tanks, cold box, pit, normally closed vessels
- Bypassing or removing/altering safety devices or equipment
- Elevated works
- Introduction of ignition sources where not permanently allowed (fire permit), e.g. open flame, welding, grinding
- Electrical troubleshooting or repair on live circuits
Or also in case of:
- Manual or powered excavations
- Use of mobile cranes
- Insulation or catalyst handling
- Use of adapters
- Product conversion of stationary, mobile or portable vessels and containers
- Temporary or permanent changes, alterations or modification of equipment or processes
- Exposure to traffic
- Exposure to moving/rotating machinery
- Work in proximity of vents, liquid or gas
- Work on process lines with gas release

(Figure: Work Permit area)

THE WORK PERMIT SYSTEM: WHY?
1. Because:
- As the person in charge of the work, you do not know everything about the site and the process around the work.
- Safety measures have to be prepared.
- You cannot start the work without the OK of the production personnel or the customer or the supplier.
- Production needs your OK in order to re-start the plant after your work is completed.
2. To achieve work that is safe as well as quick and cost-effective.

THE WORK PERMIT SYSTEM: WITH WHOM?
In order to define the scope of work for everyone concerned or involved by and during the work, the Work Permit must be prepared with:
- The person responsible for the work
- The person(s) in charge of the production, the customer or supplier, who will release the process before the work starts
- The other work bodies
- The person in charge of HSE measures

THE WORK PERMIT SYSTEM: HOW?
1. Before issuing the Work Permit, you must:
- Describe the work to be done
- List all the specifications and drawings which are required
- Issue detailed planning with all involved entities
- Determine the logging and tagging procedures
2. Fill in the work permit together and sign it,
3. The start of the work must be authorized by production and/or the user,
4. The re-start of the process must take place only after the work is finished.

THE WORK PERMIT SYSTEM: REVIEW OF FLOW SHEETS, DRAWINGS AND SPECIFICATIONS
The purpose of the review is to ensure that all key persons involved in job planning have a thorough understanding of the job. It should include:
- Process fluids and materials involved
- Degree of isolation
- Effect of other processes
- Power supply isolation
- Specialist advice
- Location of underground services and pipes
- Location of elevated power cables
- Location of elevated pipelines and walkways
- Purging and lock-out requirements
- Pressure
- Temperature
- Valve identification
- Equipment specification
- Operating and maintenance instructions
- Materials of construction and compatibilities

THE WORK PERMIT SYSTEM: WORK SITE INSPECTION
Anyone involved in and signing the Safe Work Permit must visit the work place in order:
- To inspect the work area: neighboring activities, site rules, overhead, underground, access, natural hazards (flood, rain, snow), etc.
- To identify potential hazards: flammable, oxygen, toxic substances, confined spaces, electricity, pressure, temperature, moving objects, traffic, falls/trips/slips, etc.


(Figure: Work site inspection)

THE WORK PERMIT SYSTEM: DEVELOPMENT OF WORK PROCEDURES
Preparation of a detailed work procedure is essential to ensure that the work will proceed safely in a planned and logical manner. The following requirements are to be considered:
- Reference drawings
- Timing of various operations
- Details of any special equipment
- Need to inform local authorities
- Safety precautions and equipment
- Emergency procedures, etc.
The procedure should include:
- Logging and tagging procedures: electricity, process fluids, instrumentation, utilities (water, air, oil, etc.)
- Depressurizing, draining, venting, purging, flushing
- Isolating
- Atmosphere checking
- Disassembly of equipment
- Method of repair
- Reassembly and installation
- Quality control
- Pressure and leak testing
- Reinstatement of equipment
- Hand-back procedure, etc.


Review questions
Five Marks
1. What is industrial safety?
2. Mention the different types of safety systems in industries.
3. Write a short note on ESD.
4. Write a short note on ICS.
5. Write a short note on SIS.
6. Write a short note on SSS.
7. Draw the block diagram for a PLC system.
8. Define safety policy.
9. Why is the work permit system needed?
10. For what kind of work is a work permit required in industries?
Fifteen Marks
1. Explain the different types of industrial safety systems.
2. Explain PLC.
3. Explain the concepts of ICS and DCS.
4. Write a short note on the following: i) FGS ii) EDP iii) PSV
5. Explain safety policy and safety terminology in detail.
6. Explain the concept of the work permit system.
7. When is the work permit system needed? Explain its concepts.
8. Explain the terms to be considered before issuing a work permit.
9. Why is the work permit system needed? Explain its concepts.
10. Explain the development of work procedures in the work permit system.


UNIT II
Job safety analysis
A Job Safety Analysis (JSA) is a method that can be used to identify, analyze and record 1) the steps involved in performing a specific job, 2) the existing or potential safety and health hazards associated with each step, and 3) the recommended action(s)/procedure(s) that will eliminate or reduce these hazards and the risk of a workplace injury or illness. Job Safety Analysis is one of the safety management tools that can be used to define and control the hazards associated with a certain process, job or procedure. Job Safety Analysis is a term used interchangeably with Job Hazard Analysis and Risk Assessment. The purpose of a JSA is to ensure that the risk of each step of a task is reduced to ALARP.

(Figure: Job hazard analyses)


The analysis starts with a summary of the whole job process. This is broken down into smaller steps and listed in table form. The hazards involved in each single step are identified, and then the control measures to eliminate, reduce or mitigate each hazard are identified and described. By this means every aspect of the whole process is analyzed and safe methods of work determined. Job Safety Analysis (JSA), also known as Job Hazard Analysis (JHA), Activity Hazard Analysis (AHA) or Risk Assessment (RA), is a safety management tool in which the risks or hazards of a specific job in the workplace are identified, and then measures to eliminate or control those hazards are determined and implemented. More specifically, a job safety analysis is a process of systematically evaluating certain jobs, tasks, processes or procedures and eliminating or reducing the risks or hazards to as low as reasonably practical (ALARP) in order to protect workers from injury or illness. The JSA process is documented and the JSA document is used in the workplace or at the job site to guide workers in safe job performance. The JSA document is also a living document that is adjusted as conditions warrant. The JSA process begins with identification of the potential hazards or risks associated with a particular job. Once the hazards are understood, the consequences of those hazards are then identified, followed by control measures to eliminate or mitigate the hazards. A more detailed JSA can be performed by breaking the job into steps and identifying specific hazards and control measures for each job step, providing the worker with a documented set of safe job procedures. Some JSA processes also include a risk assessment that lists the probability of each hazard occurring and the severity of the consequences, as well as the effectiveness of the control measures. The U.S. Army Corps of Engineers uses a risk assessment code (RAC) to analyze the level of risk associated with each job step. 
For more information on RAC, see USACE AHA FORMAT.


The end result of a JSA is an easy to understand document that can be shared with workers as part of pre-job and safety meetings, and/or included as part of worker job descriptions. The JSA process can be used to help refine safe work procedures described in safety manuals or standard operating procedures, and the JSA document can serve as a useful tool in training new employees. It is important to remember that a JSA is not simply a piece of paper; it is a process. Workers and management need to understand that a piece of paper will not make the job safe. Rather, workers and management must understand the risks and hazards associated with the job and know how to utilize the chosen controls in such a way as to eliminate or mitigate those risks. The JSA documents the decisions of this process.

WHY IS JSA IMPORTANT?
Many workers are injured and killed at the workplace every day in countries all around the world, both in industrialized and non-industrialized countries. Protecting safety and health is critical to employee lives, jobs and business. Systematically looking at workplace operations, establishing proper job procedures and ensuring all employees are properly trained can help mitigate and prevent workplace injuries and illnesses. This is also likely to result in not only fewer worker injuries and illnesses, but also safer and more effective work methods, reduced workers' legal claims, increased productivity and fewer injury and lost time costs.

JSA AS A LEADING INDICATOR
There is a growing trend among companies today to go beyond measurement of past safety performance and incident reports in developing their safety programs, and move into more proactive measurements of safety. Measurement of past incidents, successes and failures happens after the fact and is considered a lagging indicator. Measurement of future performance, or commitment to tangible goals, is considered a leading indicator.


Performing a job safety analysis (JSA) can help workers and management identify potential hazards before they occur, and implement corrections so that they do not occur. Setting tangible goals to perform safety analyses of all jobs, or to correct all hazards so that they reach a specific minimal level of risk are other examples of using leading indicators to drive a safety program, as opposed to lagging indicators, which measure past performance.

JSA USE IN INCIDENT INVESTIGATION
In the event of an incident, documentation of the job safety analysis is critical to the team investigating the incident. By reviewing the process and understanding the hazards, controls, job steps and safe practices defined and implemented, incident investigators can gain valuable insight, leading to a better incident investigation, and in turn, better process, safer controls and safer work practices. The JSA document may also be helpful in the event of legal remedies sought by aggrieved parties, as it provides a record of how the job is supposed to be performed safely, and the workers who signed off on it.

WHO SHOULD CONDUCT/CREATE THE JSA?
Often, employers, foremen, supervisors and health and safety professionals conduct job safety analyses, which are then reviewed with and/or by workers performing the job. At other times, workers may discover a task on the job site which does not have a written JSA, and may conduct their own JSA on the job site before beginning the task.

HOW DO I CONDUCT/CREATE A JSA?
1. Involve your employees. It is very important to involve your employees in the hazard analysis process. They have a unique understanding of the job, and this knowledge is invaluable for finding hazards. Involving employees will help minimize oversights, ensure a quality analysis, and get workers to "buy in" to the solutions because they will share ownership in their safety and health program.
2. Review your accident history. Review with your employees your worksite's history of accidents and occupational illnesses that needed treatment, losses that required repair or replacement, and any "near misses" -- events in which an accident or loss did not occur, but could have. These events are indicators that the existing hazard controls (if any) may not be adequate and deserve more scrutiny.
3. Conduct a preliminary job review. Discuss with your employees the hazards they know exist in their current work and surroundings. Brainstorm with them for ideas to eliminate or control those hazards. If any hazards exist that pose an immediate danger to a worker's life or health, take immediate action to protect the worker. Any problems that can be corrected easily should be corrected as soon as possible. Do not wait to complete your job safety analysis. This will demonstrate your commitment to safety and health and enable you to focus on the hazards and jobs that need more study because of their complexity. For those hazards determined to present unacceptable risks, evaluate types of hazard controls.
4. List, rank, and set priorities for hazardous jobs. List jobs with hazards that present unacceptable risks, and rank them based on those most likely to occur and those with the most severe consequences. These jobs should be your first priority for analysis.
5. Outline the steps or tasks. Nearly every job can be broken down into job tasks or steps. When beginning a job safety analysis, watch the employee perform the job and list each step as the employee takes it. Be sure to record enough information to describe each job action without getting overly detailed. Avoid making the breakdown of steps so detailed that it becomes unnecessarily long or so broad that it does not include basic steps. You may find it valuable to get input from other workers who have performed the same job. Later, review the job steps with the employee to make sure you have not omitted something. Point out that you are evaluating the job itself, not the employee's job performance. Include the employee in all phases of the analysis -- from reviewing the job steps and procedures to discussing uncontrolled hazards and recommended solutions. Be sure to document your findings in order to create a written record of your JSA.

Sometimes, in conducting a job safety analysis, it may be helpful to photograph or videotape the worker performing the job. These visual records can be handy references when doing a more detailed analysis of the work. Management and workers may also find it useful to assign a probability and severity ranking to each hazard in the job, denoting how likely or probable the hazard is to occur, and the severity of the consequences should it occur.

It is important to remember that the JSA should be performed prior to the start of work, updated as conditions change and reviewed periodically to ensure its accuracy. Many organizations perform and document their JSAs a day or so in advance, and then review them with workers that morning, prior to start of work. This helps ensure that they have taken the time to thoroughly analyze for hazards or risks, and have the appropriate controls in place to eliminate or minimize those hazards before arriving at the job site. When conditions such as changes in job requirements, site conditions (e.g., weather), manpower or equipment operations (e.g., malfunctions, new equipment) present themselves, it is important to stop and re-analyze the job for potential new hazards created by these changes. New controlling measures should then be put in place to eliminate or minimize the new hazard. If new controls cannot be implemented on the job to reduce the hazard to an acceptable risk level or ALARP, new engineering and administrative controls may need to be devised by job management or supervisors before returning to work.

WHEN IS A JSA REQUIRED?
Some type of risk analysis should be performed before every job. Some tasks are routine and the hazards and controls well understood. For routine tasks consider using a Standard Operating Procedure, a set of standing orders that control the known hazards. For tasks that are complex, unusual, difficult, require the interaction of many people or systems or involve new tools or methods, a JSA should be performed.

HOW IS JSA CREATED?
The JSA or JHA should be created by the work group performing the task. Sometimes it is expedient to review a JSA that has been prepared when the same task has been performed before, but the work group must take special care to review all of the steps thoroughly to ensure that they are controlling all of the hazards for this job this time. The JSA is usually completed on a form. The most common form is a table with three columns (although each company has a variation, with many having five or six columns). The headings of the three columns are (1) Job Step (2) Hazard (3) Controls. A Hazard is any factor that can cause damage to personnel, property or the environment (some companies include loss of production or downtime in the definition as well). A Control is any process for controlling a hazard. The work group firstly breaks down the entire job into its component steps. Then, for each step, hazards are identified. Finally, for each hazard identified, controls are recorded in


WHAT ARE THE BENEFITS OF DOING A JOB SAFETY ANALYSIS?
One of the methods used in this example is to observe a worker actually perform the job. The major advantages of this method are that it does not rely on individual memory and that the process prompts recognition of hazards. For infrequently performed or new jobs, observation may not be practical. One approach is to have a group of experienced workers and supervisors complete the analysis through discussion. An advantage of this method is that more people are involved, bringing a wider base of experience and promoting a more ready acceptance of the resulting work procedure. Members of the joint occupational safety and health committee must participate in this process. Initial benefits from developing a JSA will become clear in the preparation stage. The analysis process may identify previously undetected hazards and increase the job knowledge of those participating. Safety and health awareness is raised, communication between workers and supervisors is improved, and acceptance of safe work procedures is promoted.


A JSA, or better still, a written work procedure based on it, can form the basis for regular contact between supervisors and workers. It can serve as a teaching aid for initial job training and as a briefing guide for infrequent jobs. It may be used as a standard for health and safety inspections or observations. In particular, a JSA will assist in completing comprehensive accident investigations.

AFTER THE JSA WORKSHEET IS COMPLETED
After the JSA worksheet is completed, the work group that is about to perform the task should have a toolbox talk to discuss the hazards and controls, delegate responsibilities, ensure that all equipment and PPE described in the JSA are available, that contingencies such as fire fighting are understood, that communication channels and hand signals are agreed, etc. Then, if everybody in the work group feels that it is safe to proceed with the task, work should commence. If at any time during the task circumstances change, then work should be stopped (sometimes called a "timeout for safety"), and the hazards and controls described in the JSA should be reassessed and additional controls used or alternative methods devised. Again, work should only recommence when every member of the work group feels it is safe to do so. When the task is complete it is often of benefit to have a close-out or "tailgate" meeting, to discuss any lessons learned so that they may be incorporated into the JSA the next time the task is undertaken.

Tips and Tricks
It is vitally important that workers understand that it is not the JSA form that will keep them safe on the job, but rather the process it represents. It is of little value to identify hazards and devise controls if the controls are not put in place. Workers should never be tempted to "sign on" the bottom of a JSA without first reading and understanding it. JSAs are quasi-legal documents, and are often used in incident investigations, contractual disputes, and court cases.

Everybody in the workforce should be involved in creating the JSA. The more minds and the more years of experience applied to analyzing the hazards in a job, the more successful the work group will be in controlling them.

HAZOP STUDY

A Hazard and Operability (HAZOP) study is a structured and systematic examination of a planned or existing process or operation in order to identify and evaluate problems that may represent risks to personnel or equipment, or prevent efficient operation.

Hazard and Operability

The HAZOP technique was initially developed to analyze chemical process systems, but has since been extended to other types of systems, to complex operations and to software systems. A HAZOP is a qualitative technique based on guidewords and is carried out by a multi-disciplinary team (the HAZOP team) during a set of meetings.

WHEN TO PERFORM A HAZOP?

The HAZOP study should preferably be carried out as early in the design phase as possible, so that it can influence the design. On the other hand, to carry out a HAZOP we need a fairly complete design. As a compromise, the HAZOP is usually carried out as a final check when the detailed design has been completed. A HAZOP study may also be conducted on an existing facility to identify modifications that should be implemented to reduce risk and operability problems. HAZOP studies may also be used more extensively, including:

At the initial concept stage when design drawings are available
When the final piping and instrumentation diagrams (P&ID) are available
During construction and installation to ensure that recommendations are implemented
During commissioning
During operation to ensure that plant emergency and operating procedures are regularly reviewed and updated as required

TYPES OF HAZOP

Process HAZOP: The HAZOP technique was originally developed to assess plants and process systems.
Human HAZOP: A family of specialized HAZOPs, more focused on human errors than technical failures.
Procedure HAZOP: Review of procedures or operational sequences, sometimes denoted SAFOP (Safe Operation Study).
Software HAZOP: Identification of possible errors in the development of software.

Responsibilities of HAZOP team leader:

Define the scope for the analysis
Select HAZOP team members
Plan and prepare the study
Chair the HAZOP meetings

Responsibilities of HAZOP secretary:

Prepare HAZOP worksheets
Record the discussion in the HAZOP meetings
Prepare draft report(s)

HAZOP meeting

Proposed agenda:
1. Introduction and presentation of participants
2. Overall presentation of the system/operation to be analyzed
3. Description of the HAZOP approach
4. Presentation of the first node or logical part of the operation
5. Analyze the first node/part using the guide-words and parameters
6. Continue presentation and analysis (steps 4 and 5)
7. Course summary of findings

Focus should be on potential hazards as well as potential operational problems. Each session of the HAZOP meeting should not exceed two hours.

HAZOP PROCEDURE

1. Divide the system into sections (e.g., reactor, storage)
2. Choose a study node (e.g., line, vessel, pump, operating instruction)
3. Describe the design intent
4. Select a process parameter
5. Apply a guide-word
6. Determine cause(s)
7. Evaluate consequences/problems
8. Recommend action: What? When? Who?
9. Record information
10. Repeat procedure (from step 2)

MODES OF OPERATION

The following modes of plant operation should be considered for each node:

Normal operation
Reduced throughput operation
Routine start-up
Routine shutdown
Emergency shutdown
Commissioning
Special operating modes

PROCESS PARAMETERS

Process parameters may generally be classified into the following groups:

Physical parameters related to input medium properties
Physical parameters related to input medium conditions
Physical parameters related to system dynamics
Non-physical tangible parameters related to batch type processes
Parameters related to system operations

These parameters are not necessarily used in conjunction with guide-words:

Instrumentation
Relief
Start-up / shutdown
Maintenance
Safety / contingency
Sampling

REPORT CONTENTS

Summary
1. Introduction
2. System definition and delimitation
3. Documents (on which the analysis is based)
4. Methodology
5. Team members
6. HAZOP results
   Reporting principles
   Classification of recordings
   Main results
Appendix 1: HAZOP work-sheets
Appendix 2: P&IDs (marked)

ADVANTAGES

Systematic examination
Multidisciplinary study
Utilizes operational experience
Covers safety as well as operational aspects
Solutions to the problems identified may be indicated
Considers operational procedures
Covers human errors
Study led by independent person
Results are recorded

WORKSHEET ENTRIES

NODE

A node is a specific location in the process in which (the deviations of) the design/process intent are evaluated. Examples might be: separators, heat exchangers, scrubbers, pumps, compressors, and interconnecting pipes with equipment.

DESIGN INTENT

The design intent is a description of how the process is expected to behave at the node; this is qualitatively described as an activity (e.g., feed, reaction, sedimentation) and/or quantitatively in the process parameters, like temperature, flow rate, pressure, composition, etc.

DEVIATION

A deviation is a way in which the process conditions may depart from their design/process intent.

PARAMETER

The relevant parameter for the condition(s) of the process (e.g., pressure, temperature, composition).

GUIDEWORD

A short word used to prompt the imagination of a deviation from the design/process intent. The most commonly used set of guide-words is: no, more, less, as well as, part of, other than, and reverse. In addition, guidewords like too early, too late, and instead of are used; the latter mainly for batch-like processes. The guidewords are applied, in turn, to all the parameters, in order to identify unexpected and yet credible deviations from the design/process intent.

CAUSE

The reason(s) why the deviation could occur. Several causes may be identified for one deviation. It is often recommended to start with the causes that may result in the worst possible consequence.

CONSEQUENCE

The results of the deviation, in case it occurs. Consequences may comprise both process hazards and operability problems, like plant shut-down or reduced quality of the product. Several consequences may follow from one cause and, in turn, one consequence can have several causes.

SAFEGUARD

Facilities that help to reduce the occurrence frequency of the deviation or to mitigate its consequences. There are, in principle, five types of safeguards, which:

Identify the deviation (e.g., detectors and alarms, and human operator detection, in case of overfilling; these are usually an integrated part of the process control)
Prevent the deviation from occurring (e.g., an inert gas blanket in storages of flammable substances)
Prevent further escalation of the deviation (e.g., by a (total) trip of the activity; these facilities are often interlocked with several units in the process, often controlled by computers)
Relieve the process from the hazardous deviation (e.g., pressure safety valves (PSV) and vent systems)
Compensate for the deviation (e.g., an automatic control system that reduces the feed to a vessel)
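The HAZOP procedure (steps 4 to 10) and the worksheet entries above describe a loop of guideword applied to parameter, then cause, consequence, safeguard and action recorded per deviation. The following added example (not from the course book) shows that loop as a small worksheet helper with two checks a team leader wants before leaving a node: which candidate deviations are still unrecorded, and which recorded deviations have a credible consequence but no safeguard and no action. The guideword set is the one the text lists; the applicability matrix, the node and all entries are constructed.

```python
"""HAZOP worksheet helper: candidate deviations, recorded entries, coverage and gap checks.

Added example, not from the course book. The guideword set is the one the text lists;
the applicability matrix, the node and every worksheet entry below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

GUIDEWORDS = ("no", "more", "less", "as well as", "part of", "other than", "reverse")

# Assumption: which guidewords give a meaningful deviation for each parameter on a
# continuous process line (e.g. "reverse temperature" is not meaningful).
APPLICABLE = {
    "flow": set(GUIDEWORDS),
    "pressure": {"more", "less"},
    "temperature": {"more", "less"},
    "composition": {"as well as", "part of", "other than"},
}

@dataclass
class Entry:
    """One worksheet row: deviation plus causes, consequences, safeguards, actions."""
    parameter: str
    guideword: str
    causes: list[str] = field(default_factory=list)
    consequences: list[str] = field(default_factory=list)
    safeguards: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)

def candidate_deviations(parameters: tuple[str, ...]) -> list[tuple[str, str]]:
    """Procedure steps 4-5: apply every applicable guideword to every parameter."""
    return [(p, g) for p in parameters for g in GUIDEWORDS if g in APPLICABLE.get(p, set())]

@dataclass
class Node:
    """A study node with its design intent and the team's recorded entries."""
    name: str
    design_intent: str
    entries: dict[tuple[str, str], Entry] = field(default_factory=dict)

    def record(self, parameter: str, guideword: str, causes=(), consequences=(),
               safeguards=(), actions=()) -> Entry:
        """Procedure steps 6-9: record causes, consequences, safeguards and actions."""
        if guideword not in APPLICABLE.get(parameter, set()):
            raise ValueError(f"'{guideword} {parameter}' is not a meaningful deviation")
        entry = Entry(parameter, guideword, list(causes), list(consequences),
                      list(safeguards), list(actions))
        self.entries[(parameter, guideword)] = entry
        return entry

    def unrecorded(self, parameters: tuple[str, ...]) -> list[str]:
        """Deviations still to be worked through before moving to the next node."""
        return [f"{g} {p}" for p, g in candidate_deviations(parameters)
                if (p, g) not in self.entries]

    def gaps(self) -> list[str]:
        """Deviations with a credible consequence but neither a safeguard nor an action."""
        return [f"{e.guideword} {e.parameter}" for e in self.entries.values()
                if e.consequences and not e.safeguards and not e.actions]

PARAMETERS = ("flow", "pressure", "temperature", "composition")

# Constructed node and entries for illustration
FEED_LINE = Node("feed line to reactor (constructed)", "deliver 10 m3/h of feed at 4 bar, 40 C")
FEED_LINE.record("flow", "no", causes=["feed pump trips"],
                 consequences=["loss of feed, reactor temperature rises"],
                 safeguards=["low-flow alarm"], actions=["add low-flow trip of heating"])
FEED_LINE.record("flow", "reverse", causes=["pump stops with reactor above supply pressure"],
                 consequences=["reactor contents back into feed tank"],
                 safeguards=["check valve at pump discharge"])
FEED_LINE.record("pressure", "more", causes=["discharge valve closed while pump runs"],
                 consequences=["line overpressure"])  # no safeguard and no action yet

if __name__ == "__main__":
    print("candidate deviations:", len(candidate_deviations(PARAMETERS)))
    print("still to review:", FEED_LINE.unrecorded(PARAMETERS))
    print("unmitigated:", FEED_LINE.gaps())
```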

FAULT TREE ANALYSIS

Fault tree analysis (FTA) is a failure analysis in which an undesired state of a system is analyzed using Boolean logic to combine a series of lower-level events. This analysis method is mainly used in the field of safety engineering to quantitatively determine the probability of a safety hazard.

HISTORY OF FAULT TREE ANALYSIS (FTA)

Fault Tree Analysis (FTA) is another technique for reliability and safety analysis. Bell Telephone Laboratories developed the concept in 1962 for the US Air Force for use with the Minuteman system. It was later adopted and extensively applied by the Boeing Company. Fault tree analysis is one of many symbolic "analytical logic techniques" found in operations research and in system reliability. Other techniques include Reliability Block Diagrams (RBDs).

METHODOLOGY

FTA methodology is described in several industry and government standards, including NRC NUREG-0492 for the nuclear power industry, an aerospace-oriented revision to NUREG-0492 for use by NASA,[11] SAE ARP4761 for civil aerospace, and MIL-HDBK-338 for military systems.[12] IEC standard IEC 61025[13] is intended for cross-industry use and has been adopted as European Norm EN 61025.

Since no system is perfect, dealing with a subsystem fault is a necessity, and any working system will eventually have a fault somewhere. However, the probability of complete or partial success is greater than the probability of complete or partial failure, so assembling a fault tree (which enumerates failures) is not as tedious as assembling a success tree, which can turn out to be very time consuming. Because assembling an FTA can still be costly and cumbersome, the preferred method is to consider subsystems: analyzing smaller systems reduces both the probability of error and the analysis effort, and afterwards the subsystems are integrated to form the well-analyzed complete system.

An undesired effect is taken as the root ('top event') of a tree of logic. There should be only one top event, and all concerns must tree down from it. Then, each situation that could cause that effect is added to the tree as a series of logic expressions. When fault trees are labeled with actual numbers for failure probabilities (which in practice are often unavailable because of the expense of testing), computer programs can calculate failure probabilities from fault trees.

ANALYSIS

Many different approaches can be used to model an FTA, but the most common and popular way can be summarized in a few steps. Remember that a fault tree is used to analyze a single fault event, and that one and only one event can be analyzed in a single fault tree. Even though the fault may vary dramatically, an FTA follows the same procedure for any event, be it a delay of 0.25 msec in the generation of electrical power or the random, unintended launch of an ICBM.

Fault tree analysis diagram

FTA analysis involves five steps:

DEFINE THE UNDESIRED EVENT TO STUDY

The undesired event can be very hard to pin down, although some events are very easy and obvious to observe. An engineer with wide knowledge of the design of the system, or a system analyst with an engineering background, is the best person to help define and number the undesired events. The undesired events are then used to make the FTA, one event per FTA; no two events are combined into one FTA.

OBTAIN AN UNDERSTANDING OF THE SYSTEM

Once the undesired event is selected, all causes with a probability of affecting the undesired event of 0 or more are studied and analyzed. Getting exact numbers for the probabilities leading to the event is usually impossible, because it may be very costly and time consuming to do so. Computer software is used to study probabilities; this may lead to less costly system analysis. System analysts can help with understanding the overall system. System designers have full knowledge of the system, and this knowledge is very important for not missing any cause affecting the undesired event. For the selected event, all causes are then numbered and sequenced in the order of occurrence, and are then used for the next step, which is drawing or constructing the fault tree.

CONSTRUCT THE FAULT TREE

After selecting the undesired event and having analyzed the system so that we know all the causing effects (and, if possible, their probabilities), we can now construct the fault tree. A fault tree is based on AND and OR gates, which define the major characteristics of the fault tree.

EVALUATE THE FAULT TREE

After the fault tree has been assembled for a specific undesired event, it is evaluated and analyzed for any possible improvement; in other words, we study the risk management and find ways for system improvement. This step serves as an introduction to the final step, which is to control the hazards identified. In short, in this step we identify all possible hazards affecting the system in a direct or indirect way.

CONTROL THE HAZARDS IDENTIFIED

This step is very specific and differs largely from one system to another, but the main point will always be that after identifying the hazards, all possible methods are pursued to decrease the probability of occurrence.

WHAT IS A FAULT TREE DIAGRAM (FTD)?

Fault tree diagrams (or negative analytical trees) are logic block diagrams that display the state of a system (top event) in terms of the states of its components (basic events). Like reliability block diagrams (RBDs), fault tree diagrams are also a graphical design technique, and as such provide an alternative methodology to RBDs. An FTD is built top-down and in terms of events rather than blocks. It uses a graphic "model" of the pathways within a system that can lead to a foreseeable, undesirable loss event (or a failure). The pathways interconnect contributory events and conditions using standard logic symbols (AND, OR, etc.). The basic constructs in a fault tree diagram are gates and events, where the events have the same meaning as a block in an RBD and the gates are the conditions.
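The five FTA steps above, and the gates-and-events description of a fault tree diagram, come together once the tree is evaluated: AND and OR gates combine basic-event probabilities into a top-event probability, and the minimal cut sets show which combinations of basic events are sufficient to reach the top event. The following added example (not from the course book) evaluates a small constructed tree both ways, exactly under independence and by the rare-event sum over minimal cut sets. The tree, its event names and all probabilities are constructed for illustration.

```python
"""Fault tree evaluation: top-event probability and minimal cut sets.

Added example, not from the course book. AND gates need every input, OR gates
need any input. Basic events are assumed independent, and the gate-level
formula is exact only when no basic event appears twice in the tree, which
holds for the constructed tree below.
"""
from __future__ import annotations
from dataclasses import dataclass
from itertools import product
from math import prod

@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float  # probability the event is present on demand

@dataclass(frozen=True)
class Gate:
    name: str
    kind: str      # "AND" or "OR"
    inputs: tuple  # BasicEvent or Gate instances

def probability(node) -> float:
    """Exact probability under independence with no repeated basic events."""
    if isinstance(node, BasicEvent):
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":   # all inputs must occur
        return prod(ps)
    if node.kind == "OR":    # at least one input occurs
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")

def cut_sets(node) -> set[frozenset[str]]:
    """Minimal cut sets: smallest event combinations that produce the top event."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":    # any input's cut set is a cut set of the gate
        combined = set().union(*child_sets)
    else:                    # AND: one cut set from each input, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    # keep only minimal sets (drop any set that strictly contains another)
    return {cs for cs in combined if not any(other < cs for other in combined)}

def rare_event_approximation(node) -> float:
    """Sum over minimal cut sets of the product of their event probabilities."""
    probs: dict[str, float] = {}

    def collect(n):
        if isinstance(n, BasicEvent):
            probs[n.name] = n.probability
        else:
            for child in n.inputs:
                collect(child)

    collect(node)
    return sum(prod(probs[name] for name in cs) for cs in cut_sets(node))

# Constructed tree: a vessel ruptures only if an overpressure demand occurs AND
# the relief path fails. Probabilities are illustrative, not from any dataset.
OVERPRESSURE = Gate("overpressure demand", "OR", (
    BasicEvent("control valve fails open", 0.02),
    BasicEvent("operator opens bypass in error", 0.01)))
RELIEF_FAILS = Gate("relief path fails", "OR", (
    BasicEvent("PSV fails to lift", 0.005),
    BasicEvent("vent line blocked", 0.01)))
RUPTURE = Gate("vessel rupture", "AND", (OVERPRESSURE, RELIEF_FAILS))

if __name__ == "__main__":
    print(f"P(rupture) exact      = {probability(RUPTURE):.6g}")
    print(f"P(rupture) rare-event = {rare_event_approximation(RUPTURE):.6g}")
    for cs in sorted(cut_sets(RUPTURE), key=sorted):
        print("minimal cut set:", sorted(cs))
```

The rare-event sum slightly overstates the exact value because it counts overlapping cut sets more than once; the gap grows as basic-event probabilities grow.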

EMERGENCY PLANNING

Major incidents and disruptive challenges requiring urgent action can strike suddenly, unexpectedly and anywhere. Many agencies have a part to play in dealing with these emergencies and their aftermath. Emergency Planning is the process whereby the Council prepares to deal with major emergencies and incidents and assists in the welfare and recovery of the community. The aim of Emergency Planning is to maintain appropriate arrangements and procedures that enable the council to respond to and manage major incidents.

HOW DOES THE COUNCIL PROVIDE EMERGENCY PLANNING?

The Civil Contingencies Act 2004 is the primary legislation that underpins the responses of the Emergency Services and other primary responders, including local authorities like Leicester City Council. The Emergency Planning service coordinates the planning, training, exercising, activation and management of the Council's response to emergencies. The service works in collaboration with the emergency services, adjoining local authorities, voluntary agencies and the many other responders who have a role to play, to ensure there is a coordinated and effective response. Emergency Planning falls into four broad categories:

Planning - The Council is continually assessing the risks posed within Leicester and developing and maintaining plans to ensure that procedures are in place to control and mitigate their impact.
Training and Exercising - The service conducts a program of training and exercises for our staff and partner agencies to make them aware of the need to plan. Training and exercising helps provide an effective response.
Liaison - The service works closely with partner agencies and stakeholders to share information and ensure dovetailing of plans and procedures, thereby providing a coordinated and integrated response to emergency incidents.
Operational - The Council provides a 24-hour, 365-day response to major incidents.

DIFFERENT TYPES OF EMERGENCY PLANNING

Hazardous Materials Response Plans
Oil Spill Response Planning
All Hazard Plans
Emergency Operations Center (EOC) Support
EOC Layout and Design
Emergency Preplans
Crisis Management Planning
Response Training

Review Questions

Five Marks
1. Define JSA.
2. When is a JSA required?
3. How do you create a JSA?
4. Write a short note on HAZOP.
5. Write the types of HAZOP.
6. What are the responsibilities of a HAZOP team member?
7. Draw the flow chart for HAZOP modes of operation.
8. What are worksheet entries?
9. Write a short note on fault tree analysis.
10. Draw the diagram for fault tree analysis.

Fifteen Marks
1. Explain briefly about JSA.
2. Explain the duties of the safety manager after the JSA worksheet is completed.
3. Explain the concept of a HAZOP study.
4. Explain the types of HAZOP in detail.
5. Explain briefly about HAZOP modes of operation.
6. What are worksheet entries? Explain their concepts.
7. Explain the concepts of fault tree analysis.
8. How does the council provide emergency planning?
9. What are the steps involved in fault tree analysis?
10. Explain the different types of emergency planning.

UNIT III
SAFETY INVENTORY SYSTEMS

SAFETY STOCK

Safety stock (also called buffer stock) is a term used by logisticians to describe a level of extra stock that is maintained to mitigate the risk of stock outs (a shortfall in raw material or packaging) due to uncertainties in supply and demand. Adequate safety stock levels permit business operations to proceed according to their plans. Safety stock is held when there is uncertainty in the demand level or lead time for the product; it serves as insurance against stock outs.

Safety stock

With a new product, safety stock can be utilized as a strategic tool until the company can judge how accurate its forecast is after the first few years, especially when used with a material requirements planning worksheet. The less accurate the forecast, the more safety stock is required. With a material requirements planning (MRP) worksheet, a company can judge how much it will need to produce to meet its forecasted sales demand without relying on safety stock. However, a common strategy is to try to reduce the level of safety stock to help keep inventory costs low once the product demand becomes more predictable. This can be extremely important for companies with a smaller financial cushion or those trying to run on lean manufacturing, which aims to eliminate waste throughout the production process.

The amount of safety stock an organization chooses to keep on hand can dramatically affect its business. Too much safety stock can result in high holding costs of inventory. In addition, products which are stored for too long can spoil, expire, or break during the warehousing process. Too little safety stock can result in lost sales and, thus, a higher rate of customer turnover. As a result, finding the right balance between too much and too little safety stock is essential.

REASONS FOR SAFETY STOCK

Safety stocks enable organizations to satisfy customer demand in the event of these possibilities:

Suppliers may deliver their product late or not at all
The warehouse may be on strike
A number of items at the warehouse may be of poor quality and replacements are still on order
A competitor may be sold out of a product, which increases the demand for your products
Random demand (in reality, random events occur)
Machinery breakdown
Unexpected increase in demand

REDUCING SAFETY STOCK

Safety stock is used as a buffer to protect organizations from stock outs caused by inaccurate planning or poor schedule adherence by suppliers. As such, its cost (in both material and management) is often seen as a drain on financial resources, which results in reduction initiatives. In addition, time-sensitive goods such as food, drink, and other perishable items could spoil and go to waste if held as safety stock for too long. Various methods exist to reduce safety stock; these include better use of technology, increased collaboration with suppliers, and more accurate forecasting.[3][4] In a lean supply environment, lead times are reduced, which can help minimize safety stock levels, thus reducing the likelihood and impact of stock outs. Due to the cost of safety stock, many organizations opt for a service-level-led safety stock calculation; for example, a 95% service level could still result in stock outs, but at a level which is satisfactory to the company. The lower the service level, the lower the requirement for safety stock.

An Enterprise Resource Planning system (ERP system) can also help an organization reduce its level of safety stock. Most ERP systems provide a type of Production Planning module. An ERP module such as this can help a company develop highly accurate and dynamic sales forecasts and sales and operations plans. By creating more accurate and dynamic forecasts, a company reduces its chance of producing insufficient inventory for a given period and, thus, should be able to reduce the amount of safety stock it requires. In addition, ERP systems use established formulas to help calculate appropriate levels of safety stock based on the previously developed production plans. While an ERP system aids an organization in estimating a reasonable amount of safety stock, the ERP module must be set up to plan requirements effectively.

INVENTORY POLICY

The size of the safety stock depends on the type of inventory policy in effect. An inventory node is supplied from a "source" which fulfills orders for the considered product after a certain replenishment lead time. In a "periodic review" inventory policy the inventory level is checked periodically (such as once a month) and an order is placed at that time if necessary; in this case the risk period is equal to the time until the next review plus the replenishment lead time. On the other hand, if the inventory policy is a "continuous review" policy (such as an Order Point-Order Quantity policy or an Order Point-Order Up To policy) the inventory level is checked continuously and orders can be placed immediately, so the risk period is just the replenishment lead time. Therefore "continuous review" inventory policies can make do with a smaller safety stock.
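To put numbers on the risk-period argument above and on the service-level point from the previous section, here is an added example (not from the course book) that sizes safety stock for both policies at a chosen service level. It assumes the common z * sigma_d * sqrt(risk period) formula with normally distributed, day-to-day independent demand and a fixed lead time; the demand, lead time and review period figures are constructed.

```python
"""Safety stock under periodic-review versus continuous-review policies.

Added example, not from the course book. Assumptions: daily demand is roughly
normal and independent from day to day, lead time is fixed, and safety stock
is sized with the common formula SS = z * sigma_d * sqrt(risk period), where z
is the standard normal quantile of the target cycle service level.
"""
from math import sqrt
from statistics import NormalDist

def risk_period_days(policy: str, lead_time_days: float, review_period_days: float = 0.0) -> float:
    """Days of demand the safety stock must cover, as the text defines it per policy."""
    if policy == "continuous":   # order immediately; exposed only during lead time
        return lead_time_days
    if policy == "periodic":     # wait for the next review, then wait for delivery
        return review_period_days + lead_time_days
    raise ValueError(f"unknown policy {policy!r}")

def safety_stock(policy: str, service_level: float, demand_sd_per_day: float,
                 lead_time_days: float, review_period_days: float = 0.0) -> float:
    """Units of safety stock for the given cycle service level (e.g. 0.95)."""
    if not 0.5 <= service_level < 1.0:
        raise ValueError("service level must be in [0.5, 1.0)")
    z = NormalDist().inv_cdf(service_level)   # e.g. 1.645 for 95%
    return z * demand_sd_per_day * sqrt(risk_period_days(policy, lead_time_days, review_period_days))

def reorder_point(mean_demand_per_day: float, lead_time_days: float, stock: float) -> float:
    """Order point for a continuous-review policy: expected lead-time demand plus safety stock."""
    return mean_demand_per_day * lead_time_days + stock

# Constructed figures for illustration
MEAN_DEMAND = 100.0   # units per day
DEMAND_SD = 20.0      # units per day
LEAD_TIME = 5         # days
REVIEW_PERIOD = 25    # days, periodic policy only

if __name__ == "__main__":
    for level in (0.90, 0.95, 0.99):
        cont = safety_stock("continuous", level, DEMAND_SD, LEAD_TIME)
        peri = safety_stock("periodic", level, DEMAND_SD, LEAD_TIME, REVIEW_PERIOD)
        print(f"service level {level:.0%}: continuous {cont:6.1f}  periodic {peri:6.1f}  "
              f"reorder point (continuous) {reorder_point(MEAN_DEMAND, LEAD_TIME, cont):.1f}")
```

With these figures the periodic policy needs roughly 2.4 times the safety stock of the continuous one at the same service level, purely because its risk period is 30 days instead of 5.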

SAFETY SURVEY

Safety Survey - a systematic review, to recommend improvements where needed, to provide assurance of the safety of current activities, and to confirm conformance with applicable parts of the safety management system. (ESARR 3)

Safety Survey

OBJECTIVE OF SAFETY SURVEY

To provide a flexible and cost-effective method to identify areas for safety improvement within the aviation service provider organization.

REGULATORY PROVISIONS

Although there is no explicit ICAO recommendation to aviation service provider organizations to schedule and conduct safety surveys, these are considered best practice. ICAO Doc 9859 Safety Management Manual states that organizations pursuing a proactive strategy for safety management should actively seek systemic unsafe conditions, using safety surveys to elicit feedback from front-line personnel about areas of dissatisfaction and unsatisfactory conditions that may have accident potential. The provisions in Commission Regulation 2096 establishing common requirements for the provision of air navigation services and in ESARR 3 mandate air traffic service providers to carry out safety surveys within the scope of their safety assurance activities. Safety surveys shall be carried out as a matter of routine.

DESCRIPTION OF SAFETY SURVEY

Surveys are complementary to incident investigation, since they examine systems under normal conditions to identify weaknesses that have not yet been seen to contribute directly or indirectly to a safety occurrence. The role of a safety survey is also quite similar to that of quality audits in quality management systems. Both activities are conducted to check compliance with standards (or targets) and procedures, detect problems and facilitate the identification of solutions and improvements. Safety surveys are generally a cost-effective, easy-to-administer and flexible method for identifying hazards by sampling workforce opinion within an organization. Surveys are used as a safety monitoring tool to assess whether an existing situation or organizational aspect is satisfactory. Surveys may also be used to review particular areas of safety concern where hazards are suspected; therefore they can be an important part of the hazard identification process within the SMS. In all cases, the principles and procedur

