Across many types of safety assessment activities, we are invited to consider how a hazard scenario would play out in the absence of controls. The Consequence column of a HAZOP, for example, should record this. The consequence shown on the far right of a bowtie is also the outcome that might occur with all controls having failed. It’s important to identify these consequences without their controls, to fully understand the role that those controls play: The reason this shutdown trip is important is that without it, such-and-such could happen.
Sometimes, this mental deletion of controls is easy. An ‘active control’ that lies in wait, with no function to serve until it is called upon, and that then ‘does’ something obvious when it is needed – that’s unambiguously a control measure, and mentally separable from the rest of the system. A relief valve, for example, is obviously a control measure: most of the time it just sits there with no job to do, but it makes a clear change from closed to open on demand.
At other times, it can be harder to separate a ‘passive control’ from something that just is. For a tank overfill, should we say the consequence is a spill to the tank bund? Or do we say it’s a spill to ground – but don’t worry, we have a bund as a control? The line between ‘control measure’ and ‘just part of how it is’ gets even hazier with immutable features that were decided all the way back at the design stage. Is ‘steel piping system’ a control? (Should we really be patting ourselves on the back for not building it out of wet cardboard?)
There’s a downside to misjudging this cutoff point, in both directions:
If we treat something as a mere plant feature, not a control measure, it may not be on our radar to maintain it effectively. It may fall into disrepair and be unavailable when we need it most.
On the other hand, if we call it a control when it’s really only ‘part of the furniture’, we may fool ourselves into thinking the situation is more heavily protected than it is. You may have seen bowties swarming with so-called controls like ‘separation distance’. At a glance, these scenarios look thoroughly protected. There’s no way a hazard could ‘Swiss cheese’ its way through these twenty barriers, right? But look closer, and you might find that only one or two are doing all the heavy lifting.
So where do we draw the line? Here are a few tests to apply, to decide whether some feature in question is really a control – whether it should be set aside, when describing a consequence, or whether we’re better to factor it into the inherent reality of that consequence:
Can it single-handedly stop (or substantially mitigate) the chain of events?
If the consequence isn’t averted, even when the item in question fulfils its design intent, then it may just be a sub-component of a control, or a means of maintaining the actual control.
Does it ‘do’ something on demand?
If something undergoes a noticeable change of state or behaviour between ‘normal’ and ‘intervening’, there’s a good chance it’s a control. Instruments go from healthy to tripped, relief valves go from closed to open, operators go from their normal duties to launching a response, and so on. Not every control behaves this way, but when a feature does, it is most likely a control.
Can we imagine the alternative?
If there really wasn’t any choice but for the system to be the way it is, it may be more straightforward to treat that as the intrinsic state of play. It’s just not very useful, for example, to treat primary containment as a control measure. What else were we going to do, just leave the stuff sloshing on the ground?! Trying to imagine the consequence that would have happened, in this farfetched alternative, is more confusing than helpful.
Can it become degraded?
This is the key practical consideration to separate a control, in the present day, from a fortunate circumstance or a decision made once upon a time. All controls can fail if we turn our back for long enough. So as a rule of thumb: if it cannot go away, it’s not a control. For example, it may be fortuitous that two tanks are separated some distance apart – a canny piece of foresight by the designer! But we will never come back tomorrow and find that those tanks have crept up on each other. Likewise, it may have been prescient to specify stainless steel piping, but we don’t need to monitor the metallurgy in case it now decides to turn into carbon steel. In cases like these, the Safety Management System can offer supporting administrative controls (asset integrity management, change control, and so on), but the original design decision is not the control.
Are we double-counting?
If we choose to describe the consequence in terms that already account for inherent design features, we cannot also credit those features as controls. If the designer chose to set the piping design pressure higher than what the pump can deliver, then we might describe the consequence of deadheading as ‘pump damage’ but not ‘over-pressure and rupture’. However, we cannot then also take a relief valve set at that design pressure, and credit it as a control against pump damage – that’s already baked in.
In the end, identifying control measures is only a worthwhile activity if it leads us to take practical steps to maintain those controls. And separating controls from consequences is only a worthwhile activity to the extent that it helps us realise how important that maintenance is. How we choose to frame the hazardous scenarios on paper, therefore, should always be structured to uphold the ultimate goal of focusing our actions in the real world.
Want to sharpen your team’s ability to identify real controls in your HAZOPs and Bowties?
Explore our PROCESS SAFETY TRAINING COURSES or GET IN TOUCH to schedule an in-house session. We're here to help.