Within the shadows of every high hazard site lurks a multitude of process safety threats which have the potential to result in catastrophic incidents.

Industry, safety trainers and the regulator must pull these threats from the shadows, wrapping them tightly in layers of protection.

So what are layers of protection? Well, layers of protection encircle robust process safety management systems. These factors include:

• Design and engineering
• Effective emergency response
• Good maintenance
• Clear procedures
• Well trained and competent workforce
• Commitment from all

In the event that one of these layers of protection fails under the weight of a threat, the next layer of protection stands tall to stop the threat in its track. Should all layers fail, the outcome could be a disaster on the scale of Buncefield or, more recently, West Texas.

Breaking down layers of protection

Prevention

The design and development of Basic Process Control Systems (BPCS) is crucial to the safety of high hazard sites. We must ensure operational personnel, procedures and engineering hum in a rhythmic harmony that The Royal Philharmonic Orchestra would be proud of.

Controlling Escalation

Controlling Escalation centres on the safe recovery or close down of a process in the event that it starts to operate outside of key parameters (its safe operating envelope). This can be achieved through two key areas:

1. Operator intervention could come from warning systems, level indicators or alarms but, in most cases, usually requires direct operator intervention to bring a system back under control i.e. the operator hears an alarm and stops the vessel discharging.
2. Independent Emergency Shutdown is provided through a Safety Instrumented System (SIS) which is independent of the main process control system – i.e an independent high level alarm linked to a Remotely Operated Shut Off Valve.

Mitigation

Mitigation focuses on reducing the impact of the event and covers three key areas:

1. Active Protection deals with any part of the system that will exert influence or change on the event. Relief valves or rupture discs, for example, could provide a relief point to prevent catastrophic tank failure through over pressure.
2. Passive Protection can be seen as containment within the site boundary such as impermeable bunds, dikes, drainage and interceptors.
3. Emergency Response minimises ongoing damage should an event occur. It includes initial response, roles, responsibilities, offsite response and emergency services. The response should be prioritised on the principle of PEAR.

Review of Layers of Protection

There are many different layers of protection we can harness to prevent or mitigate the fallout of large-scale incidents.

What happens when the layers of protection fail?

In this incident, a systematic toppling of each layer of protection led to a tank overfill.

 

Why did the layers of protection fall short?

As each layer peels away it increases the risk of an incident until eventually hazard realisation occurs and safety is breached. In this case the:

• Product receipt plan was not completed and communicated
• Tank flow was not verified
• Tank rise was not monitored effectively
• Alarms did not work
• No automatic shutdown

Related reading:

• UK press “mocks” health and safety says HSE chair
• HSE chair puts leadership at the heart of process safety
• 5 things employers should know about oil and gas workers
• Free personal protective equipment training for your site
• The art of industrial safety: personal protective equipment