This book explains the decision-making processes for the management of instrumented protective systems (IPS) throughout a project's life cycle. It uses the new IEC 61511 standard as a basis for the work processes used to achieve safe and reliable process operation. By walking the reader through a project's life cycle, engineering, maintenance, and operations, the information allows users to easily focus on their responsibilities and duties. Using this approach, the book is useful as a primer, guidelines reference, and resource manual. Examples are used to provide "real-world" application experience.
Page count: 629
Year of publication: 2011
Contents
Cover
Half Title page
Title page
Copyright page
Acknowledgements
Preface
List of Figures
List of Tables
Chapter 1: Introduction
1.1 Purpose
1.2 Target Audience
1.3 Book Road Map
1.4 Management Commitment
Chapter 2: Planning
2.1 Protective Management System Lifecycle
2.2 Why It Makes Good Business Sense
2.3 Documentation
2.4 Good Engineering Practices
2.5 Key Management System Elements
2.6 Special Topics
Chapter 3: Risk Assessment
3.1 Intended Audience
3.2 Input Information
3.3 Basic Work Process
3.4 Output Documentation
3.5 Key Management System Elements
3.6 Special Topics
Chapter 4: Design
4.1 Intended Audience
4.2 Input Information
4.3 Basic Work Process
4.4 Output Documentation
4.5 Process Requirements
4.6 I&E Requirements
4.7 Functional Assessment
4.8 Key Management System Elements
4.9 Special Topics
Chapter 5: Engineering, Installation, Commissioning and Validation
5.1 Intended Audience
5.2 Input Information
5.3 Basic Work Process
5.4 Output Documentation
5.5 Hardware
5.6 Software
5.7 Factory Acceptance Test
5.8 Installation Plans
5.9 Commissioning Plans
5.10 Verify Operator and External Interfaces
5.11 Validation
5.12 Management of Change
Chapter 6: Operational and Mechanical Integrity
6.1 Intended Audience
6.2 Input Information
6.3 Basic Work Process
6.4 Output Documentation
6.5 Operating Procedures
6.6 Bypass Management Procedure
6.7 Maintenance Procedures
6.8 Training
6.9 Managing Changes
6.10 Monitoring Performance
Chapter 7: Continuous Improvement
7.1 Intended Audience
7.2 Input Information
7.3 Basic Work Process
7.4 Output Documentation
7.5 Determining Path Forward
A: Definitions
B: Protection Layers
B.1 Inherently Safer Design
B.2 Control
B.3 Supervisory
B.4 Preventive
B.5 Mitigative
B.6 Barriers
B.7 Limitation
B.8 Response
C: Core Attributes
C.1 Independence
C.2 Functionality
C.3 Integrity
C.4 Reliability
C.5 Auditability
C.6 Access Security
C.7 Management of Change
D: Understanding Failure
D.1 Caution-It’s A Benchmark
D.2 A “Bathtub” Viewpoint
D.3 Failure Types
D.4 Failure Classification
D.5 IPF Performance Metrics
D.6 Spurious Trip Rate
D.7 Example Application
E: Process Equipment Reliability Database
F: User Approved Equipment and Practices
F.1 User Approved
F.2 Evolution of Plant Automation
F.3 Logic Solver Considerations
F.4 Field Device Considerations
F.5 Utilities
F.6 Wiring Practices
F.7 Communications and Interconnectivity
F.8 Prescriptive Designs
G: References
H: Acronyms and Abbreviations
I: Index
Guidelines For Safe And Reliable Instrumented Protective Systems
This book is one in a series of process safety guideline and concept books published by the Center for Chemical Process Safety (CCPS). Please go to www.wiley.com/go/ccps to see the full list of titles.
Copyright © 2007 by American Institute of Chemical Engineers. All rights reserved.
A Joint Publication of the Center for Chemical Process Safety of the American Institute of Chemical Engineers and John Wiley & Sons, Inc.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty. While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic format. For information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data is available.
ISBN 978-0-471-97940-1
It is sincerely hoped that the information presented in this document will lead to an even more impressive safety record for the entire industry; however, neither the American Institute of Chemical Engineers, its consultants, CCPS Technical Steering Committee and Subcommittee members, their employers, their employers’ officers and directors, nor SIS-Tech Solutions LP and its employees warrant or represent, expressly or by implication, the correctness or accuracy of the content of the information presented in this document. As between (1) American Institute of Chemical Engineers, its consultants, CCPS Technical Steering Committee and Subcommittee members, their employers, their employers’ officers and directors, and SIS-Tech Solutions LP and its employees, and (2) the user of this document, the user accepts any legal liability or responsibility whatsoever for the consequence of its use or misuse.
ACKNOWLEDGEMENTS
The American Institute of Chemical Engineers (AIChE) wishes to thank the Center for Chemical Process Safety (CCPS) and those involved in its operation, including its many sponsors whose funding made this project possible and the members of the Technical Steering Committee who conceived of and supported this Guidelines project. The members of the Guidelines for Safe and Reliable Instrumented Protective Systems Subcommittee deserve special recognition for their dedication and technical contributions leading to the creation of this useful addition to the CCPS process safety Guidelines series.
The members of the Subcommittee were:
Dave A. Deibert (Chair) - Air Products and Chemicals, Inc.
Arthur J. Schwartz - Bayer (retired)
A. Doug Cates - Celanese
Bob Roubion - Degussa
Gregory Schultz - The Dow Chemical Company
Helmut Bezecny - The Dow Chemical Company
Richard R. Dunn - Dupont
Jan Windhorst - NOVA Chemicals, Inc.
Dallas L. Green - Rohm and Haas Company
Randy Freeman - Safety & Property Protection Consulting
Adrian L. Sepeda was the CCPS staff liaison and was responsible for overall project administration. Adrian also wrote the book preface.
The task of preparing the text from Subcommittee input was entrusted to Dr. Angela Summers, President, SIS-TECH Solutions LP, and principal book author. She and selected members of her capable staff organized and drafted the concepts and emphasis areas requested. Dr. Michela Gentile and Susan Wiley assisted with book drafting and review. Laurie Mayes-Fisher was responsible for typesetting and graphic design.
A special thanks and appreciation to Ken Bond, Shell (retired), Bernard Michaux, Total (retired), and Vic Maggioli, IEC 61511 Chairman, for input and counsel during the drafting of the book.
CCPS also gratefully acknowledges and thanks those who peer reviewed the draft and offered meaningful comments and suggestions. These peer reviewers were:
Hal Thomas - Air Products and Chemicals, Inc.
Robert Zittleman - Degussa
Vern Darling - The Dow Chemical Company
Richard Stougie - The Dow Chemical Company
Wayne Chastain - Eastman Chemicals
Robert Blanco - Fibertel
William Olsen - Merck & Company, Inc.
Tony Thompson - Monsanto
Brian Smith - Nova Chemicals
Lisa Morrison - PPG Industries, Inc.
Art Dowell - Rohm & Haas Company
John Alderman - RRS Engineering
Bryan Zachary - SIS-TECH Solutions, LP
Kevin Klein - Solutia
Their insights, comments, and suggestions helped ensure a balanced perspective for the Guideline.
Lastly, we wish to express our special appreciation for the guidance, counsel, and contributions of Dr. Arthur Schwartz, committee member, who passed away before the book was published. Art was a scholar and a gentleman.
PREFACE
The American Institute of Chemical Engineers (AIChE) has a more than 50 year history of involvement with process safety as it relates to chemical processing facilities. Through its strong ties with process designers, builders, operators, safety professionals and academia, AIChE has enhanced communication and fostered improvement in the already high safety standards of the industry. AIChE publications and symposia have become a recognized valuable information resource for the engineering profession on the causes of accidents and means of prevention.
The Center for Chemical Process Safety (CCPS), an Industry Technology Alliance of AIChE, was established in 1985 to develop and disseminate technical information for use in the prevention of major chemical accidents. CCPS is supported by a diverse group of industrial sponsors in the chemical industry and related industries who provide the necessary funding and professional guidance for its projects. The CCPS Technical Steering Committee and the technical subcommittees oversee individual projects selected by CCPS. Professional representatives of the sponsoring companies staff the subcommittees, with a member of the CCPS staff coordinating subcommittee activities.
Since its founding, CCPS has published many volumes in its “Guidelines” series and in its smaller “Concept” series texts. These CCPS books address not only scientific techniques, practices and issues faced by engineers in plant design, operations and maintenance, they also cover the broader subject of chemical process safety management. Successful process safety programs and management systems are the products of committed and active participation of personnel at all levels who apply a systematic approach to process safety as an integral part of operations management.
This Guideline explains the decision-making processes for the management of instrumented protective systems (IPS) throughout a project’s life cycle. It uses IEC and ISA standards as a basis for the work processes used to achieve safe and reliable process operation. It establishes a framework for a protective management system that can be used to design and manage those specific instrumented systems. By walking the reader through a project’s life cycle, engineering, maintenance, and operations disciplines can easily focus on their responsibilities and duties. Using this approach, the book is useful as a primer, guidelines reference and resource manual. Examples are used to provide “real-world” experience applications. This book is a companion publication to the earlier published CCPS book, “Guidelines for Safe Automation of Chemical Processes.”
CCPS hopes that the guidance and examples provided herein will aid in promoting safer and more reliable IPSs.
LIST OF FIGURES
Figure 2.1. Planning Phase.
Figure 2.2. System Relying on Personnel Training and Experience. (adapted from Reason 1997)
Figure 2.3. System Relying on Procedures and Practices. (adapted from Reason 1997)
Figure 2.4. System Relying on Establishing and Monitoring Core Attributes. (adapted from Reason 1997)
Figure 2.5. ISA 84.01/IEC 61511 Lifecycle.
Figure 2.6. Lifecycle Illustrating Functional Assessment Stages.
Figure 2.7. Example Instrumented Safety System Classification.
Figure 3.1. Risk Assessment Phase.
Figure 3.2. Protection Layers.
Figure 3.3. Risk Reduction Triangle.
Figure 3.4. Hazard and Risk Analysis Work Process.
Figure 3.5. Using IPLs to Close Risk Gap.
Figure 3.6. Risk Assessment Process.
Figure 3.7. Example Showing Risk Matrices Using Qualitative (A), Semi-Quantitative Frequency (B), and Semi-Quantitative Frequency and Severity (C).
Figure 3.8. Example Risk Screening Process.
Figure 3.9. Initiating Cause Challenging Four IPLs.
Figure 3.10. Initiating Cause Challenging Four IPLs With Vulnerabilities.
Figure 3.11. Control Function Fails Leading to Challenge on IPLs.
Figure 3.12. Initiating Cause Due to Failure Within BPCS.
Figure 3.13. Initiating Cause Leads to Hazardous Event due to Multiple IPL Failure.
Figure 4.1. Design Phase.
Figure 4.2. Overall Work Process.
Figure 4.3. Process Requirements Work Process.
Figure 4.4. Process Condition Changes With Time.
Figure 4.5. I&E Requirements Work Process.
Figure 4.6. Separate and Independent Protection Layers.
Figure 4.7. Supervisory Function Implemented in BPCS with Separate SIS.
Figure 4.8. Separate BPCS with Combined Supervisory Function and SIF.
Figure 4.9. Combined Control Function, Supervisory Function and SIF.
Figure 4.10. BPCS with Control and Supervisory Functions and SIS with PIF and SIF.
Figure 4.11. BPCS with Control and Supervisory Functions and Separate SIS and PIS.
Figure 4.12. Scope of IPS.
Figure 4.13. Impact of MTTFD on the PFDAVG of Equipment Assuming the Simplified Equation, λDTI/2.
Figure 4.14. Common Voting Architectures.
Figure 4.15. Effect of Architecture on the PFDAVG for Proof Test Intervals Between 1 and 7 Years.
Figure 4.16. 2003 Dual Voting Architecture.
Figure 4.17. 2003 Voting Architecture With Single Failure in the Normal Range.
Figure 4.18. 2003 Voting Architecture With Single Failure Toward the Trip State.
Figure 4.19. Voting Considerations. (adapted from Englund and Grinwis 1992)
Figure 4.20. Effect of Diagnostic Coverage on the PFDAVG.
Figure 4.21. Effect of Test Interval on Average Probability of Failure on Demand.
Figure 4.22. Illustration of Control Room Display. (Nimmo 2006)
Figure 5.1. Engineering, Installation, Commissioning, and Validation Phase.
Figure 5.2. Relative Cost of Making Design Changes.
Figure 5.3. Engineering, Installation, Commissioning and Validation Work Process.
Figure 5.4. Response Time.
Figure 5.5. Commissioning Activities.
Figure 6.1. Operational and Mechanical Integrity Phase.
Figure 6.2. Operational and Mechanical Integrity Work Process. (adapted from IEC 61511)
Figure 7.1. Iceberg Illustrating the Direct and Indirect Costs of Injuries.
Figure 7.2. Protective Triangle.
Figure 7.3. Continuous Improvement Phase.
Figure 7.4. Overview Illustrating the Complexity of the Decision Making Process. (adapted from Reason 1990)
Figure 7.5. Lifecycle Illustrating Information Collected at Each Phase.
Figure B.1. Protection Layers.
Figure B.2. Ability to Cost Effectively Influence Inherent Risks.
Figure B.3. Control Function and Supervisory Function Implemented in the BPCS.
Figure C.1. PIS and BPCS are Separate and Independent.
Figure C.2. PIS and BPCS are not Independent or Separate.
Figure C.3. Cyber-security risks. (Nelson 2006)
Figure D.1. Overall Bathtub Curve (A) and Components of the Bathtub Curve (B).
Figure D.2. Hypothetical Device’s Random Failure Rate is Constant (A), However Other Non-Random Failure Sources Affect the Observed Failure Rate of the Device (B).
Figure D.3. Taxonomy of Common Cause Factors (CCF) and Methods for Their Analysis. (see Table D.1)
Figure D.4. Components of the Total Random Failure Rate.
Figure D.5. States of a Device.
Figure D.6. Typical Saw Tooth Shape for the PFD(t).
Figure D.7. Effect of Partial Testing on PFD(t).
Figure D.8. Example Architecture Illustrating an Independent Control System and Protective Instrumented System (PIS).
Figure E.1. PERD Process.
Figure F.1. Example SIL 1 SIS.
Figure F.2. Example High Reliability SIL 1 SIS.
Figure F.3. Example SIL 2 SIS.
Figure F.4. Example High Reliability SIL 2 SIS.
Figure F.5. Example SIL 3 SIS.
Figure F.6. Example High Reliability SIL 3 SIS.
LIST OF TABLES
Table 1.1. Target Audience and Essential Knowledge.
Table 1.2. Road Map by Target Audience.
Table 2.1. Objectives, Inputs and Outputs by Lifecycle Phase.
Table 3.1. Examples of Quantitative Targets.
Table 3.2. Hazard Analysis Methods.
Table 3.3. Risk Analysis Methods.
Table 3.4. Example of Frequency (or Likelihood) Rankings.
Table 4.1. Example Ranges of MTTFD and MTTFSP for Field Equipment. (SIL Solver 2006)
Table 4.2. Example Ranges of MTTFD and MTTFSP for Logic Solvers. (SIL Solver 2006)
Table 4.3. Voting Considerations.
Table 5.1. Example Operating Environment Conditions.
Table 6.1. Categories of Human Error. (Mostia 2003)
Table B.1. Examples of Operator or Supervisory Activity RRF.
Table B.2. Examples of Operator Response to Alarm RRF. (adapted from ISA TR84.00.04-2005 Appendix B)
Table B.3. Integrity Level Relationships.
Table B.4. Examples of Mechanical Mitigation Device RRF.
Table B.5. Examples of Limitation System RRF.
Table D.1. Methods Used to Address the Different Types of Common Cause Failures. (see Figure D.3)
Table D.2. Example Failures, Modes and Effects for an Electronic Pressure Transmitter.
Table D.3. Failure Rate Data Used in the Examples.
Table D.4. Hazard Rate Results for Figure D.8 Architecture.
Table D.5. PFDAVG Results for Figure D.8 Architecture.
Table D.6. STR Results for Figure D.8 Architecture.
CHAPTER 1
INTRODUCTION
Instrumented Protective Systems (IPS) implement protective functions that detect abnormal or unacceptable operating conditions and take action on the process to achieve or maintain a safe state. IPSs are used to reduce the process risk associated with health and safety effects, environmental impacts, loss of property and business interruption costs.
Safe operation cannot be achieved in isolation. The risk reduction strategy must also consider the owner/operator’s business needs. Personnel are expected to operate process units to achieve target production rates, product quality, and cost performance. Balancing safety and production goals can be challenging when the IPS design and management does not adequately address the operational needs. The following can add significantly to this challenge:
- High initiating cause frequency results in frequent loss of control and process shutdown,
- High frequency of spurious IPS operation leads to:
  - Lack of trust in the IPS (leading cause of improper bypassing),
  - Frequent process equipment shutdown with subsequent process unit impact,
  - Frequent process unit start-up which may have significant inherent risk,
- High frequency of IPS equipment failure results in high operating and maintenance costs,
- Ignoring functionality requirements leads to an IPS design which does not adequately support the various process operating modes and potentially causes excessive IPS equipment bypassing, alarms, and shutdowns, and
- Ignoring maintainability requirements leads to inadequate maintenance resources and facilities and potentially failure of the mechanical integrity program.
It is well understood that plant productivity and operability improve when quality control processes are applied to process equipment operation. Given the potential problems associated with IPS implementation, it simply makes sense to apply the same quality control processes across the IPS lifecycle.
Quality control processes rely on the use of appropriate metrics to verify compliance with the work process expectations. For IPS design and management, these metrics are associated with core attributes that are considered essential for an instrumented safeguard to be classified as an IPS. Seven core attributes should be achieved by the IPS design and supported by appropriate management practices:
1. Independence,
2. Functionality,
3. Integrity,
4. Reliability,
5. Auditability,
6. Access security, and
7. Management of change.
These core attributes are periodically assessed to determine the degree to which they are being maintained and improved. Quality control processes, such as verification, assessment, auditing, and validation, are necessary to ensure the required attributes are achieved throughout the IPS life. The level of rigor employed in the quality control limits the performance which can be reasonably achieved by the IPS.
IPS implementation and continuous improvement involve the effort of many stakeholders, e.g., management, process safety, process, instrumentation and electrical, operations, maintenance, and manufacturers. Projects are often iterative processes requiring careful consideration of each discipline’s needs and the core attributes.
This guidelines book intends to:
- Clarify the essential role of the various personnel responsible for IPSs,
- Establish a protective management system framework for IPS design and management,
- Provide the work processes to be followed for IPS development from risk assessment through its implementation and transfer to operations,
- Discuss essential on-going, day-to-day activities necessary to maintain the core attributes, and
- Challenge owner/operators to continuously evaluate opportunities for improvement.
1.1 PURPOSE
The process industry has made great strides toward improving process unit performance and safe operation. It has made and continues to make significant investment to address process risk using a variety of approaches aimed at identifying and controlling risk. These approaches often must fit within a regulatory framework, which relies on the use of recognized and generally accepted good engineering practices to define the minimum requirements.
Many governments (e.g., the United States of America, the European Union, the United Kingdom, Germany, The Netherlands, Korea, Taiwan, and Brazil) have regulations concerning the prevention of releases of hazardous chemicals that pose serious injury or life threatening consequences. Although each government uses unique terminology to describe such events, the concept of process safety management is well known throughout the world. It is widely supported even by governments that do not have specific regulations mandating its implementation. Most require, at a minimum, that an owner/operator demonstrate compliance with the good engineering practices applicable to the manufacturing process and its associated hazards.
The application of control and shutdown equipment to manage hazardous events was first discussed in Guidelines for Safe Automation of Chemical Processes (CCPS/AIChE 1993, referred to as Safe Automation). In particular, Safe Automation provided information for the design and implementation of the Basic Process Control System (BPCS) and the SIS. It established for the process industry many of the fundamental concepts used today, such as independent protection layer (IPL), safety integrity level (SIL), separation and diversity of the BPCS and SIS, access security, and fault tolerance.
Safe Automation was later referenced by the Instrumentation, Systems and Automation (ISA) society standard, ANSI/ISA 84.01-1996, Application of Safety Instrumented Systems (SIS) for the Process Industry. This standard provided good engineering practices for the SIS lifecycle, starting with the design phase and continuing through decommissioning.
The globalization of the process industry resulted in demand for international practices. Numerous good engineering practices, previously considered national or regional, are being modified, updated, harmonized, and issued as international practices. One such standard is IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, which expanded the requirements of ANSI/ISA 84.01-1996.
IEC 61511 is the first sector standard issued using the lifecycle framework established by IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems and covers the complete SIS lifecycle for the process sector. It was developed and is maintained by the International Electrotechnical Commission (IEC) with volunteer support from organizations worldwide, including ISA and CCPS/AIChE.
IEC 61511 was accepted in 2004 by the European Committee for Electrotechnical Standardization (CENELEC) as EN IEC 61511 and by the American National Standards Institute (ANSI) as ANSI/ISA 84.00.01-2004 Parts 1–3. In 2005, ISA published Guidelines on the Implementation of ANSI/ISA 84.00.01-2004 to provide guidance to owners/operators concerning the application of the SIS standard to new and existing equipment. To recognize the contribution of both ISA and IEC to the documentation of good engineering practices for SIS, this book refers to the standard as ISA 84.01/IEC 61511.
ISA 84.01/IEC 61511 uses the SIL concept to benchmark the integrity of the instrumentation and controls used to achieve the required performance from the SIS. The required SIL is defined during a risk assessment process, which examines the process risk and identifies IPLs. ISA 84.01/IEC 61511 requires that the SIL be quantitatively verified using estimates of the random hardware failure rate of the SIS components in the intended operating environment.
Since ISA 84.01/IEC 61511 is an instrumentation and controls standard, it places a great deal of emphasis on the functionality and integrity of the hardware. The assignment and verification of SIL establishes a robust relationship between hardware design and risk reduction. It also provides justification for separation, fault tolerance, and proof test intervals. However, the SIS’s capability to achieve or maintain a safe state is dependent on more than the sum of its hardware components.
Integrity and functionality are essential performance attributes, but excess attention on these can result in a loss of focus on other core attributes. While weak links in the hardware design may be identified during a numerical analysis of the SIS equipment, the ability of the installed SIS to achieve the SIL is generally limited by human performance against practices and procedures. Independence, reliability, auditability, access security, and management of change must receive as much, if not more, attention to detail.
The core attributes support the SIS throughout its life by ensuring appropriate focus on minimizing the potential impact of human error on the SIS performance. The absence of a rigorous management system can lead to discrepancies between the desired functionality and integrity and what is achievable in actual operation.
As process units become increasingly automated, integrated and complex, the deliberate and intentional act of implementing IPLs becomes more important. SISs are only one IPL of many that can be used to achieve and maintain safe operation. Other IPLs, such as relief devices and protective alarms, may be identified and should be managed appropriately. The management system ensures that protective equipment is designed, inspected, maintained, tested, and operated in a safe manner. Many incidents in the process industry have been caused by poor management systems that allowed systematic errors to erode safe operation to the point of catastrophic release.
This book uses the seven core attributes, namely, independence, functionality, integrity, reliability, auditability, access security, and management of change, to define the required performance for the human and equipment systems necessary for safe operation. Following in the footsteps of Safe Automation, this book is intended for use by people who are familiar with the manufacture and use of chemicals. It expands the work processes to cover the major activities executed by the various disciplines supporting the SIS lifecycle.
With such an encompassing scope, no single book can possibly cover all of the detailed tasks required for safe and reliable operation. Instead, this book concentrates on the overall work processes, task intent, input information, considerations, and output deliverables. When necessary, the book provides references to other technical publications for greater detail and guidance on specific topics.
1.2 TARGET AUDIENCE
A performance-based management system relies on metrics to support prudent business decisions. Performance-based systems only work in a safety culture nurtured and directed by top management. Sustainable performance requires long-term vision, consistent focus and attention, and financial commitment from senior management. Consensus and participation of personnel are necessary to support the operational and strategic objectives, as well as foster a safe working environment.
The target users of this book are the various disciplines responsible for safe and reliable operation in the process industry. At any given facility, these disciplines may be represented by individuals, departments, or organizations. At some facilities, one person may be responsible for the activities listed for multiple disciplines. The site management system should specify the individuals, departments, or organizations responsible for work activities.
Table 1.1 provides the essential knowledge to be gained by reading this book for seven disciplines. Chapters 3 through 7 include a target audience section that identifies the essential tasks to be discussed for each discipline:
Table 1.1 Target Audience and Essential Knowledge.
Target Audience: Will Gain Essential Knowledge On
Everyone: Role and responsibility; risk criteria and effect on IPS requirements; core attributes of IPLs and IPSs; effect of IPS classification on design and management
Management: Management system and its fundamental features; activities, training, tasks, and systems required to support IPSs; communication of risk criteria and expectations
Process Safety: Activities, training, tasks, and systems required to support IPSs; risk criteria and effect on hazard and risk analysis and IPL requirements
Process: Protective requirements specification; how functionality, operability, maintainability, and reliability affect design and operating basis; content of I&E requirements specification
Instrumentation and Electrical: Content of process requirements specification; I&E requirements specification; user approval of equipment; how equipment selection, subsystem architecture, diagnostic capability, and proof test interval affect the integrity and reliability
Operations: Administrative procedures (access security, management of change, bypass management, and event reporting); operating procedures (hazardous event description, failure response, compensating measures, when to execute a safe shutdown, and what to do when a shutdown fails)
Maintenance: Administrative procedures (access security, management of change, bypass, configuration management, and failure reporting); maintenance procedures (hazardous event description, failure response, allowable repair time, inspection, preventive maintenance, and proof tests)
Manufacturers: How functionality, operability, maintainability, and reliability affect safe operation
Notes on the disciplines:
- Management includes personnel responsible for establishing policies related to safe and reliable operation and for oversight of the management system. Includes corporate and site organizations,
- Process safety includes personnel responsible for process safety management. Includes environmental, health, and process safety management organizations,
- Process includes personnel responsible for the process design and operation. Includes research and development, process, and process control,
- Instrumentation and Electrical (I&E) includes personnel responsible for instrumentation and control design and implementation. Includes I&E, process control and reliability,
- Operations includes personnel responsible for the operation of the process. Includes process operations and operations management,
- Maintenance includes any personnel responsible for inspecting, testing, and maintaining IPS equipment. This may include personnel from maintenance, process control, I&E, and reliability (equipment), and
- Manufacturers include any entity that develops, markets, and sells a product for IPS use.
1.3 BOOK ROAD MAP
The book is organized using a project lifecycle with six major phases:
1. Planning,
2. Risk Assessment,
3. Design,
4. Engineering, Installation, Commissioning and Validation,
5. Operational and Mechanical Integrity, and
6. Continuous Improvement.
These phases are shown in Table 1.2, which also provides a road map for the book listed by the target audience (see Section 1.2). An “X” indicates that the chapter contains material that is important to that resource, e.g., a discussion of fundamental principles or a specific task responsibility.
The protective management system discussed in Chapter 2 reduces the systematic errors through quality management processes and good engineering practices. Chapter 3 provides an overview of the risk assessment phase, which uses a variety of hazard and risk analysis techniques to identify and classify IPSs.
Chapters 4 and 5 address work processes for IPS design and implementation. Chapter 4 discusses the development of the design basis, which must achieve the intent of the risk assessment and the core attributes defined for each IPS. Chapter 5 covers the engineering, installation, commissioning and validation phase, where the design basis is turned into an installed and operational IPS.
Long-term operational and mechanical integrity is supported by an operating basis, discussed in Chapter 6, which addresses IPS operating and maintenance procedures and personnel training. Chapter 6 also discusses the importance of bypass management, compensating measures, periodic proof testing, and configuration management in achieving the core attributes. Finally, in Chapter 7, long-term performance is monitored and options for improvement are periodically considered.
Table 1.2 Road Map by Target Audience.
1.4 MANAGEMENT COMMITMENT
Management must make it a priority to develop a protective management system that ensures safe operation of their facilities. Management must support and approve the documentation of policies, practices, and procedures, which provide the work processes and metrics essential to effective risk management. Global competition also demands that the end result of these work processes yield reliable and cost-effective IPS operation. Work processes should address the significant classes of business risk, that is, safety, environmental, business interruption, and asset, to obtain the greatest value.
Many different management systems are used in the process industry to achieve safety and business risk goals. Consistent performance is directly related to the relevance of the prescribed practices to actual work tasks and the rigor employed to achieve quality workmanship.
In general, the management system should:
Establish risk criteria and a risk management philosophy,
Verify that work activities and associated documentation are in alignment with this philosophy,
Establish processes to identify and classify IPSs,
Identify personnel or departments who are responsible for IPS work activities and specialists who support the management system elements,
Verify the competence of those assigned responsibility for the IPSs,
Establish a process to evaluate whether existing IPSs meet applicable good engineering practices, and
Verify that the behavior and actions of its personnel are consistent with a culture that encourages continuous improvement in IPSs.
Management must be fully committed to and engaged in the development and implementation of the management system. Management responsibility includes establishing safe and reliable operation as a priority and providing the resources, tools, and training required to get the job done. Successful execution requires that decision criteria be clearly stated and consistently followed. For efficient implementation, these criteria should be embedded into each project and operational phase so that safety and reliability issues are considered a normal part of doing business. The best results are obtained when personnel who are responsible for safe and reliable operation:
Understand their individual responsibility and authority within the management system,
Understand the owner/operator risk criteria and how they are applied in the design and management of IPSs,
Are expected to consistently apply internal practices related to safe and reliable operation,
Feel supported in doing what is right (even if it requires changing the way things are done now),
Have the competency and necessary resources to accomplish their assigned responsibilities, and
Understand the boundaries of acceptable design, operation, and mechanical integrity.
CHAPTER 2
PLANNING
In the book, Lessons from Disaster: How organizations have no memory and accidents recur (Kletz 1993), Trevor Kletz states that “listing…human error as the cause of an accident is about as helpful as listing gravity as the cause of a fall. It may be true, but it does not lead to constructive action.” When a bridge collapses, the incident investigation report does not say that the incident was the result of the force of gravity. It is understood that gravity is a fundamental property considered in the bridge’s design and construction. The incident report will refer to improper steel specification, inadequate support structure, etc. Gravity is not listed as the cause, because it is obvious that given the right conditions all things succumb to gravity.