Issues With Managing Process Hazard Analysis (PHA) Data

Issues With Managing Process Hazard Analysis (PHA) Data


 National and local regulations require that all process operations have a formal Hazards Analysis performed on the original installation as well as for all modifications to the facility. Most regulations also require that the Process Hazard Analysis (PHA) of record be re-validated at regular intervals, such as the 5-year re validation cycle required in the US. 

PHA is a complex tool used during the lifecycle of a facility and two of the biggest issues with them are coordination and consistency (see figure 1 below).  A PHA of Record represents a point in time, but in reality plant cycles are not static.  They are actually very dynamic with multiple independent modifications in progress. Some records are implemented even though the plant is in operation while a backlog of modifications are scheduled for the next turnaround.  They start collecting the day the plant is started up after its last turn around. Every time a plant is modified, some form of PHA is performed. The scope of these modifications can range from a small in-house modification to large projects that expand, de-bottleneck, or fix the process.

Figure 1:

So, in a real plant environment, the Process Safety Management (PSM) Teams are faced with the almost impossible task of monitoring and collecting all of the completed Hazard Assessments and incorporating them into the PHA of Record as the modifications are implemented. If this hasn’t been done as time goes along, the PSM team then has an even bigger job of collecting all the incremental changes and identifying how they relate to the PHA of Record before they start the Re-validation process. All is a lot of work and consumes several full-time equivalents of work just to keep up. Most places don’t have these resources, so they make due as best they can.

Data Integrity, Why Do You Need It?

Data Integrity, Why Do You Need It?

What is Data Integrity?

Many of us may remember playing a game as a child, commonly referred to as Telephone, where everyone would sit in a circle with the sole responsibility of passing along a message to the next player. The goal of this game was to successfully pass the original message back to the first player without any changes to the original message. If your experiences were anything like mine, you would agree that the final message rarely made it back to the first player in the same state that it left in.  In some cases, the final message was so far from the original that it would induce laughter throughout the whole group. Although this game was supposed to provide laughter and enjoyment during our childhood, it was also a good teaching moment to reinforce the importance of detail and attention. This exercise is a simple demonstration of the importance of data integrity and communication and their reliance on each other.

Data Integrity in the Process Industry

In the human body, blood transports oxygen absorbed through your lungs to your body’s cells with assistance from your heart, while the kidneys are continuously filtering the same blood for impurities. In this example, three systems (heart, kidneys, lungs) are working together to ensure adequate maintenance of the body. Much like the human body, the process industry is complex and requires multiple systems working together simultaneously to achieve their goal. If any system were to break, it would result in reduced performance and possibly, eventual failure. These data integrity challenges are very similar, regardless of whether tasked with designing a new site or maintaining existing facilities.

Chemical plants, refineries, and other process facilities maintain multiple documents that are required to operate the facility safely. Any challenges with maintaining these documents and work processes could result in process upsets, injuries, downtime, production loss, environmental releases, lost revenue, increased overhead, and many more negative outcomes. Below are just a small example of the critical documents that must be updated to reflect actual engineering design:

  • P&IDs
  • Electrical One-Lines
  • Cause & Effects
  • Instrument Index
  • Loop Diagrams
  • Control Narratives
  • Wiring Diagrams
  • Process Control Logic

There are many processes and workflows that may trigger required changes to the above documentation, such as PHAs, LOPAs, HAZOPs, MOCs, SRSs, Maintenance Events, and Action Items, to name a few. Each of these processes requires specific personnel from multiple groups to complete. As the example earlier in this blog pointed out, it can be a challenge to communicate efficiently and effectively in a small group, much less across multiple groups and organizations. Data integrity can easily be compromised by having multiple processes and multiple workgroups involved in decisions affecting multiple documents.


When starting a new project or becoming involved in a new process, it is essential to consider how the requested changes will affect other workgroups and their respective documentation. Will your change impact others? Could understanding how your changes affect other data and workgroups minimize rework or prevent incidents? Could seeing the full picture help you to make better decisions for your work process? Below are some approaches to consider to improve data integrity and communication in your workspace:

  • Understand how changes you make may affect others
  • Identify duplicated data that exist across multiple databases or files
  • Look for ways to consolidate data and processes
  • Create Procedures to audit required changes
  • Designate Systems of Record (SOR) for all data
  • Implement roles to follow guidelines and maintain integrity and communication


Moving Existing Data into the SLM® solution

Moving Existing Data into the SLM® solution

When considering whether to move Safety Lifecycle Management into the SLM® solution, the question “What do I do with my existing data?” arises. This was a significant concern when the SLM® software was being developed and has thus been addressed. SLM® software has an Adapter Module that provides the tools for importing data into the SLM® system and exporting data to external systems. Import Adapters use an intermediate .csv file, typically created in Excel, to organize data so that the SLM® software can read the data, create the correct object hierarchy, and then import the data into SLM® software data fields. The software import process is illustrated in the figure below


During planning for an SLM® software installation, the user and Mangan Software Solution staff will review the data that is available for import and identify what Adapters are needed to support data import. During this review, the linkages between Modules and data objects should be reviewed to ensure that after import objects such as HAZOP Scenarios, LOPA’s, IPL Assets, and Devices are properly linked. If large amounts of data from applications for which an Adapter has not yet been created, it usually is advisable to have the MSS team create a suitable Adapter instead of attempting to use a Generic Import Adapter.

Once the user’s data has been exported to the intermediate .csv file a data quality review and clean up step is advisable. Depending upon the data source, there are likely to be many internal inconsistencies that are much easier to correct prior to import. These may be things as simple as spelling errors, completely wrong data, or even inconsistent data stored in the source application. I recall a colleague noting after a mass import from a legacy database to a Smart Plant Instrument database – “I didn’t realize how many ways there were to incorrectly spell Fisher.”

Once the data has been imported, correcting such things can be very tedious unless you are able to get into the database itself. For most users, errors such as this get corrected one object at a time. However, editing these types of problems out of the .csv file is pretty quick and simple as compared to post import clean up.

To Import the data, the User goes to the Adapter Module and choses the desired Import Adapter and identifies the .csv file that contains the data. The SLM® solution does the rest.
It should also be noted that SLM® software is capable of exporting data too. The User selects data types to export along with the scope (e.g. a Site or Unit). The exported data is in the form of a .csv file. This can be used to import data into a 3rd party application, or to use a data template to import more data.

Rick Stanley has over 40 years’ experience in Process Control Systems and Process Safety Systems with 32 years spent at ARCO and BP in execution of major projects, corporate standards and plant operation and maintenance. Since retiring from BP in 2011, Rick has consulted with Mangan Software Solutions (MSS) on the development and use of MSS’s SLM Safety Lifecycle Management software and has performed numerous Functional Safety Assessments for both existing and new SISs.

Rick has a BS in Chemical Engineering from the University of California, Santa Barbara and is a registered Professional Control Systems Engineer in California and Colorado. Rick has served as a member and chairman of both the API Subcommittee for Pressure Relieving Systems and the API Subcommittee on Instrumentation and Control Systems


Digitalizing Safety Information into Intelligence

Digitalizing Safety Information into Intelligence

What is Digital Transformation and how can the SLM® system help?
Digital Transformation is the process of converting non-digital or manual information into a digital (i.e. computer-readable) format. For an organization, a phase of digital transformation is a great opportunity for organizations to take a step back and evaluate everything they do, from the basic operations to complex workflows.

Digital transformation is a time to understand the potential opportunity involved in a technology investment. It’s an ideal time to ask questions, such as ‘Can we change our processes to allow for great efficiencies that potentially allow for better decision making and cost savings.’ A perfect example could be trending data to identify optimum test intervals based on degradation over time. This could provide cost savings in fewer required tests.

Advantages of Digital Transformation

The key tactical benefit of digital transformation is to improve the efficiency of core business processes. In the image below, you can see the efficiencies provided by digital data broken down into three key module areas:

SLM benefits

As you can clearly see, the opportunities provided by digitalization are vast and for this reason Digitalization Demands an Integrated Safety Lifecycle Management System A lot of tools in the market today are single purpose and do not share or exchange data in a way suited to a Safety Lifecycle Management system

Common problems

A lot of organizations we speak with are struggling with lagging indicators and poor reporting systems. This degradation has only gotten worse over time, and this points to a lack of clear and accurate data, overly complex workflows and restrictions brought about by company culture.

At any given point in time organizations are unable to identify the current health of their plant and assets. Bad actors are exceedingly difficult to identify and experience is diminishing with retirements and a reduction in the numbers of subject matter experts.

Digital Transformation Solution

Process Safety and Functional Safety is more than just hardware, software, testing and metrics. Taking a holistic approach and instilling a culture of safety requires a complete end-to-end system that can manage from Initial Hazard Analysis to the final Operations & Maintenance. The SLM® system is the only enterprise platform proven to bring together all aspects of the Safety Lifecycle through digital transformation.

Let SLM® be your digital twin

Let SLM® be your digital twin

Digital twins are powerful virtual representations to drive innovation and performance. Imagine it as a digital replica of your most talented product technicians with the most advanced monitoring, analytical, and predictive capabilities at their fingertips. It is estimated that companies who invest in digital twin technology will see a 30 percent improvement in cycle times of critical processes.

A digital twin captures a virtual model of an organization and helps accelerate strategy. This could be in products, operations, services, and can even help drive the innovation of new business. The model can identify elements that are hindering or enabling strategy execution and suggests specific recommendations based on embedded pattern recognition. Digital twin technology is used to collect more dots and connect them faster, so you can drive to better solutions with more confidence.



Today’s organizations are complex, evolving systems, built on the collective ambitions and talents of real people operating in a dynamic culture. The world is increasingly defined by data and machine learning, however, there is no simple way to measure human motivation or clear-cut formula for building an effective future.

In a nutshell a digital twin is a tool that can be used to analyze your business to identify potential concerns in any area, and show you how those issues link together. Armed with that information, you can build solutions immediately and overcome the most important obstacles – all before they happen. Get in touch and let our Safety LIfecycle Management tools manage your digital needs.

SLM® for Process Safety Solution

SLM® for Process Safety Solution

Mangan Software Solutions (MSS) is a leading supplier in the Process Safety and Safety Lifecycle software industry. For the past decade, MSS has been leading the market in innovative technologies for the Refining, Upstream Oil & Gas, Chemical, Pipeline, and Biopharmaceutical industries, transforming Process Safety Information into Process Safety Intelligence. MSS’ engineers and programmers are experts in the fields of Safety Lifecycle Management and Safety Instrumented Systems. With a scalable software platform and years of experience working with the premier energy companies in the world, MSS has established itself as the leader in software solutions engineered specific to the clients’ needs.


Process Safety Solutions



With our market leading SLM® software our clients are able to conduct, review, report, and approve HAZOP studies in one place without tedious work in Excel or other closed toolsets that keep you from your data.

The SLM® HAZOP module ensures HAZOP Study uniformity across the enterprise and ensures reporting is standardized and consistent.  It allows direct comparison of hazard and risk assessment between sites or units.

Using our SLM® Dynamic Risk Matrix visually identifies enterprise hazards and risk.. The HAZOP Study data can be filtered based on site, unit, health & safety, commercial, or environmental criteria.


SLM® LOPA Module

The SLM® LOPA module now provides intuitive worksheets to standardize your LOPA process and conduct IPL assessments. The Dynamic Risk Matrix is configurable to your risk ranking system and severities and offers real-time risk monitoring and identification. Dynamic reports and KPIs reveal unmitigated risks to allow for IPL gap closure scheduling and progress status. These reports offer unprecedented review of risk mitigation strategies.



SLM® Action Item Tracker Module

Identify risks and safeguards and track them with action items from HAZOP meetings through to the implementation of an IPL. The SLM® Action Item Tracker module is a centralized area where users can access assigned action item information pulled from all modules for action or reporting. Data relating to the action item is linked across modules and readily available for reference purposes. Customized reports and KPIs are available with a click of the mouse.


SLM® Functional Safety Assessment Module

The SLM® Functional Safety Assessment (FSA) module allows you to readily complete a Stage 1 through Stage 5 FSA in a standardized format – ensuring consistency throughout your organization. This tool allows you to define requirements for an FSA and then use the application to improve the effectiveness and efficiency of execution.


Digitalization Demands

Digitalization Demands

Part 2 – Hazard Identification and Allocation of Safety Functions

Digitalization Demands An Integrated Safety Lifecycle Management System (part 1) of this blog series, the general organization of the Safety Lifecycle, as described in IEC 61511, was discussed.  Part 1 highlights the difficulties the application of tools typically used in the day to day operations have with effectively administrating the Safety Lifecycle.

In Part 2 of this blog series, the discussion moves on to a more detailed view of Safety Lifecycle Management for the Requirements Identification phases of the Safety Lifecycle as illustrated in the modified IEC 6111 Figure 1 below.


Hazard Identification and Allocation of Safety Functions

While IEC 61511 does not specify procedures, it does require that a hazard and risk assessment be performed and that protective functions that prevent the hazard be identified and allocated as appropriate to Safety Instrumented Functions.

In practice this is usually accomplished by performing a hazard assessment using HAZOP or similar techniques. Scenarios that have a high consequence are then further evaluated using LOPA or similar techniques.

The LOPA studies identify protective functions or design elements that prevent the consequences of the scenario from occurring. These functions and design elements are generally designated as Independent Protection Layers (IPLs) and may take the form of instrumented functions such as Alarms, BPCS and Interlock functions, Physical design elements or Safety Instrumented Functions.

The Traditional Way

The market has a number of Process Hazards Assessment (PHA) software available. However, these software tools are all focused on performing PHAs or associated studies such as LOPAs and are almost always stand-alone tools. The capabilities have generally met the needs of Process Safety Engineers yet have had their limitations. Some of the available packages have attempted to extend their functionality to other phases of the Safety Lifecycle, yet they still tend to fall short of being a complete Safety Lifecycle Management function due to their original PHA focus.




Stand Alone

The biggest issues with stand-alone PHA and LOPA software packages is the fact that they are “stand alone”. They are self-contained and some of them have such draconian licensing restrictions, that sharing of PHA and LOPA data is extremely limited and often limited to transfer of paper copies of reports. Licensing costs are extremely high which results in organizations restricting the number of licenses that are available. Usually, the PHA and LOPA data can only be accessed from a very limited number of computers (often only one or two within an organization), even in view mode.

Difficult to link PHA and LOPA

A second major issue is that it is difficult, if not impossible to link PHA and LOPA data for a series of PHA and LOPA studies done on the same process. The typical life cycle of PHA and LOPA studies is that initial studies are done during initial design of a process plant, and then a revalidation of those studies is done every 5 years. Within the 5-year cycle, multiple sub-studies may be done if there are any significant revisions done to the process.

HAZOP of Record

Larger projects may use the same HAZOP tools as used for the HAZOP of Record, but they are usually considered in complete isolation from the HAZOP of Record. Often new nodes are defined that are numbered quite differently than the HAZOP of Record and may not contain the same equipment. As many of these studies are done at an engineering contractor’s office, the same licenses may also not be used. Many smaller modifications may be made that do not use the formal PHA procedure but use perceived simpler methods such as checklists and what-if analysis. The simpler methods are usually resorted because of the extreme licensing limitations noted above.


The Independence Mess of Traditional HAZOP Tools

Over a typical 5-year HAZOP cycle, a large number of additional hazard assessments are done, each independent, and often inconsistent with the HAZOP of Record. Project based HAZOPs may be performed on sections of the process with completely different node identifications and node scopes. In effect, there is no current HAZOP of Record as it is partially superseded by these incremental HAZOPs and other hazard assessment. At the time of the 5-year revalidation, integration of all of these independent studies with the prior HAZOP of Record is a major undertaking.

As these applications are stand-alone applications, any associations of Safeguards and IPLs identified during Hazard Analysis with the real Plant Assets used to implement those items must be done externally, if it is done at all. This results in a layer of documentation that is often difficult to manage, of limited availability and not very useful to the operations and maintenance personnel that really need the data

Top 3 Issues with traditional Hazard Identification methods:

  • Licensing restrictions

Licensing restrictions often severely limit access to the data. Furthermore, personnel that need to understand the reasons for various IPLs do not have access to the necessary data.

  • No Clearly Defined Data

IPLs and other Safeguards are usually identified in general terms and often do no clearly define what Plant Assets such as Alarms, BPCS Functions, Interlock Functions and Safety Instrumented Functions correspond to the identified IPLs. This is even more of a gap when a User needs to link an existing Plant Asset back to a specific IPL and PHA scenario.

  • Separate HAZOP and LOPA files

There is no way to integrate HAZOP and LOPAs of Record with incremental HAZOPs, LOPAs, and MOC hazard assessments. This leads to multiple, inconsistent versions of HAZOP and LOPA which then need to be manually resolved, and often are not integrated with the HAZOPs and LOPAs of Record.

5 Major Benefits of Digitalization

An Integrated Safety Lifecycle System, provides functionality that addresses the shortcomings of a system that is based upon single purpose HAZOP and LOPA software. Among the functions that are not provided by traditional PHA and LOPA software are:

  • The HAZOP and LOPA modules in the software provide functionality to link HAZOPs and LOPAs that are performed as part of Management of Change activities back to the current HAZOP of Record. This assures that Management of Change PHA’s are consistent with the HAZOP of Record in that the same Nodes, Equipment and Scenarios are copied to the MOC PHA’s and become the basis for the hazard assessments.

  • MOC hazard assessment data may be easily integrated back into the HAZOP of Record when the changes are actually integrated. The original versions are kept as archive records, but the HAZOP of Record may be kept up to date and reflect the actual state of the process, and not what it was several years ago. As the incremental HAZOPs and LOPAs are integrated back into the HAZOP and LOPAs of Record as changes are implemented, there is no large task of sorting out all of the studies done since the last HAZOP of Record into a new HAZOP of Record.

  • Integrated Safety Lifecycle Management applications have global access. Licensing restrictions do not limit access to HAZOP and LOPA data to a few licensed computers. However the Integrated Safety Lifecycle Management applications do contain security functions that allow restriction of data access to authorized Users.

  • IPLs identified by LOPAs are linked directly to the HAZOP scenarios and may also be linked directly to the Plant Assets what implement the IPLs. This means that the Process Safety basis for all IPLs is immediately available to all authorized personnel.

  • Checklists may be associated with IPLs to provide validation of the IPLs ability to mitigate the hazard and its independence from causes and other IPLs. Checklists are available at both the IPL functional level (when an IPL is identified by a LOPA) and a design level (when the Plant Assets that perform the IPLs functions are designed).


The traditional tools used for Process Hazards Analysis severely limit access to Process Hazards data and do not support other activities required to manage the Safety Lifecycle. Process Hazards data is fragmented and requires major efforts to keep the data current.

In an integrated Safety Lifecycle Management application, HAZOP and LOPA data is readily available to any authorized User. This includes the current HAZOP and LOPAs of Record as well as a full history of prior risk assessment studies. The linking of LOPA identified IPLs to real Plant Assets allow for access of the risk assessment basis for all Plant Assets that perform IPL functions from the Plant Asset data. So an operations or maintenance user can clearly understand why various IPL functions exist and the risks that they are mitigating.

Digitalization Demands An Integrated Safety Lifecycle Management System (part 1)

Digitalization Demands An Integrated Safety Lifecycle Management System (part 1)

An integrated safety lifecycle management system is crucial to properly manage the entire safety lifecycle from cradle to grave. Anyone who has attempted to manage the Safety Lifecycle has quickly realized that the tools that a typical processing facility uses are wholly unsuited to meet the requirements of the Safety Lifecycle.

Most tools available are single purpose and don’t exchange or share information. The tools available are directed towards managing things such as costs, labor management, warehouse inventory management, and similar business-related functions. The systems upon which these functions are based generally use a rigid hierarchy of data relationships and have little flexibility.

An Integrated Safety Lifecycle Management program must supplement or replace the traditional tools to even be considered.  Otherwise, the result is a mix of paper files (or image files on network drives)and a variety of independent word processor and spreadsheet files.  Not to mention the procedures for data collection that fall outside of what the traditional plant management tools will do. This places an unreasonable and unsustainable burden on plant personnel. These systems may be forced to work for awhile, but don’t perform well over time.  Also, its necessary to consider changes of personnel in various positions that occur.

Safety Lifecycle Management

The Safety Lifecycle is a continuous process that originates with the conceptual design of a processing facility and continues throughout the entire service life of that process. Process Safety related functions start their life during the initital Hazard Assessments when potential hazards and their consequences are evaluated. Protective functions are designed to prevent the consequences of the hazards from occurring and their lifecycle proceeds through design, implementation and operation. As plant modifications occur, the existing functions may need to be modified,may be found to no longer be necessary, or new functions are identified as being required. This results in another trip through the lifecycle as illustrated below.

The Safety Lifecycle IEC Regulations  

 IEC 61511, defines the processes that are to be followed when developing, implementing and owning of Safety Instrumented Systems (SIS). While the scope of IEC 61511 is limited to SIS, the concepts also apply to other Protective Functions that have been identified such as Basic Process Control Functions, Interlock, Alarms or physical Protective Functions such as barriers, drainage systems, vents and other similar functions.

The Safety Lifecycle as described in IEC 61511 is shown in the figure below. This figure has been excerpted from IEC 61511 and annotated to tie the various steps with how Process Safety Work is typically executed. These major phases represent work that is often executed by separate organizations and then is passed onto the organizations responsible for the subsequent phase. 


Safety lifecycle management process diagram

1.) Requirements Identification

This phase involves conducting Process Hazards Analyses and identifying the Protective Functions required to avoid the consequences of process hazards from occurring.

The tools typically used for these activities are a Process Hazards Analysis application and Layers of Protection Analysis (LOPA). The CCPS publication Layer of Protection Analysis: Simplified Process Risk Assessment describes the process of identification and qualification of Protective Functions, identified as Independent Protection Layers (IPL’s).

2.)  Specification, Design, Installation and Verification 

This phase is typically thought of as “Design”, but it is so much more:

  • The Specification phase is involving specification of the functional requirements for the identified IPL’s. When the IPL’s are classified as Safety Instrumented Functions (SIF), they are defined in a Safety Requirements Specification as defined by IEC 61511. Other non-SIF IPL’s are defined as described in the CCPS LOPA publication, although the concepts defined in IEC 61511 are also an excellent guide.
  • Once requirements are specified, physical design is performed. The design must conform to the functional, reliability and independence requirements that are defined in the SRS or non-SIF IPL requirements specifications.
  • The designs of the Protective Functions are installed and then are validated by inspection and functional testing. For SIS’s a Functional Safety Assessment as described by IEC 61511 is performed prior to placing the SIS into service.

3.) The Ownership Phase

This is the longest duration phase, lasting the entire life of the process operation. This phase includes:

  • Operation of the process and its Protective Functions. This includes capture of operational events such as Demands, Bypasses, Faults and Failures.
  • Periodic testing of Protective Functions at the intervals defined by the original SRS or IPL requirements. This involves documentation of test results and inclusion of those results in the periodic performance evaluations.
  • Periodic review of Protective Function performance and comparison of in-service performance with the requirements of the original SRS or IPL requirements. If performance is not meeting requirements of the original specifications, identification and implementation of corrective measures is required.
  • Management of Change in Protective Functions as process modifications occur during the process lifetime. This starts a new loop in the Safety Lifecycle where modifications, additions or deletions of Protective Functions are identified, specified and implemented.
  • Final decommissioning where the hazards associated with decommissioning are assessed and suitable Management of Change processes are applied.


CLICK HERE TO READ MORE ON ⇨ A Holistic Approach to the Safety Lifecycle


Execution Challenges

Execution of the Safety Lifecycle interacts with numerous process management tools. Some of those tools that are typically available are illustrated in the figure below. All of these tools have the characteristics that they are generally suitable for the single purposes for which they were chosen, but all of them have limitations that make them unsuitable for use with a Safety Lifecycle Management process.

The Safety Lifecycle involves numerous complex relationships that cross traditional organizational boundaries and require sharing of data across these boundaries. The tools traditionally used in process operational management just don’t fit the requirements of Managing the Safety Lifecycle. Attempts to force fit them to Safety Lifecycle Management results in fragmented information that is difficult to access and maintain or which is just missing, and which results in excessive costs and highly ineffective Safety Lifecycle Management. The work around become so fragmented and complex, they rapidly become unsustainable. 

SRS and SIS engineer data
  • The Value of an Integrated Safety Lifecycle Management System

    An Integrated Safety Lifecycle Management System provides the benefits that an organization expects from the protective systems installed in a facility. The System provides fit for purpose work processes that account for the multiple relationships among the various parts of the Safety Lifecycle that traditional tools do not provide. A few of the high-level benefits are:

        • Consistency and quality of data is vastly improved by using common processes, data selection lists, data requirements and procedures that have been thought out and optimized for the needs of managing protective systems.
        • Design of Protective Functions is made much more efficient due to standardization of the information needed and the ability to copy SRS and non-SIF IPL data from similar applications that exist elsewhere in an organization. Design data is readily available to all authorized Users that need that data.
        • Process Safety awareness is enhanced because the Safety Lifecycle Management System provides links between the originating hazard assessments, PHA Scenarios, LOPA’s, LOPA IPL’s and the Plant Assets used to implement the Protective Functions. Authorized users can readily identify Protective Functions and Plant Assets that implement them, and directly access the process hazards for which the functions were installed to prevent.
        • Protective Function and associated Plant Asset performance events can be readily captured with a minimum of effort. The Safety Lifecycle Management System collects all of the event data and automatically produces performance data such as Tests Overdue, Tests, Failure Rates, Tests Upcoming, Demand Rates, Failure Rates and Prior Use statistics on a real time basis. The performance can be reported on a Unit, Site or Enterprise basis and can be categorized by Protective Function type, Device Type, Device manufacturer or similar categories. This allows Users to fully understand the conformance of Protective Function and Device performance relative to their Safety Requirements and identify any performance issues.


 Rick Stanley has over 45 years’ experience in Process Control Systems and Process Safety Systems with 32 years spent at ARCO and BP in execution of major projects, corporate standards and plant operation and maintenance. Since retiring from BP Rick has consulted with Mangan Software Solutions (MSS) on the development and use of MSS’s SLM Safety Lifecycle Management software and has performed numerous Functional Safety Assessments for both existing and new SISs.

Rick has a BS in Chemical Engineering from the University of California, Santa Barbara where he majored in beach and minored in Chemical Engineering… and has the grade point to prove it. He is a registered Professional Control Systems Engineer in California and Colorado. Rick has served as a member and chairman of both the API Subcommittee for Pressure Relieving Systems and the API Subcommittee for Instrumentation and Control Systems.

A Holistic Approach to the Safety Lifecycle

A Holistic Approach to the Safety Lifecycle

Holistic Approach to the Safety Life Cycle

Holistic (adj): relating to or concerned with wholes or with complete systems rather than with the analysis of, treatment of, or dissection into parts.

A lot of factors enter into how a Process Safety Culture develops in an organization, but the net result is that either an organization has a positive, effective Safety Life Cycle culture or becomes exposed to major incidents that can cause a business to fail. The history of major incidents in process plants is littered with root causes related to failed Safety Cultures.

A robust Process Safety Management culture in a facility also leads to multiple other improvements. In an operation where Process Safety has a major focus, operators tend to be more attentive to keeping their units stable and on spec and the entire organization tends to be more focused on quality of work. If there is a lax Process Safety Culture, then it is easy for operations to become sloppy and for other groups to just let things slide.

When I stand back a bit and think of what factors determine whether a facility has an effective Safety Culture, the following come to mind. All of these are complex subjects, so only a bit is discussed. However, the combined effect of these items has deep impacts upon whether a Process Safety Culture is positive or toxic. In the end however, people do the work for which they are rewarded, even if it’s just a positive performance review. If Process Safety performance is not a key item on the expectations for an employee’s performance, its probably not going to be something that gets a lot of effort. 

Management Attitude

Unfortunately, the number one factor in determining how successful a Process Safety Culture becomes, is the attitude of the management of an Enterprise or Site. I’ve had the fortune and mis-fortune to work in environments where the management had some level of appreciation of Process Safety and work in environments where Process Safety came right after cost, schedule and getting my next promotion (and I hope I get out of here before something goes wrong).

A successful Process Safety Culture, and the Process Safety Management structure that evolves from it, starts at the top. In order to have an effective system, the management of an organization has to demonstrate that Process Safety is as important as the quarterly results. Management has to continue to reinforce that commitment. A basic philosophy has to be defined and spread through the organization, and the expectations of that philosophy need to be rigorously applied at all levels of management and supervision. Failure to meet those expectations has to have real consequences.

Management has to demonstrate a basic knowledge of, and high and continuous interest in the Process Safety Management System. The status of Process Safety needs to be as high on the priority list as more measurable things like production results and costs. Plant staff needs to understand that missing key performance targets for Process Safety functions such as periodic testing, having too many demands or tolerating poor safety function performance have the same consequences as other financially related shortfalls. If management isn’t actively following the Process Safety Life Cycle, they are really telling their staff that they don’t care, and the staff is going to let things slide to pursue things that they think that management cares about.

The systems also have to be robust enough that they become embedded in the organization’s operating culture so that it can survive the changes in personnel, including management, that always happen. Personnel need to have clearly defined responsibilities and be trained to meet those responsibilities. When an individual takes on a new position, the Process Safety responsibilities and procedures need to be part of the transition process. It’s tough to build a Process Safety Culture, but it’s fairly easy to destroy one. When the first question out of manager’s mouth is what does it cost? Or why are you doing that? it’s a good sign that the Process Safety Culture isn’t doing very well.

Information Availability and Training

Part of implementing a robust Process Safety Management System is making sure that all of the personnel that are expected to perform tasks related to the system are fully trained and have access to the information they need. This extends far beyond just the mechanics of performing their assigned tasks.

The training they receive needs to include a clear identification of how their tasks fit in with the Safety Life Cycle Management System, and full training in the underlying process hazards and access to usable reference data. Training needs to be routinely reinforced. Refresher training should be routine and training on changes to Process Safety Systems should be an integral part of the Management of Change procedures. As noted above, Process Safety requirements and procedures need to be part of all transition plans.

Operations personnel in particular require comprehensive initial training and periodic refresher training. Operations personnel need to be fully aware of the protective functions that are installed in their units, what process hazards are responsible for their installation, and how they are operated. Operations supervision needs to take an active role in making sure that this knowledge is current, and operators are routinely drilled in the properly responses to process safety related events.  Procedures for collection of event data for demands, failures, bypasses and similar events need to be reinforced and accurately captured.


Written procedures need to be prepared and maintained for Process Safety related activities. This includes validation and periodic testing procedures, operating procedures and procedures for capture and transmittal of Process Safety related events such as Demands, Tests, Failures and Bypasses. These procedures need to be readily available to all individuals whose jobs involve Process Safety, which means just about everybody.

Personal Experience and Biases

Everyone who is part of the Safety Life Cycle comes to the process with their own experiences and biases. The most general categorization is those who have experienced a major incident and those who have not. The members of the those that have group seldom need to be convinced of the need to have a robust and effective Safety Life Cycle Management process.

The those who have not group often are the most difficult to bring into compliance as they often do not recognize the critical value that the process has. This is an especially difficult problem if the members of management at the higher levels believe that “it can’t happen here”. Unfortunately, these folks get multiple opportunities to join the “those that have” group and its just a matter of how severe their lesson is. Trevor Kletz’s books, What Went Wrong, and Still Going Wrong should be mandatory reading for those folks. They need to be convinced that it can happen to them.

Silos, Tribes and Conflict

Every process facility is organized into various departments and work groups. Over time the divisions between these departments and work groups can become tribal with each group working in their own silo and not sharing information. Information becomes power and often isn’t readily shared.

Process Safety Information is unfortunately one class of information that is far too closely held. This is partially due to the isolated nature of the common process hazards analysis software packages, but in some places, especially those with poor Process Safety Cultures, process hazard data is almost treated as a state secret. I recall on multiple occasions attempting to get copies of HAZOP data from a Process Safety Group and getting the equivalent of “who wants to know” before I could force release of the data. Not a healthy environment. Process Safety information was distributed to operations and maintenance personnel in heavily curated forms and very few people had access to the actual HAZOP data.

The same thing can happen between operations, engineering and maintenance groups. They end up performing day to day work in a vacuum and data sharing is determined only by what is available on the common operation and maintenance tools that are available. It isn’t always intentional, that’s just the way the work processes end up dividing people.

Process Safety Management Systems require a lot of data sharing and organizational barriers need to be broken down, or at least partially broken down. In a robust Process Safety Culture, these barriers are not as firm and you see a lot more data sharing that can be observed in organizations that don’t have a good Process Safety Culture.

See how industry leaders like Shell are digitizing their process safety lifecycle!

System Capabilities, Limitations and Performance

I’ve long had a private theory that the operating culture in a plant is set by the design, capabilities and failures of the plant’s process control systems. It’s not that personnel set out to make it that way, but over time people adapt their behavior to match what the process control system allows them to do or what the system’s performance and reliability imposes upon them in forced work around or other less than optimum practices. Everything an operator sees on a daily basis is viewed through the lens of the information provided by the process control system and that shapes a lot of culture. This ends up affecting how other organizations behave, as in most facilities operations is king no matter what the organization chart says.

In the same manner, the presence or lack of presence of Process Safety Systems and the importance that the plant management and supervision place on those systems shapes a plant’s process safety culture and determines how effective these systems are. This determines whether they become the assets that were intended to be or become perceived as an obstacle to operations

Poorly designed systems may fail to provide the protection with which they have been credited. Even worse, poorly designed systems result in loss of credibility with the staff that have to work with them. Operators will not tolerate a system that causes false trips, operating difficulty or is just too hard to understand. Before long the systems are disabled, and nobody asks why.

I’ve seen lots of skepticism, some well-earned, from operators when a new safety system was installed. Often, they get handed a system designed by a contractor that had little guidance other than a Project Engineer beating them up for cost and schedule. Upon the first operational difficulties, the criticism starts. In an organization that has a poor Safety Life Cycle management system, the criticism is often just accepted, and management starts hearing the complaints and decides that the safety systems don’t really have much value.

The first requirement is that the design all Safety Related functions get adequate direction and review from qualified engineering staff who are skilled in design for reliability and design of human interfaces and understand how the plant operators view things. When performance issues do occur, the design needs to be looked at to determine where the problem occurred. In some cases, it’s a learning experience as prior poor operating practices may have caused the operators to be careless and allowed the process to go where it should not have gone. In other cases, the protective system operated exactly as it should have, and the operators don’t initially appreciate the bullet they dodged.

Well-designed systems can have the opposite effect. Engineering and Process Safety personnel need to take the performance of the installed protective systems very seriously. These are not install-and-forget systems. Operations often needs considerable hand holding for quite a while after commissioning. This involves continued contact with operations personnel about their experiences and seriously listening to their feedback. Sometimes there are explanations, clarifications and follow up training, but just as often there is something that needs to be fixed.  All trips that occur need to be investigated to determine if a trip was valid and then operations needs to be brought into the loop on the findings. 

Sometimes they just have to learn by being saved by a process safety system. I recall installing a rather complex protective system on an FCCU. The operators were very afraid of the system (first question during training – How do I turn it off? Answer – You don’t. Second question What do I do if it trips – Answer – Secure the unit, calm down and then start the restart procedure). It took a lot of convincing to get them to turn on the system and more than a few questions over time about what it really would do.

You could tell it was always on their mind as I seldom could walk through the control room without someone having a question or complaint, but I did make it a point to wander by fairly regularly and start a conversation before I got hijacked. One day they had an equipment failure that resulted in the system tripping the unit. First response was that it was the trip system that caused it. After a couple of days of the investigation, one operator realized that it really was a valid trip, and it saved them from a lot of equipment damage and people getting hurt. The operator passed on his epiphany to others on his crew. The questions stopped and there wasn’t any more grumbling. I knew we had broken through when the operators were reminding each other about putting the system into service before they started back up.

A lot of factors affect how a Process Safety Culture develops in an organization. 

 Rick Stanley has over 45 years’ experience in Process Control Systems and Process Safety Systems with 32 years spent at ARCO and BP in execution of major projects, corporate standards and plant operation and maintenance. Since retiring from BP Rick has consulted with Mangan Software Solutions (MSS) on the development and use of MSS’s SLM Safety Lifecycle Management software and has performed numerous Functional Safety Assessments for both existing and new SISs.

Rick has a BS in Chemical Engineering from the University of California, Santa Barbara where he majored in beach and minored in Chemical Engineering… and has the grade point to prove it. He is a registered Professional Control Systems Engineer in California and Colorado. Rick has served as a member and chairman of both the API Subcommittee for Pressure Relieving Systems and the API Subcommittee for Instrumentation and Control Systems.

Non-Instrumented Independent Protection Layers (IPLs) – Hiding in Plain Sight

Non-Instrumented Independent Protection Layers (IPLs) – Hiding in Plain Sight

Non-Instrumented independent protection layers (IPLs) are hiding in Plain Sight. A few of the often-missed non-Instrumented IPL types are often forgotten in the real world. This blog is not a complete list of non-Instrumented IPLs but instead it highlights how easy it is for these types of protective features to be forgotten and unintentionally disabled. An organization needs to rigorously manage these “invisible” IPLs to assure that they receive the maintenance and management of change procedures they require to continue to be able to perform their functions.

When an Organization conducts Layer of Protection Analyses, IPLs are identified by the LOPA teams. As described in the CCPS publication Layer of Protection Analysis: Simplified Process Risk Assessment-there are a wide variety of functions and design features that may be credited as an IPL, provided that other criteria such as the ability to prevent a consequence, independence and availability are also met.

Many Organizations tend to focus on Instrumented IPLs such as Alarms and Basic Process Control System functions. However, there are a significant number of other non-Instrumented IPLs for which credit may be taken. Many of these IPLs are passive or mechanical functions that often fade from the Organization’s attention as they are often look just like non-IPL equipment.

See how industry leaders like Shell are digitizing their process safety lifecycle!

Tank Berms and Dikes

One of the most common non-Instrumented IPLs is installation of Berms and Dikes (Bunds if you are outside of the US) that contain the contents of a storage tank or vessel should there be a loss of containment event. Berms and Dikes get a fair amount of attention during their initial design, but soon become just a background feature in the tank farm. Over time, they can degrade or be compromised by ongoing operations.

One of the more recent and spectacular failures of containment IPLs is the Buncefield storage facility fire that occurred in the UK in 2005. As with most major incidents, there were a number of contributing causes, but one of them was the failure of the tank containing walls to contain the liquid released by a tank failure. This allowed inventory to escape the secondary containment. The investigation of the incident found that seals in the concrete wall containment system had not been maintained and significant material flowed beyond containment.

Drainage Systems

When sizing pressure relief systems, credit is often taken for the presence of drainage systems that will prevent the accumulation of flammable liquids around process vessels. This allows the designers to eliminate or reduce the size of the pressure relief systems for fire cases. A drainage system consists of physical grading or installation of drainage trenches or lines that carry away flammable material to a “safe location”. These systems are usually dry for years and decades and aren’t that hard to compromise. Drains and trenches can become plugged with debris or the “safe containment” area gets compromised or even built over. The Buncefield fire and explosion mentioned above was aggravated by the fact that the drainage systems failed to function as they were designed, and material that leaked from the tank containment did not flow away from the area as intended.


Frangible Tank Roofs

Storage tanks are subject to overpressure from a variety of sources as described in API RP-2000. For the more extreme cases, such as external fire, designers may choose to specify that the that tank be constructed with a weak roof to wall connection, or a frangible roof. The design is intended to provide a failure point which would allow a path to relieve vapors generated prior to failure of the tank at more catastrophic locations such as at the floor to wall seam.

The difficulty with constructing tanks with a frangible roof specification is that externally it is extremely difficult to verify that the welds at the roof seam meet the requirements for a weak seam. In tank over pressure audits conducted many years after tank construction, it was found that it was basically impossible to verify that the existing tank roof to wall welds qualified as a frangible roof. During the study, a few reports of welds not meeting frangible roof specifications were found. There is no practical means of testing the seam, so there was little alternative other than to not take credit for a frangible roof, which resulted in retrofit installation of some very large emergency roof vents.

Excess Flow Valves

Excess flow valves are typically installed to prevent the uncontrolled flow of hazardous material from a vessel to the environment should an external failure occur, such as failure of light ends pump seals or other loss of containment events involving equipment downstream of the process vessel. They are also found in transportation applications such as truck loading racks or in pipelines.

In regulated industries such as transportation and pipelines, excess flow valves typically have high visibility and usually get tested and maintained. However, in process applications, this isn’t necessarily the case. Process excess flow valves are often installed at the outlet of a process vessel and are of a design that uses a check valve installed in a reversed position. The check valve is held open by a mechanical linkage that is released by either a fusible link that melts when exposed to a fire or a solenoid valve that releases the linkage, and sometime both.

Once installed, these valves appear remarkably common. They look like most any other check valve and often get ignored and sometimes forgotten about. I recall being in an older process unit on other business when I just happened to notice a couple of wires hanging from an open conduit. In itself this was a big issue as if those wires were energized an ignition event could occur. So, I started to look around and found an old, solenoid operated excess flow valve nearby that was missing its wires. Worse yet, the excess flow valve hadn’t operated. A bit of inspection showed that the solenoid was indeed deenergized, but the mechanical latch mechanism was severely corroded and had not allowed the valve to operate. Even more interesting was when I reported this to the Operations group, they had no idea that the excess flow valve was there. No wonder it never got looked at. The wiring disconnection appeared to be some casual modification that no one had any idea of when or who did it, or why. This incident started a hunt for other excess flow valves in the plant, which turned up another handful of issues. After decades of neglect, the excess flow valves got added to an inspection and maintenance list.  

Check Valves

In high pressure applications, such as feed pumps for hydrocrackers, other services where liquid is being pumped from a very low pressure to a very high pressure, or when a high pressure process can back flow into a low pressure process, check valves are often depended on to provide some level of overpressure protection for the low pressure system. API RP-521 recognizes this practice and recommends that credit only be taken for installations consisting of two check valves of differing designs installed in series and describes considerations that should be used in assessing potential leakage through the check valves.

The difficulty in operating these systems is that almost every pump in a process plant has at least one check valve installed in its discharge lines, so keeping track of which check valves are being credited for over pressure protection can be a challenge. It’s quite easy to lose track of these valves and not give them the routine inspection and leak testing required for those services which are being used at IPLs or to reduce the low-pressure relief system requirements. The check valves that are used for these purposes are usually high-pressure designs (2500 or 1500 pound class) and are difficult to maintain due to weight and sometimes being installed with welded ends. At the same time, the hazards of a failed check valve service are quite high, as high-pressure backflow will generally result in the rapid unscheduled disassembly of the low-pressure equipment.

Flame Arrestors

Flame arrestors are static device, usually consisting of some form of metal mesh or similar convoluted flow passages at the location where a tank or other vessel is vented to atmosphere. Flame arrestors are designed to prevent flame propagation from the vent outlet back into the tank or vessel, usually by cooling an external flame and reducing the flame propagation velocity.

Flame arrestors are passive devices and may remain in place for many years without any attention. This often results in the functionality being compromised due to build up of dirt, insect nests, corrosion or other degradation. Flame arrestor design is also based upon a very specific set of conditions such as the flammable material contained in the tank and environmental conditions. It is not that difficult to compromise or plug up a flame arrestor, and there are reports of them failing to function when needed or being found in an inoperable condition when inspections were eventually performed.

Block Valve Lock Systems

In some process designs, safe operation of the process is depended upon block valves installed for maintenance, startup or shutdown operations being kept in specific positions, either opened or closed. For example, pressure relief system designs are often dependent upon block valve installed under pressure relief devices being kept open at all times, or other block valves required to isolate parallel equipment being kept open whenever process fluids are in the system.

Often block valve lock systems are manually managed with only manual monitoring. The physical “lock” varies with the operations, ranging from simple aluminum car seals such as those used on rail cars or truck doors, to new plastic designs, to designs that used metal cables or chains with physical locks. In some cases, an organization will attempt to not use physical barriers and rely only upon hanging warning tags on valves.  

Use of block valve lock systems requires that there be a robust administration system whereby the status of all locked open or closed valves are continuously kept and logged, and that procedures to follow when removing or installing a block valve lock/seal and changing of the valve positions are clearly specified and followed. If locking systems are used, an additional layer of tracking of keys is also required.

For a process plant of any size, there may be a large number of block valves that are designated as CSO, CSC, LO, LC etc. (Car Seal Open, Car Seal Closed, Locked Open, Locked Closed). Administration of these valve seals or locks is no small task and more than a few units have failed surveys of their valve lock systems.

Captive Key Systems

Captive key systems are a step above the use of simple valve seals and locks. In most cases, captive key systems are used in applications where a number of valves or other equipment must have their status changed in a specific order. In these systems, the valves or other operating equipment are provided with a mechanism that requires that a key be used to unlock the valve or system for operation. The mechanism captures the initiating key when the operation is performed and releases another key that is used to operate the next valve or system in the sequence. The system has multiple keys, all of which are different. When using a captive key system, the operator starts with an initiating key that is used to operate the first device in the chain. Keys are trapped and released in sequence, with the final device releasing a key that then is stored in a safe location. When the sequence is to be reversed, the operator starts with the final key and the sequence is reversed.

Captive key systems are often used to assure that equipment is safely isolated for entry or maintenance, such as in high voltage electrical systems, or in systems that require a large number of sequential valve movements to isolate equipment such as a spare reactor. The challenges of ownership are administration of the starting and ending keys, so they do not get lost and keeping the various locking mechanisms clean and operable. The use of these systems is often very infrequent and it’s not difficult to lose track of keys or find that the locking mechanisms aren’t working when needed.


Non-Instrumented IPLs have process safety roles that are every bit as important as Instrumented IPLs. However, as they are often passive design features and may be so similar to other equipment, they often fall out of view and fail due to age, neglect or modifications. It is of critical importance that these Non-Instrumented IPLs are clearly documented and that their process safety functions are clearly communicated to Operations and Maintenance personnel so they can be taken into account during Management of Change activities. A system that manages only Instrumented IPLs and does not allow management of Non-Instrumented IPLs is incomplete and can be an obstacle to effective IPL and Process Safety Management.


Rick Stanley has over 40 years’ experience in Process Control Systems and Process Safety Systems with 32 years spent at ARCO and BP in execution of major projects, corporate standards and plant operation and maintenance. Since retiring from BP in 2011, Rick has consulted with Mangan Software Solutions (MSS) on the development and use of MSS’s SLM Safety Lifecycle Management software and has performed numerous Functional Safety Assessments for both existing and new SISs. 

Rick has a BS in Chemical Engineering from the University of California, Santa Barbara and is a registered Professional Control Systems Engineer in California and Colorado. Rick has served as a member and chairman of both the API Subcommittee for Pressure Relieving Systems and the API Subcommittee for Instrumentation and Control Systems.