Shell Global Bowtie Guidance - 2016 [PDF]


Global Bowtie Guidance

Document Title: Global Bowtie Guidance
Document Number: TBC
Document Revision: 0
Document Status: Final
Document Type: HSSE Specification
Owner / Author: Bradd McCaslin / Kalisha Bennett
Issue Date: December 11, 2015
Expiry Date: December 11, 2020
ECCN: EAR 99
Security Classification: Unrestricted
Disclosure: None

Revision History shown on next page

- 2 -

Unrestricted

Revision History

Rev. 0 (12/11/15): Initial Release
  Originator: Kalisha Bennett
  Reviewers: Anneeza Abdul Ghani, Karen Stammer, Jitze Lukkes, Riccardo Magliocchi, Tawheed Olayiwola, TSE Leadership Team
  Approver: Bradd McCaslin

Signatures for this revision
  Role: Risk Management PTE
  Name: Bradd McCaslin
  Date: 12/11/15
  Signature or electronic reference (email)

Summary: Guidance (Ruleset and methodology) for the development and application of Bowties

Keywords: Bowtie, Hazard, Major Hazard, Barrier, Top Event, Threat, Consequence


BACKGROUND

Bowties exist in many formats and are used to meet a range of requirements for management of RAM Yellow 5A/5B and Red Risk Hazards. A number of methodologies have previously been adopted across Royal Dutch Shell (RDS) for Bowtie analysis. In order to develop a consistent approach, a standardized methodology for Bowtie development was established, including the application of Rulesets and the terminology used to communicate the Hazard scenarios.

This document establishes the basis for the Bowtie methodology, Rulesets and guidance that was developed through the Global Bowtie Improvement initiative for the development of Bowties across RDS.

Global Bowtie Initiative Sponsor: Natalie Salter
Global Bowtie Project Owner: Bradd McCaslin
Project Manager: Kalisha Bennett
Global Bowtie Initiative Team:
  DMH - Riccardo Magliocchi
  PTP - Anneeza Abdul Ghani
  PTS - Karen Stammer
  PTW - Jitze Lukkes
  UA - Kalisha Bennett
  UI - Tawheed Olayiwola

DEFINITIONS

As Low as Reasonably Practicable (ALARP): The point at which the cost (in time, money and effort) of further Risk reduction is grossly disproportionate to the Risk reduction achieved.

Active Barriers: An Active Barrier works by virtue of an action, or a change of state, to become effective. Active Barriers consist of:
- a Sensor (or initiator) - detects the condition that requires action;
- a Logic Solver - decides that, and which, action needs to be taken; and
- an Actuator (or final element) - takes/effects the action to address the Hazard release condition.
Active Barriers can be either Hardware and/or Human Barriers.

Barriers: Barriers on the left hand side (LHS) of the Bowtie prevent Threats from releasing a Hazard. They are also referred to as Controls. Barriers on the right hand side (RHS) of the Bowtie prevent, limit the extent of, or provide mitigation or recovery from the Consequences. They are also referred to as Recovery Measures. Barriers may be hardware or human interventions or a combination of the two.

Barrier Validity: In order for a Barrier in a Bowtie to be considered valid, it must be Effective, Independent and Auditable.
- Effective Controls prevent or significantly reduce the probability of Threats leading to the Top Event;
- Effective Recovery Measures prevent or substantially limit the extent of the Consequences;
- Independent Barriers should be independent of the initiating event (of the Threat) as well as of the components of any other Barrier already validated for the same condition;
- Auditable Barriers should be evaluated to verify that they can operate correctly when called upon (for example: inspection, testing and record keeping).

Bowtie: A Bowtie is a graphical representation of how an unwanted event can occur, the potential resulting Consequences, and how these can be controlled and/or mitigated. The Bowtie analysis identifies Threats and Consequences associated with a specific Hazard and determines the necessary Barriers to manage the risk.

Consequence: A Consequence is an Effect on people, Assets, the environment or reputation as a result of a Hazard being released. A Consequence is the ultimate (credible) harm that may occur as a result of the release of a Hazard.

Control: A type of Barrier that is a means of preventing an incident or Top Event, and therefore is located on the left hand side of a Bowtie.

Escalation Factor: Escalation Factors are situations, conditions or circumstances that degrade, impair or bypass the Barrier and may lead to the partial or full failure of a Barrier. Escalation Factors can act on Barriers on the left or right hand side of the Bowtie.

Escalation Factor Controls: Barriers that prevent and/or mitigate an Escalation Factor from adversely affecting a Barrier.

Hardware Barrier: Equipment or safety systems, also classed as "Safety Critical Element", that act to prevent Top Events or limit the Consequences of a release. Hardware Barriers can be Active Barriers or Passive Barriers.

Human Barrier: Human Barriers rely on a human being as part of the Barrier, initiating and/or taking actions (in response to information) to prevent the Top Event or mitigate the Consequences. Human Barriers in practice are often used in combination with hardware to perform an action (e.g., an operator response to alarm, initiating emergency response). A Human Barrier can only be an Active Barrier.

Hazard: An agent that has the potential to cause harm to People, damage to Assets, business loss and impact on the Environment or Reputation (PAER).

Hazard and Effects Register: A list of the Hazards that are associated with an activity, together with their potential Effects and assessed Risks.

Initiating Event: Condition that catalyses the release of the Threat.

Major Hazard: Hazards having risk in the Red and Yellow 5A / 5B areas of the RAM.

Passive Barrier: A Passive Barrier works on the basis of its (continuous) presence, e.g.:
- A bund wall around a tank prevents escalation from a LOPC.
- The tank (wall thickness) itself is a Barrier to prevent the LOPC.
Passive Barriers tend to be Hardware Barriers.

Performance Standard / Technical Integrity Performance Standard (TIPS): A document that establishes the performance requirements of a system or item of equipment, and which is used as the basis for effective management of the Barriers used to prevent/mitigate an incident following the release of a Major Hazard.

Recovery Measure: A type of Barrier that limits or mitigates the Consequences of the release of a Hazard (Top Event), and therefore is located on the right hand side of a Bowtie.

Risk Assessment Matrix (RAM): A tool used to assess the Consequences and Risks of Hazards to HSSE. The results are referred to as a RAM Severity rating and a RAM Risk rating.

Safety Critical Activities (HSSE Critical Activity): A group or set of (Safety Critical) tasks (e.g. a discrete action) necessary for the development, implementation, operation and/or maintenance of a Barrier established for managing Hazards with RAM Red Risks or Yellow 5A / 5B Risks.

Safety Critical Element (HSE/HSSE Critical Element, SC Equipment): An item of equipment or structure, or a system (including software logic), that acts as a Barrier to prevent the uncontrolled release of a Hazard leading to a worst case credible scenario with RAM Red or Yellow 5A / 5B Risk, or acts as a Barrier to control or mitigate the effects of such a release.

Safety Critical Positions (HSSE Critical Position, Frontline Barrier Management, Critical Roles): Personnel positions which have the responsibility to design, implement, operate or maintain Barriers established for managing Major Hazards.

Safety Critical Processes (HSSE Critical Processes): A management process established to implement and maintain Controls that manage Hazards with RAM Red Risks (and Yellow 5A / 5B Risks for the AIPS Management Application Manual).

Threat: A Threat is the occurrence (condition, situation, phenomenon or event) which will release the Hazard and cause a Top Event, for example, corrosion or overpressure.

Top Event: The Incident that occurs when a Hazard is released, such as the release of hydrocarbons, toxic substances or energy. Typically Top Events are some type of loss of containment, loss of control or release of energy. If this event can be prevented there can be no effect or Consequence from the Hazard.

ACRONYMS

AI-PSM: Asset Integrity Process Safety Management
ALARP: As Low As Reasonably Practicable
BBSM: Behavioral Based Safety Management
CF: Control Framework
DCAF: Discipline Controls and Assurance Framework
DEP: Design & Engineering Practice
FSR: Facility Status Report
HEMP: Hazard and Effects Management Process
HSSE: Health, Safety, Security & Environment
JSA: Job Safety Analysis
LOPC: Loss of Primary Containment
MH: Major Hazard
MOC: Management of Change
OCA: Operations Competency Assurance
PV: Partially Valid
RAM: Risk Assessment Matrix
RDS: Royal Dutch Shell
SCA: Safety Critical Activity
SCE: Safety Critical Element
SCT: Safety Critical Task
SOU: Shell Open University
TA: Technical Authority
TIPS: Technical Integrity Performance Standards
TSE: Technical Safety Engineering


TABLE OF CONTENTS

BACKGROUND ... 3
DEFINITIONS ... 4
ACRONYMS ... 6
1. INTRODUCTION ... 10
  1.1. Scope ... 10
2. BOWTIE METHODOLOGY ... 11
  2.1. Bowtie Diagram Overview ... 11
  2.2. Bowtie Approach ... 12
  2.3. Bowtie Rulesets ... 13
  2.4. Additional Guidance ... 24
3. IMPLEMENTATION OF BARRIERS ... 26
  3.1. Safety Critical Elements (SCE) ... 26
  3.2. Safety Critical Activities (SCA) ... 28
  3.3. Additional Guidance ... 28
4. USING BOWTIES TO SUPPORT ALARP DEMONSTRATIONS ... 29
  4.1. Remedial Actions ... 30
  4.2. Bowtie Reviews ... 30
  4.3. Additional Guidance: Resources for Bowtie Development ... 30
APPENDIX A: BOWTIE LEGEND ... 32
APPENDIX B: REFERENCES ... 36

List of Figures

Figure 2-1: Bowtie Structure
Figure 2-2: Hazard
Figure 2-3: Top Event
Figure 2-4: Consequences and Propagation of Events
Figure 2-5: Threats and Initiating Events
Figure 2-6: Barrier Validity
Figure 2-7: Example of Hardware and Human Barriers
Figure 2-8: Improper Use of Escalation Factors
Figure 2-9: Escalation Factors Used to Highlight Gaps
Figure 2-10: Adding Barrier Detail
Figure 3-1: Implementation of Barriers
Figure 3-2: Safety Critical Element (SCE) Groups
Figure 3-3: Example of a Safety Critical Activity
Figure 4-1: Any other Threats/Consequences/Barriers?

List of Tables

Table 2-1: Types of Barriers
Table 2-2: Hardware, Human Barriers and Critical Processes

1. INTRODUCTION

The HSSE&SP Control Framework (CF) manual section on Managing Risk (Ref. 1) requires identifying (and implementing) Controls and Recovery Measures for Hazards in the Yellow 5A/5B and Red areas of the RAM to reduce risks to ALARP with the use of a Bowtie or an equivalent methodology. This guidance defines a methodology, including Ruleset and terminology, for the development of Bowties in a consistent manner for application across the RDS businesses. This methodology does not propose that all businesses must use the same tools or formats, but instead presents a streamlined methodology to improve consistency of application. This guidance is not intended to replace training for Hazard and Effects Management Process (HEMP) practitioners (HEMP101); rather it outlines the specific methodology to be adopted for developing Bowties.

1.1. Scope

This Global Bowtie Guidance defines a Ruleset for developing Bowties for Assets, Facilities, Operations, Projects and Activities having RAM Yellow 5A / 5B and Red Risks, as outlined in the HSSE&SP CF manual section for Managing Risk. The Rulesets and process as detailed in this guidance should be applied to all Bowties developed to ensure consistent outputs are produced.

2. BOWTIE METHODOLOGY

Bowties developed using this methodology should be used to assess the management of Major Hazards in order to identify the Barriers required to effectively manage these Hazards.

2.1. Bowtie Diagram Overview

A Bowtie is a graphical representation of how a Hazard can be released, how it can escalate and how it is controlled. It defines the Barriers required to effectively manage the Hazard and prevent, or mitigate, harmful Consequences. Figure 2-1 presents an example of a Bowtie diagram.

Figure 2-1: Bowtie Structure

At the center of the Bowtie diagram is the release of the Hazard - the Top Event. On the left hand side are the potential Threats that may cause/lead to the Top Event; while on the right hand side are the potential Consequences that could result from that event. In between the Threats and the Top Event are the Barriers as shown that prevent the event from occurring (also referred to as Controls). On the right hand side of the diagram are the Barriers that mitigate, minimize or prevent Consequences, in the event that the Top Event occurs (also referred to as Mitigation or Recovery Measures).


Escalation Factors are used to identify the potential failure or degradation of a Barrier (e.g. temporary conditions) and ultimately Escalation Factors Controls are put in place to prevent the occurrence of the Escalation Factors or mitigate their effect.

2.2. Bowtie Approach

The approach to developing an effective Bowtie requires properly defining the scope of the Bowtie based on the complexity of the activities being evaluated.

- Each Bowtie should have a well-defined (logical) scope or boundary.
- Each Bowtie should be defined for a specific or distinct Hazard.
- Since the same Hazard may be present in multiple process units or work activities, it is recommended that separate Bowties are developed where significant differences exist in location or function.
- The Threats, Top Event and Consequences must be relevant to the scope being considered.
- It should be realized that Consequences (e.g. fire, explosion) may not be confined to one area and may impact surroundings and result in consequential damage. If propagation of the Consequence is credible, those scenarios should be analyzed and added to the Bowtie as appropriate.
- The level of detail within the Bowtie should be commensurate with the complexity of the scope and scenario(s) being considered (e.g. entire asset/facility, process units, work activities). The Bowtie analysis should be scoped in such a way that the results of the Bowtie have sufficient clarity and detail that information on Barriers and SCE can be effectively implemented in the field. An example of Best Practice would be to set the scope of the Bowtie at the Unit level in an operating Asset.
- As Barrier validity is more critical than the number of Barriers, the focus should not be placed on the number of Barriers, but rather on the identification of truly valid (effective, independent and auditable) Barriers.
- Hardware Barriers and Human Barriers, or combinations thereof, written in a Bowtie should be those that we can provide assurance to or verify the validity of; Barrier ownership is critical for the successful management of Major Hazards.

2.3. Bowtie Rulesets

The following sections define each aspect of the Bowtie and specify the methodology, common terminology / definitions and the Ruleset for developing a Bowtie. The sequence for development of the Bowtie, in addition to an abbreviated explanation of the Bowtie elements, is provided in Appendix A: Bowtie Legend.

2.3.1. Hazards

Definition: A Hazard is an agent that has the potential to cause harm to People, damage to Assets, business loss and impact on the Environment or Reputation (PAER). Examples of Hazards include: flammable substances, moving vehicles, rotating machinery, toxic substances, asphyxiants, and personnel at height.

Hazards requiring Bowtie analysis or an equivalent methodology will have been identified through a HAZID and / or development of a Hazard and Effects Register.

A work activity has a number of tasks associated with it that may result in a Hazardous condition. The work activity is NOT in itself the Hazard. Loading or unloading of gasoline can be a Hazardous activity; the applicable Hazard in this scenario is the gasoline and not the loading/unloading.

Figure 2-2: Hazard

Figure 2-3: Top Event

2.3.2. Top Event

Definition: The Incident (first event) that occurs when a Hazard is released, such as the release of hydrocarbons, toxic substances or energy. Typically Top Events are some type of loss of containment, loss of control or release of energy. If this event can be prevented there can be no effect or Consequence from the Hazard.

A single Top Event should be identified for each Bowtie. All of the Threats identified on the Bowtie should be relevant and lead to the Top Event (see 2.3.4). The boundaries or scope (e.g. operating modes, facilities or process units being considered) of the Top Event should be well defined and documented.

2.3.3. Consequences

Definition: A Consequence is an Effect on people, Assets, the environment or reputation as a result of a Hazard being released. A Consequence is the ultimate harm that may occur as a result of the release of a Hazard.

The release of a Hazard, i.e. the Top Event, can often have more than one credible Consequence. The Bowtie should as a minimum include the Consequences of the Major Hazard as defined in the Hazard and Effects Register. It is often useful to refine the credible Consequences from a Top Event to allow for more specific identification of mitigation measures. For each Consequence there should be a separate Top Event to Consequence line on the Bowtie. If the analysis reveals that the recovery measures are identical, the Consequences may be combined; e.g. jet fire and flash fire may be shown on the same Consequence line 'Fire' if the Barriers for either scenario being considered are the same.

It should be realized that Consequences (e.g. fire, explosion) may not be confined to one area and may impact surroundings and result in consequential damage. If propagation of the Consequence is credible, those scenarios should be analyzed and added to the Bowtie as appropriate. Refer to Figure 2-4.


Figure 2-4: Consequences and Propagation of Events

2.3.4. Threats

Definition: A Threat is the occurrence (condition, situation, phenomenon or event) which will release the Hazard and cause a Top Event, for example, corrosion or overpressure.

All (credible) Threats that can release a Major Hazard must be identified. In most cases there will be a number of Threats on each Bowtie, i.e. several potential ways by which the Hazard may be released. For each Threat there should be a separate Threat line, and each Threat must relate to (imminently lead to) the specified Top Event and at least one of the defined Consequences. If the Bowtie analysis reveals that there are multiple Threats that rely upon the same Barriers for each Threat, the Threats may be combined.

Bowties portray all Threats equally: they do not discriminate between the likelihoods of the various Threats occurring, either independently or simultaneously. The Bowtie should document the Threats that can result in a Consequence whose risks are ranked in the Yellow 5A / 5B and Red areas of the RAM. Threats that could cause the release of the Hazard (Top Event), but would not result in these Consequences, are to be omitted from the Bowtie (e.g. sampling).


Threats must be clear and standalone (i.e. understood in isolation). For example, corrosion is a Threat internal and external to piping, but painting the external section of a pipe may only be a control for managing external corrosion. Hence the Threat should be separated into external and internal corrosion to enable the control to directly target the Threat. Likewise, different corrosion phenomena may require individual Threats to be identified.

Figure 2-5: Threats and Initiating Events

2.3.5. Initiating Events

Definition: Conditions that catalyze the release of the Threat are called "Initiating Events".

Initiating Events should be credible and can be either equipment failures or caused by human error. One Threat can have multiple Initiating Events; refer to Figure 2-5. For example, overfill can occur due to human error (e.g. incorrect line-up) or level controller failure. If the Bowtie analysis reveals that each combination of Threat and Initiating Event has identical Barriers, then these may be combined into a single Threat line.

2.3.6. Barriers

Definition: Barriers on the left hand side (LHS) of the Bowtie prevent Threats from releasing a Hazard; they are also referred to as Controls. Barriers on the right hand side (RHS) of the Bowtie limit or mitigate the Consequences; they are also referred to as Recovery Measures. Barriers may be hardware (e.g. equipment or safety systems) or human interventions or a combination of the two (refer to Section 2.3.6.3).

2.3.6.1. Barrier Validity

Valid Barriers should be identified for each Threat and Consequence. A Barrier is valid if it will (on its own) prevent the Threat causing the Top Event (LHS), or will mitigate the Consequences (RHS) of the Top Event. For a Barrier to be valid it should be Effective, Independent, and Auditable.

- Effective Barriers are big enough, fast enough, strong enough:
  o Effective Controls prevent or reduce the probability of Threats leading to the Top Event;
  o Effective Recovery Measures prevent or limit the extent of the Consequences;
  o Note: A right hand side Barrier can only be considered effective if its function remains unimpaired by the scenario under analysis. For example, the gas detector system has to be designed with fire retardant materials if it is going to be an effective recovery measure during an ignited release of Hydrocarbons;
  o Note: A Barrier should be protected from Consequences of the release of another Hazard and perform as intended when impacted by another Threat. For example, a boundary isolation valve must be protected from fires and explosion either by its location or by a protective enclosure;
- Independent Barrier:
  o The failure of the Barrier should not be the initiating event (of the Threat);
  o The Barrier is independent of other Barriers within the same Threat to Consequence line (e.g. the Deluge System and the Gas Detection share the same logic solver; refer to Figure 2-6);


  o A Barrier cannot be considered independent from another if there is a common cause failure;
  o Where a number of hardware and human Barriers are elements of a single program (e.g. a corrosion management system may include chemical injection, inspections, etc.) these should be shown as a single Barrier, i.e. the program, as they are not truly independent; and
- Verifiable / Auditable: the Barrier can be evaluated to verify that it can and will operate when it is called upon (e.g. through testing and inspection, or through audit of the hardware performance criteria or Safety Critical Activities needed to maintain an effective Barrier);
  o In this context it is important to recognise that Personnel involved in putting in place, executing and/or maintaining a Barrier (or part thereof) are expected to be competent and capable. Auditability of valid Barriers therefore extends to the training and Competence Assurance of personnel performing safety critical tasks and/or activities.

In many cases, Barriers are only Partially Valid (PV) or are part of a Barrier. Therefore, they need the assistance/support of another (part of a) Barrier to fully address the Threat or Consequence. When a PV Barrier is found, an attempt should be made to combine it with another (partially valid) Barrier that will make it valid.

Figure 2-6: Barrier Validity

Note: Individually, these Barriers are only PV; together they may make one Independent Valid Barrier as identified below.


2.3.6.2. Active and Passive Barriers

Barriers can be Active or Passive.

- Active Barriers: Work by virtue of action or change of state (e.g., relief valve, operator actions, or automatic shutdown system). For a valid Active Barrier one must define a sensor (or initiator), logic solver, and an actuator to be effective;
- Passive Barriers: Work by virtue of presence (e.g. space, separation, blast wall, or bund).

2.3.6.3. Hardware Barriers and Human Barriers

A Barrier may be hardware, or human interventions (also called Human Barriers), or a combination of both. Hardware Barriers are equipment, hardware or safety systems also classed as a "Safety Critical Element". These Barriers act to prevent Top Events or mitigate the Consequences of a Top Event. These can either be Active or Passive (see Table 2-1).

Table 2-1: Types of Barriers

              Active    Passive
  Hardware    Yes       Yes
  Human       Yes       No

Human Barriers rely on a human being as part of the Barrier, initiating and/or taking actions (in response to information) to prevent the Top Event or mitigate the Consequences. Human Barriers in practice are often used in combination with hardware to perform an action (e.g., an operator response to alarm, initiating emergency response). A Human Barrier can only be an Active Barrier (see Table 2-1) and must comply with the definition per Section 2.3.6.2.

Hardware and Human Barriers written in a Bowtie should be those that we can provide assurance to or verify the validity of. Ensuring that a Barrier is auditable is critical for the successful management of Major Hazards. The Hardware involved in the Barrier needs to be checked and maintained by people (critical activity / tasks). The Human Barrier also requires human interventions via critical activity / tasks. Examples of Barriers linked to the relevant Barrier categories for Hardware Barriers and Human Barriers are shown in Table 2-2 and Figure 2-7. The Barrier Failure Identification & Reporting Guidance (Ref. Appendix B: References) provides additional details for Hardware and Human Barriers.


Table 2-2: Hardware, Human Barriers and Critical Processes

Hardware Barriers (HW):
- Structural Integrity
- Process Containment / Mechanical Design
- Ignition Control
- Detection Systems
- Protection Systems
- Shutdown Systems
- Emergency Response
- Life Saving Personal Survival Equipment

Human Barriers (HUM):
- Operating in accordance with procedures
- Surveillance, operator rounds and routine inspection
- Authorisation of temporary and mobile equipment
- Acceptance of handover or restart of facilities or equipment
- Response to process alarm and upset conditions
- Response to emergencies
- Equipment Isolation

Critical Processes:
- Management of Change (MOC)
- Permit to Work (PTW)
- Emergency Response / Management
- Competency Management
- Contractor Management
- Design Integrity
- Operating Integrity
- Wells Integrity
- Technical Integrity
- Security Management
- HSE Compliance
- Risk Management
- Integrity Leadership
- Contracting and Procurement
- Assurance
- Project Execution
- Incident Investigation and Learnings
- Management Systems
- Health
- Environment


Figure 2-7: Example of Hardware and Human Barriers

Operator intervention is a valid Human Barrier if there is sufficient time to respond and prevent the event. Each business has specific requirements for defining the amount of time that qualifies as sufficient. Generally, no credit can be taken for operator intervention if that same operator was involved in the initiating event. If an operator is considered as part of two Barriers, the following must be true:

- The person's responses must occur at different time periods, and
- The person must have adequate time to respond favorably.

2.3.6.4. Safety Critical Processes

Definition: A management process established to implement and maintain Controls that manage Hazards with RAM Red Risks (and Yellow 5A / 5B Risks for the AIPS Management Application Manual).

Safety Critical Processes are essential for the health of all Hardware and Human Barriers, as they support the effective design, construction, operation/execution, and maintenance, testing and/or inspection of the Barrier. These are typically Management System elements (for instance, Management of Change or Permit to Work). Table 2-2 lists the Critical Processes that can be the underlying cause of hardware or human Barrier failures. These processes are included in the HSSE&SP Control Framework explicitly or implicitly. Failure of these processes can lead to failure of hardware and/or human Barriers.

2.3.6.5. Escalation Factors and Escalation Factor Controls

Definition: Escalation Factors are situations, conditions or circumstances that degrade, impair or bypass the Barrier and may lead to the partial or full failure of a Barrier.


Barriers (Escalation Factor Controls) for each Escalation Factor should be identified to assure Barrier condition, either by preventing the Escalation Factor from occurring or by managing the defeated Barrier until its normal function is restored. Where possible, Barriers for Escalation Factors should comply with the Barrier Rulesets. However, it is recognized that this may not always be possible, and in many cases these Escalation Factor Controls are captured in critical processes (such as Management of Change, Inspection, etc.), for which validity cannot always be confirmed.

Common Escalation Factors that occur repeatedly may cause a Bowtie to lose its effectiveness as a visual communication tool. Escalation Factors should be used sparingly to highlight specific gaps. Refer to Figure 2-8 and Figure 2-9.

- Performance criteria (e.g. design or operations performance standards) for hardware Barriers will define common and well understood factors that can impair Barriers; these Escalation Factors should be omitted from the Bowtie.
- It is assumed that Processes and Procedures are followed and the required training has been enforced, hence "Human error" and "Lack of training" should not be included as Escalation Factors.
- In lieu of using these factors to identify specific concerns in procedures or processes, actions should be raised to close the identified gap.


Figure 2-8: Improper Use of Escalation Factors

Figure 2-9: Escalation Factors Used to Highlight Gaps

2.4. Additional Guidance

- The Bowtie Rulesets established above for Major Hazards can also be adopted for developing Bowties for non-Major Hazards (especially the Barrier validity considerations).

- The level of detail to be shown on the Bowties (and specifically on the Barriers) should be determined before developing the Bowtie, to ensure suitable information is gathered, e.g. to enable establishing the validity of Barriers and the identification of SCEs. The Bowtie analysis should be scoped according to the system under consideration, with detail added to provide clarity for the implementation of the Barriers (refer to Section 3). For an example, see Figure 2-10.

Figure 2-10: Adding Barrier Detail

- Threats should not be interdependent, meaning that one Threat should not depend on another Threat / release scenario happening; in such cases one of the Threats is likely the ‘initiating event’ for the other. If this is the case, the Threats can be combined to represent one event scenario, as the Barriers should address the sequence of events.

- Right hand side Barriers are often only partially valid; the focus should be on assuring that the Barriers will mitigate the Consequence or reduce the likelihood of its occurrence.

- When developing a Bowtie, the focus will likely be on the left hand side of the Bowtie (i.e., preventing the release of a Hazard) rather than on mitigating the Consequences and / or recovering from them. Whilst this is understandable (also in view of the previous point), due attention should also be paid to properly defining the right hand side of the Bowtie.

- Human Barriers are Active Barriers and should be written as an action that is being taken (start with a verb, e.g. Respond to Alarm, Activate Emergency Response Equipment). The Barrier description should demonstrate that it is an effective Barrier, i.e. include a sensor, logic solver and actuator when writing the Barrier.

- A helpful resource when developing Bowties is Examples of Threats, Consequences, Barriers and Escalation Factors (Ref. 5).

3. IMPLEMENTATION OF BARRIERS

Hardware Barriers must be developed, implemented and maintained to make sure that the Barrier functions properly. Human Barriers need human interventions (actions or tasks) to function and to prevent the Top Event or mitigate the Consequences. The identification of the Safety Critical Elements and Safety Critical Activities supports the implementation of valid Barriers.

Figure 3-1: Implementation of Barriers (flowchart boxes: Identify Hardware Barriers, Establish Barrier, Define & Select Safety Critical Elements (SCEs), Maintain Barrier Functionality, Assign to HSSE Critical Processes; Identify Human Barriers, Establish Barrier, Define Safety Critical Activities (SCA), Assign to HSSE Critical Positions; steps labelled Where & What / What / How / Who)

3.1. Safety Critical Elements (SCE)

Definition: An item of equipment or structure, or a system (including software logic), that acts as a Barrier to prevent the uncontrolled release of a Hazardous Substance or release of energy leading to a worst case credible scenario with RAM Red or Yellow 5A / 5B Risk, or acts as a Barrier to control or mitigate the effects of such a release. The identification of SCEs facilitates prioritization of an asset’s continuous effort for managing Barriers. Bowties are the recommended tool to help identify SCEs and link them to Barriers that prevent or mitigate a Major Hazard. The process for identification, allocation and management of Safety Critical Elements (SCE) is controlled at Shell Group level and documented in the Shell Group SCE Management Process. Each hardware Barrier is sub-divided into SCE groups for reporting and management purposes. These groups are defined by their function in ensuring the Barrier remains in place (they are not defined by location, equipment type, medium or service, construction type or TA responsibility). The SCE groups are listed against their respective Barrier in Figure 3-2.

Figure 3-2: Safety Critical Element (SCE) Groups

Each SCE should have defined performance criteria which set out the levels of performance it must achieve in terms of functionality, availability/reliability and survivability. This ensures that the Barriers identified on the Bowtie as SCEs remain in place and continue to effectively manage the Major Hazard over time.


3.2. Safety Critical Activities (SCA)

Definition: Safety Critical Activities are a group or set of tasks / actions necessary for the development, implementation, operation or maintenance of a Barrier established for managing Hazards with RAM Red Risks or Yellow 5A / 5B Risks. SCAs can be linked to procedures or processes which are identified to ensure that the activity is carried out when, and as, required. Each activity should be assigned to a responsible HSSE Critical Position. Personnel in these positions should be competent in executing the activity allocated to them. All Barriers on the Bowtie must be supported by at least one SCA to maintain the Barrier (as per Control Framework, Managing Risk, Section 7.2, Ref. 1).

Figure 3-3: Example of a Safety Critical Activity

SCAs should be written in the active form (e.g. Initiate Emergency Response according to an Emergency Response Plan). SCAs should have defined inputs and outputs, i.e. (performance) standards and inspection records. Inspection and maintenance are typically not Barriers but serve as tasks to maintain the integrity of the Barriers; they are incorporated in the Bowtie as SCAs.
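As an added illustration (not part of the Shell guidance itself), the Ruleset points from this section and Section 2.4 can be expressed as automated checks over a small Bowtie data model, so a Barrier register can be screened before a review. The data classes, the verb list used as a heuristic for "written in the active form", and the sample Barriers are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed verb list: a heuristic for the "start with a verb" rule, not from the guidance.
ACTIVE_VERBS = {"respond", "activate", "initiate", "isolate", "inspect", "test", "close", "open"}
# Escalation Factors the guidance says should not appear on a Bowtie (Section 2.3.6.5).
FORBIDDEN_EFS = {"human error", "lack of training"}

@dataclass
class SCA:
    description: str
    critical_position: str = ""  # HSSE Critical Position responsible for the activity

@dataclass
class Barrier:
    name: str
    kind: str  # "hardware" or "human"
    scas: list = field(default_factory=list)
    escalation_factors: list = field(default_factory=list)
    performance_criteria: bool = False  # hardware only: SCE performance criteria defined?

def active_form(text: str) -> bool:
    words = text.split()
    return bool(words) and words[0].lower() in ACTIVE_VERBS

def check_barrier(b: Barrier) -> list:
    # Apply the Section 2.4 / 3.1 / 3.2 rules to one Barrier; an empty list means it passes.
    findings = []
    if not b.scas:
        findings.append(f"{b.name}: no Safety Critical Activity maintains this Barrier")
    for sca in b.scas:
        if not sca.critical_position:
            findings.append(f"{b.name}: SCA '{sca.description}' has no HSSE Critical Position")
        if not active_form(sca.description):
            findings.append(f"{b.name}: SCA '{sca.description}' is not in the active form")
    if b.kind == "human" and not active_form(b.name):
        findings.append(f"{b.name}: Human Barrier should be written as an action (verb first)")
    if b.kind == "hardware" and not b.performance_criteria:
        findings.append(f"{b.name}: SCE has no defined performance criteria")
    for ef in b.escalation_factors:
        if ef.strip().lower() in FORBIDDEN_EFS:
            findings.append(f"{b.name}: '{ef}' should be raised as an action, not an Escalation Factor")
    return findings

def check_bowtie(barriers) -> list:
    return [f for b in barriers for f in check_barrier(b)]

# Constructed sample Barriers for a hydrocarbon-release Top Event.
SAMPLE = [
    Barrier("Pressure relief valve", "hardware", [SCA("Test relief valve set pressure", "Maintenance Supervisor")], performance_criteria=True),
    Barrier("Respond to high level alarm", "human", [SCA("Alarm response drill")], escalation_factors=["Human error"]),
    Barrier("Gas detection and isolation", "hardware"),
]
```

Running `check_bowtie(SAMPLE)` returns five findings: none for the relief valve, three for the alarm response Barrier (SCA without a Critical Position, SCA not in the active form, forbidden Escalation Factor) and two for the gas detection Barrier (no SCA, no performance criteria).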

3.3. Additional Guidance

- SCEs and SCAs are defined and implemented for the management of Major Hazards. If a business decides to develop a non-Major Hazard Bowtie, the business should take care to identify that the hardware Barriers and / or activities are not safety critical, and use alternative terminology to define the implementation of those Barriers.

4. USING BOWTIES TO SUPPORT ALARP DEMONSTRATIONS

The HSSE & SP Control Framework Managing Risk Manual (Ref. 1) requires that all Red and Yellow 5A / 5B risks on the Shell RAM are managed to ALARP. The Asset Integrity Process Safety Management Application Manual (AIPSM) (Ref. 1) focuses on the activities and assets with Hazards whose risks fall in the Red or Yellow 5A / 5B areas of the RAM (Major Hazards), and requires a documented demonstration that they are managed to ALARP. Bowtie analysis can be used to support the ALARP demonstration. For Bowties, the following are example questions that can be asked to ascertain whether a Major Hazard is managed to a level that is ALARP:

- Based on the Barriers on the Bowtie, can we confirm that we comply with Company and legal requirements and relevant good practice? (Note: this only demonstrates Tolerability, not ALARP.)

- Are the existing Barriers valid (effective/auditable/independent)?

- Can we introduce any additional Barriers that are reasonably practicable?

Figure 4-1: Any other Threats/Consequences/Barriers?

When brainstorming or assessing additional Barriers, the hierarchy of controls should be considered to ensure that the most robust Barriers possible are identified i.e. an engineered Barrier rather than a procedural or organizational Barrier. Barrier validity should also be taken into account. This process allows the discussion of any improvements that could be made in risk management which can be used to demonstrate that the risks associated with a (Major) Hazard are being managed to a level that can be considered ALARP.


For more information on ALARP processes and concepts, see the ALARP Guide (Ref. 3).

4.1. Remedial Actions

If any corrective/improvement actions or potential risk reduction measures are identified as part of the Bowtie process that are not currently in place, a remedial action plan should be developed. Any remedial actions should be documented and assigned to a responsible party. Each action should be reviewed, assessed accordingly and tracked to closure. For potential risk reduction measures (additional Barriers), a review should be performed to ascertain the effort, cost and time required for implementation. Where risk reduction measures are chosen for implementation, these should be followed up in a timely manner, remembering that the risk is not reduced until the measure has been fully implemented. Each line of business will determine how to prioritize the remedial actions. All decisions on remedial actions should be documented, to demonstrate the risk assessment process and as an input to the overall ALARP demonstration.

4.2. Bowtie Reviews

The HSSE & SP Control Framework (Ref. 1) requires Process Safety Reviews to be performed for new Assets or modifications to existing Assets, and requires existing Assets to perform a Process Safety Review at least every five years. Bowties can be utilized as part of this process to (re)validate the management of Hazards. Bowtie reviews can also take place after every significant / major incident. During a Process Safety Review, existing Bowties are reassessed to show the current conditions / Barrier status and to review any further potential for risk reduction. Where any gaps are identified, remedial actions should be raised and tracked to close-out. If new Major Hazards are identified during the review cycle, the Bowtie(s) should be assessed and revised or developed using the methodologies outlined above.

4.3. Additional Guidance: Resources for Bowtie Development

An experienced review team carries out the hazard analysis, focusing on identification of the Threats which can cause the release of the Hazard, the Control and Recovery Measures that need to be in place to manage those Hazards, and the associated Safety Critical Activities that need to be in place to keep the Barriers whole. The experienced team should consist of:

- A competent facilitator, for example a HEMP practitioner.

- Operations/Maintenance representation having specific experience of the process or business activity being analyzed.

- Health, Security and Environment representatives as required (to provide information on past HSSE related incidents for the specific Hazard).

- Engineering/Technical representative(s) as required (to provide specific information on the process or business activity being analyzed).

- A mix of the above people for Projects, or more, as required by the nature of the project.


APPENDIX A: BOWTIE LEGEND

The Bowtie Legend provides a simplified explanation of the elements of the Bowtie, with a summary of the steps to develop a Bowtie:

1. Identify the Hazard(s).
2. Identify the Top Event(s).
3. Identify the worst credible Consequences of credible release scenarios.
4. Identify the Threats.
5. Identify the Control Barriers. Are the Barrier Validity criteria met?
6. Identify the Recovery Measures. Are the Barrier Validity criteria met?
7. Brainstorm Escalation Factors on Controls.
8. Brainstorm Escalation Factors on Recovery Measures.
9. Identify HSE Critical Activities.


Threat: The cause or action that could result in loss of control of the Hazard. A Threat is the occurrence which releases a Hazard to cause a Top Event, for example, corrosion or operator error.

Barriers: Barriers on the left hand side (LHS) of the Bowtie prevent Threats from releasing a Hazard. Barriers may be hardware or human interventions or a combination of both.


Hazard: An agent that has the potential to cause harm to People, damage to Assets, business loss and impact on the Environment or Reputation (PAER).

Top Event: Incident that occurs when a Hazard is realised, or the release of the Hazard; typically some type of loss of control or release of energy. If this event can be prevented there can be no effect or Consequence from the Hazard.

Consequence: The potential Hazardous outcomes arising from the Top Event. A Consequence is the ultimate harm that may occur as a result of the release of a Hazard.

Barriers: Barriers on the right hand side (RHS) of the Bowtie prevent, limit the extent of, or provide immediate recovery from the Consequences. Barriers may be hardware or human interventions or a combination of both.


Escalation Factors: Situations, conditions or circumstances that degrade, impair or bypass the Barrier and may lead to the partial or full failure of a Barrier.


Escalation Factor Controls: Controls on Escalation Factors should comply with the Barrier Rulesets.


Safety Critical Activity: A group or set of tasks / actions necessary for the development, implementation, operation and / or maintenance of a Barrier established for managing Hazards with RAM Red Risks or Yellow 5A / 5B Risks.

Safety Critical Position: Personnel positions which have the responsibility to design, implement or maintain Barriers established for managing Major Hazards.

Safety Critical Element: An item of equipment or structure, or a system (including software logic), that acts as a Barrier to prevent the uncontrolled release of a Hazardous Substance or release of energy leading to worst case credible scenario with RAM Red, Yellow 5A / 5B Risk, or acts as a Barrier to control or mitigate the effects of such a release.


APPENDIX B: REFERENCES

1. HSSE & SP Control Framework Manual, HSSE CF
2. Shell Group SCE Management Process (update pending)
3. ALARP Guide
4. Barrier Failure Identification & Reporting Guidance Document
5. Examples of Threats, Consequences, Barriers and Escalation Factors
6. Assurance of Frontline Barrier Management
7. Business Application References*
   a. DSM HEMP Resources
   b. Wells Master Bowtie
   c. UA Specification Document (update pending)

*Note: The Business Applications referenced above were generated prior to the release of the Global Bowtie Guidance and may not be aligned with this Ruleset. However, these references are included to provide examples of Bowties used within the Business. Consult with the Risk Management PTE or SMEs before using these references.
