A Safety Critical Element (SCE) is any item of hardware, system or logic software whose failure could cause a Major Accident Hazard (MAH), or whose purpose is to prevent or mitigate the effects of a MAH. SCE groups are categorised according to Shell EP2009-9009 ‘Safety Critical Element Management Manual’ [Ref. 10]. These groups, or barriers (see section 11.1), contain the definitions of those items that may be classed as safety critical on any given facility.
Safety Critical Elements shall be selected from these groups during the bow-tie development process. The bow-tie diagrams show the SCEs as ‘barriers’ to the MAH. A deliverable of the bow-tie development process is a list of SCEs applicable to the facility. This list shall be further developed as part of an SCE identification process that defines the safety critical components of each SCE barrier.
The role of a barrier on the bow-tie diagrams is to prevent or limit the consequences of a major incident. Barriers may be:
- Design (inherent) features, e.g. separation distances, reduction of process pressures, minimisation of leak sources, etc.
- Safety Critical Elements (hardware and logic software), e.g. Process Containment Systems, Pressure Relief Valves, ESD, Fire and Gas Detection, Escape & Evacuation Systems, Breathing Protection, etc.
- Operational Safety Processes, e.g. valve lock out/tag out, breaking containment procedures, permit to work, etc.
- Operational Intervention Tasks, e.g. Plant Monitoring, Alarm Response, Shutdown, etc.
The SCE management manual [Ref. 10] describes the activities and processes for managing the critical hardware barriers (SCEs) that appear in the MAH bow-ties.
11.1 SCE (Hardware) Barriers
Each SCE is grouped under one of 8 hazard management barriers, as depicted in the Swiss Cheese Model (Figure 7). The hazard management barriers are as follows:
- Structural Integrity
- Process Containment
- Ignition Control
- Detection Systems
- Protection Systems
- Shutdown Systems
- Emergency Response
- Life Saving Equipment
Each SCE belongs to one hazard management barrier. Generally, the Structural Integrity, Process Containment and Ignition Control SCEs, together with some aspects of the PSD/ESD system, reside on the left-hand side of the bow-tie top event: failure of any of these barriers could cause or significantly contribute to a MAH. The remaining SCEs normally reside on the right-hand side of the bow-tie top event: these SCEs are provided to control or mitigate the effects of a MAH after it has occurred.
Figure 7: SCE Hardware Barriers and SCE Groups
The hardware barriers in Figure 7 are depicted with a number of small holes that represent an integrity failure either in design or operating performance. On their own, these failures may not be significant but, if the holes line up, there may be no effective barriers in place between safe operations and escalating consequences, leading to a major incident.
For example, a loss of containment in a sweet gas facility would not normally be expected to cause fatalities unless it is ignited. An integrity failure in the process containment system combined with a failure in the ignition control system could cause an ignited event, i.e. a fire or explosion. If there are no personnel in the area, this in itself would not cause fatalities. However, if there are integrity failures in the fire and gas detection system, the event may not be detected, the process system may not be isolated, and the event may have the potential to escalate to adjacent inventories. This would also be the case if an ESD valve or blowdown valve failed to operate on demand. Finally, if adequate assembly points and EER systems such as emergency telecoms are not provided or are not suitable, personnel may not be evacuated quickly enough and the process release would have the potential to cause fatalities. The example shows that a number of what on their own would sometimes be considered ‘minor failures’ have combined to produce a Major Accident causing fatalities.
Figure 7 shows the importance of maintaining, monitoring and assuring the integrity status of all hardware barriers, so that what might be considered relatively small faults in individual barriers do not combine in an unforeseen manner that compromises the ability of the barriers to prevent or control a major incident.
Note that it is not necessary for all barriers to fail for a major incident to occur. For example, failure of a single barrier such as process containment on a high-sour facility may lead directly to a major incident.
Each SCE is assigned to a relevant discipline, which is designated as the owner of the associated Performance Standard.
11.2 SCE Selection
SCEs should be colour-coded green on the bow-tie, and the specific SCE category denoted beneath the barrier where it appears in the bow-tie.
The process for selection of SCEs starts with a review of the generic list of SCEs provided in the SCE Management Manual [Ref. 10] to identify those SCEs that are applicable to the facilities, for each of the identified Major Hazards. The list of selected SCEs shall be reviewed and agreed by the relevant discipline engineers during the define phase.
Figure 7 depicts the process for the selection of SCEs.
The HSE Case shall contain a list of the SCEs identified in the bow-tie diagrams as per the table provided in 25.
The HSE Case shall contain a table showing each SCE against the MAH bow-ties where they appear as hardware barriers, and an example is shown for the SCE group ‘Process Containment’ in 26.
Figure 7: Selection Process for Safety Critical Elements. Starting from the Generic List of SCEs (EP9009-2009), each candidate element is screened against four questions:
- Is the purpose of this element to prevent a MAH?
- Could failure of this element cause a MAH?
- Could failure of this element contribute substantially to a MAH?
- Is the purpose of this element to limit the effects of a MAH?
A ‘Yes’ to any of these questions leads to the outcome “This item is a Safety Critical Element”; a ‘No’ to all four leads to “This item is not a Safety Critical Element”.