Beyond Compliance Auditing: Drill til you find the pain points and release the pressure!


Laura Ankrom, P.E.
aesolutions, Inc.
250 Commonwealth Drive, Ste. 200, Greenville, SC

Kathy Shell, P.E.
aesolutions, Inc.
250 Commonwealth Drive, Ste. 200, Greenville, SC

Prepared for Presentation at American Institute of Chemical Engineers 2016 Spring Meeting, 12th Global Congress on Process Safety, Houston, Texas, April 11-23, 2016

AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications

Keywords: Verification, Auditing, Compliance Auditing, USEPA Risk Management Program, OSHA Process Safety Management, Process Safety Lifecycle, ISA84.91, IEC 61511, Independent Protection Layer (IPL)

Abstract

In Failure to Learn: the BP Texas City Refinery Disaster, the author, Andrew Hopkins, explores the importance of senior managers using auditing as a tool to identify unrecognized problems that may be lurking beneath the surface (Hopkins, 2010, p. 114). He also goes on to state that auditors will not set out to sample the organization. Rather, they will use their expert knowledge to zero in on areas where things might be going wrong (Hopkins, 2010, p. 115). Building on this concept, the authors of this paper will look beyond traditional OSHA PSM and USEPA RMP regulatory compliance auditing to explore the value of drilling down around the process safety lifecycle; locating the pain points; and releasing the pressure on the system.

Compliance auditing has historically provided a check-the-box approach to meet regulatory requirements imposed by OSHA and USEPA. Regulatory compliance, however, is no guarantee of the prevention of major accidents. There is still a need to identify hazards and to understand and manage risks. Today's auditors need to determine how to systematically identify the root cause of the pain points that will foster conversations around releasing the pressure on existing practices to achieve a vibrant integrated process safety management system.

Industry standards, such as ANSI/ISA and IEC 61511, continue to drive the evolution of functional safety, and meeting these requirements goes far to demonstrate that a company has reduced risk to a tolerable level.
The ANSI/ISA/IEC lifecycle approach actually quantifies the value of an integrated process safety program by assigning a numerical value to risk and assessing the effectiveness of the independent protection layers (IPLs) at meeting safety integrity targets. There is a growing realization in industry that having a healthy process safety management program in place is essential in meeting the full intent of IEC and ISA84.91.

The authors will present a drill down audit methodology that focuses on the organizational interfaces and the related management system procedures and practices used to meet the defined safety integrity requirements of both instrumented and non-instrumented IPLs. The approach utilizes a hazard scenario-based drill down audit methodology to expose the issues and the sources of the pain by digging deep into the management system processes around process hazard analysis, process safety information, mechanical integrity, operating procedures and management of change. When exposed in this manner, there is an audit trail that provides a basis for revising the work flow to release the pressure and accomplish the risk management objectives going forward.

1 Introduction

Organizations have been implementing the regulatory requirements of the Occupational Safety and Health Administration's (OSHA's) Process Safety Management (PSM) program and the United States Environmental Protection Agency's (USEPA's) Risk Management Program (RMP) since They have completed multiple revalidations of their Process Hazard Analyses (PHAs). Many are using the Layers of Protection Analysis (LOPA) methodology to assess their safety integrity requirements and assigning Independent Protection Layers (IPLs) to protect against their high hazard scenarios. They are also applying a risk-based focus on managing their IPLs as critical safeguards on their journey toward implementation of sustainable process safety management systems.

With the drive for continuous improvement and the evolution of so many aspects of PSM and RMP practices over the years, why are we still witnessing catastrophic accidents? As Andrew Hopkins has addressed in Failure to Learn and his subsequent book, Disastrous Decisions, there is a need for leadership to take a more defined role in process safety. Leaders must have an understanding of the highest hazards present in their organization and what risk barriers are in place to protect against major incidents. Assurance that these are installed, properly managed, and available to respond moves organizations one step closer to managing their hazards at the source.

In Disastrous Decisions, Hopkins states, "If major hazards are to be managed effectively, we must first devise appropriate indicators and then make those indicators matter" (Hopkins, 2012, p. 81). Figure 1.1, the Process Safety Indicator Pyramid, reprinted from the American Petroleum Institute in Recommended Practice 754, has become an industry best practice model for establishing leading and lagging indicators. Tier 1 and 2 events include any loss of containment which has significant consequences. Most organizations have very infrequent Tier 1 and 2 events, which places an emphasis on learning from Tier 3 and 4 events. A Tier 3 event represents a challenge to the barrier system that progressed along the path to harm but is stopped short of a Tier 1 or 2 loss of primary containment (Hopkins, 2012, p. 83). The Tier 3 events, such as an excursion from safe operating limits; inspection and test results outside acceptable limits; or a demand on a safety system, are the leading indicators that point to the problems that are lurking beneath the surface (Hopkins, 2012, p. 83). These indicators may point out deficiencies in an organization's process safety management systems that undermine the integrity of their IPLs, the very IPLs that are protecting against their highest hazard scenarios.

Figure 1.1: Process Safety Indicator Pyramid (API 754, p.8)

The hazard scenario-based, drill down auditing approach presented in this paper is intended to uncover weaknesses in the management systems that manifest themselves as findings when verifying the consistency of the data in the PHA and operating procedures; and the integrity of the IPLs against the requirements in International Society of Automation Standards, ANSI/ISA (Modified IEC 61511) and related recognized and generally accepted good engineering practices (RAGAGEP). A focused audit of this nature yields findings that are leading indicators in the same sense that Tier 3 events are; they provide actionable direction before a Tier 1 or 2 event.

A hazard scenario-based, drill down audit is directed at finding issues with the handoff between management systems to ensure that the engineered and administrative protection layers in place are properly installed, managed and maintained such that they will be available to respond if called upon. This methodology differs from a more traditional compliance audit, which is often segmented by prevention program element and reliant on the drill down on the interconnectivity of a few elements, such as the Management of Change (MOC) process, to uncover systematic problems. The author is not suggesting that the scenario-based audit supplant the element-based audit, but encourages organizations to put programs in place which draw on the most effective practices of both techniques to produce a valid indicator of the integrity of the process safety management systems in place. This form of auditing also complements the Center for Chemical Process Safety's (CCPS') recommended approach to monitor Risk Based Process Safety maturation over time through trending of relevant performance metrics to identify management system weaknesses (CCPS, p.614).
2 Hazard Scenario-Based, Drill Down Audit

The hazard scenario-based, drill down audit is focused on a trail that begins with the PHA/LOPA and the credited IPLs (or safeguards, if LOPAs have not been performed), then drills down through the management systems intended to ensure their integrity, finishing with the related human factors considerations. This approach provides a clearer view of whether the information in the PHA/LOPA has been fully integrated in the systems, procedures, and practices, as well as whether they are in place and are functioning as intended. OSHA's National Emphasis Program guidance reflects a similar drill down approach to auditing in that the emphasis of the audits (or inspections) is on implementation versus documentation. The objectives are to confirm that the facility has an integrated, functioning process safety program and to provide an indication to leadership, with a degree of confidence, that their plant is operating within the desired risk tolerance criteria.

2.1 Defined IPL Characteristics

LOPA methodology, or other quantitative risk analysis methodology, is being used to evaluate if adequate safeguards are in place for hazard events with high severity or high risk consequences to meet many organizations' risk tolerance requirements. During a LOPA, safeguards are identified that are expected to independently interrupt an initiating event from progressing to an undesired consequence. These safeguards credited for risk reduction are classified as IPLs. Publications from the CCPS and the ANSI/ISA (Modified IEC 61511) and specify that in order for a device, system or action to be considered an IPL it must meet the characteristics of specificity, independence, dependability, auditability and security. The IPL can be passive or active as long as the criteria in Table 2.1 are met.

Table 2.1: ISA 84 IPL Classification Characteristics

Characteristic: Description

Specificity: The IPL is designed to prevent or mitigate the consequences of the identified hazard.

Independence: An IPL shall be independent of the initiating cause and all of the other protection layers associated with the identified Hazard Event Scenario. Independence requires the performance must not be affected by the failure of another protection layer or by the conditions that caused another protection layer to fail.

Dependability: The protection provided by the IPL shall reduce the identified risk by at least ten-fold. In terms of availability, the IPL must be at least 90% available.

Auditability: The IPL must be designed to allow regular validation of the protective function.

Security: The IPL security shall be managed by design or by administrative procedure to ensure that unauthorized changes are not made that affect the integrity of the IPL, its availability, or any of its properties.

2.2 OSHA PSM Compliance and ANSI/ISA S84 Overlap

OSHA acknowledged in 2000 that ANSI/ISA S84.01, Application of Safety Instrumented Systems for the Process Industry, is a national consensus standard that is considered RAGAGEP for safety instrumented systems. OSHA issued a letter of interpretation stating that an organization meeting the intent of ANSI/ISA S84.01 is also meeting the PSM requirements for safety instrumented systems. In validating ANSI/ISA S84.01 requirements for an IPL, an auditor is validating many of the PSM/RMP program elements as well. In other words, execution of the safety instrumented lifecycle provides an opportunity to build and reinforce an integrated process safety management program. The overlap between ANSI/ISA S84.01 and PSM is shown below in Table 2.2.

Table 2.2: OSHA PSM Compliance and ANSI/ISA S84.01 Overlap

OSHA PSM Element | ANSI/ISA 84 Clause
Process Hazard Analysis | Clause 8 & 9 - Hazard & Risk Assessment
Process Safety Information | Clause 19 - SIS Information & Documentation
Operating Procedures | Clause 16 - Operation & Maintenance
Pre-Startup Safety Review | Clause 17 - SIS Modification
Mechanical Integrity | Clause 16 - Operation & Maintenance
Management of Change | Clause 5 - Management of Functional Safety

2.3 Drill Down Methodology

The methodology for the hazard scenario-based, drill down audit, presented herein, seeks to validate that the causes, consequences and credited IPLs are embedded in an organization's operating discipline, that the IPLs meet all of the defined characteristics in Table 2.1, and that they are fully integrated into the process safety management systems in Table 2.2. Appendix A illustrates the suggested audit criteria for five key types of IPLs which include: Alarm, Pressure Relief Valve (PRV), Basic Process Control System (BPCS) Interlock, Standard Operating Procedure (SOP), and Safety Instrumented Systems (SIS).

Referencing Appendix A, the following is an example of a drill down audit trail for an Alarm IPL.

2.3.1 PHA/LOPA

A review of the PHA/LOPA should verify that the operator, alarm sensor, and final elements used by the operator are independent of the Initiating Event and other IPLs for the scenario. The auditor must also verify that the operator action will fully prevent the cause from propagating to the final consequence, through documentation in the PHA, review of relevant process safety information (PSI), and/or interviewing an engineer knowledgeable in the process.

Example Systematic Issue(s): If there is a lack of independence, there is a potential for common mode failure, which degrades the risk credit given the IPL. This may also be an indication of lack of experience of the facilitator on the LOPA methodology and the methods the organization uses to qualify their facilitators.

2.3.2 Process Safety Information (PSI)

A review of PSI would confirm that the alarm sensors are maintained on the critical IPL list and on the piping and instrumentation diagram (P&ID); the sensor data sheet and final elements are in place; and the basis for the Probability of Failure on Demand (PFD) is well documented. The auditor should verify that the alarm set point is based on the calculated time from detection to the consequence of concern (i.e. maximum calculated response time) with ample time for the operator to receive the alarm, identify the issue, and take intended action. During a field inspection, the auditor should verify that the devices are installed correctly and have open flow to the process, by physically walking down a P&ID.

Example Systematic Issue(s): Lapses in PSI can indicate that there is a potential issue with maintaining PSI as current through the MOC process. If the basis for the alarm set point is not readily available or found to be inadequate to support the operator action, then a lack of dependability may exist. This may reflect a lack of recognizing the need for documentation to validate the assumptions, or an issue with recognizing the significance of crediting the operator with a risk reduction factor of 10. This could also be due to not having the right team make-up in the PHA/LOPA with an engineer knowledgeable of the process (i.e. automation engineer).

2.3.3 Mechanical Integrity

Review of the mechanical integrity information should verify that calibration and proof test procedures are available; testing, calibration and inspections are scheduled at a routine frequency; and calibration and proof test records are reviewed, actioned if required, and maintained. If testing, calibration or inspection records indicate that the sensor was found to be in an undetected failed state, confirm that a near miss was initiated. Verify that records do not indicate that the field devices are prone to problems due to fouling or external environmental conditions.

Example Systematic Issue(s): Lack of proof test procedures and routinely scheduled inspections and testing bring into question, or put at risk, the reliability of the alarm sensor to function as intended. If there are inspection records illustrating a trend of performance issues for a device, without consideration of causes and fixes, it may represent the need for a change in the work flow where an individual is assigned responsibility for the reliability management of the instrumented functions.

2.3.4 Operating Procedures

The auditor must confirm that the alarm, along with consequences of deviation, intended operator action, and the specific parameters/authorization for bypass of the alarm are documented in the appropriate operating procedures and/or alarm summary. They must also be included in the operator training program with up-to-date documented training records.

Through operator interviews and field checks, the auditor should assess that the operator has a clear understanding of the criticality of the alarm, the consequence of concern, the urgency of responding, the intended action, and the expected automated action if it escalates. If this alarm has been activated, was it captured as a demand for the revalidation process and investigated as a process safety Tier 3 event?

An auditor must validate that the operator has a means of identifying an alarm as an IPL from the console and can respond effectively in the required time. Documentation of drills, tests or simulations should be reviewed to ensure the operator has sufficient time to complete the required actions and verify that the actual response time is safely within the calculated maximum response time. Operators should be able to tell the auditor what they would do in the event of the alarm (i.e. what their first steps would be as a response to the alarm, how they would diagnose it, and what action they would take). The auditor should also verify with the operator that their response will not place them in harm's way.

Example Systematic Issue(s): Lapses in alarm dependability may be due to lack of proper operator training, inadequate training methods, or infrequent training on abnormal event management. The facility may not have a process in place to validate the reliability of the operator response, which results in it being considered at risk. The facility may not have a process in place associated with demands on IPLs outside of an SIS. If there is an inconsistency on how two operators would respond to the same alarm, the operating procedures and alarm summaries may be poorly written. It may also reflect obsolete procedures which no longer reflect practices in place, or possibly a culture of complacency where procedures are not adhered to and thus are not highly regarded as entirely necessary to learn and follow.

2.3.5 Management of Change

Much like a standard compliance audit, the auditor will also need to track an MOC down a trail to determine if changes to the alarms credited as IPLs are managed appropriately. The auditor should verify that process records exist for any changes to the DCS/PLC logic and that alarm set points are securely programmed in the DCS/PLC with limited access control to the code (i.e., operators cannot adjust the set point and there is access control to the logic). The auditor should confirm with operators that they would initiate a bypass management process if they take an alarm IPL out of service. If alarms have been in a bypassed state for an extended period of time, determine if they have instituted a temporary MOC process. Any permanent changes should have resulted in an update to the PSI, Operating Procedures and Training, and Mechanical Integrity requirements, as applicable.

Example Systematic Issue(s): If MOC issues have been identified, this calls into question the sustainability of the operating discipline in place for continued safe operation. The auditor should continue to probe or assess where the breakdown is in the intended MOC process. This might require a need to revisit the work flow processes, roles and responsibilities, and training.

3 Conclusion

The goal of the hazard scenario-based, drill-down audit is to increase an organization's confidence that they are meeting their risk target criteria and increase their assurance that they are uncovering the systematic issues to open up opportunities for improvement that would have otherwise not been apparent. Leaders can constructively align their communications and actions around the findings of scenario-based compliance audits because they reflect degrees of achieving operations excellence, where practices follow procedures and organizational interfaces are successfully managed day in and day out to the betterment of the whole. At the end of the day, leaders need to ensure that their hazardous processes are being operated within the risk envelope that they are intending to operate within and have a sense of assurance that they are effectively managing their risks, identifying their pain points, and relieving the pressure.

4 References

American Petroleum Institute, Process Safety Performance Indicators for the Refining and Petrochemicals Industries, API Recommended Practice 754, API. Washington, DC

Center for Chemical Process Safety, Guidelines for Risk Based Process Safety, Wiley. New York

Hopkins, Andrew, Disastrous Decisions: The Human and Organisational Causes of the Gulf of Mexico Blowout, CCH Australia Limited. Sydney, Australia

Hopkins, Andrew, Failure to Learn: The BP Texas City Refinery Disaster, CCH Australia Limited. Sydney, Australia

Appendix A: Suggested IPL Audit Criteria

IPL TYPES: Alarm | Pressure Relief Valve (PRV) | Basic Process Control System Interlock (BPCS) | Standard Operating Procedure (SOP) | Safety Instrumented System (SIS)

Independence The operator, alarm sensor, and final elements used by the operator are independent of the Initiating Event and other IPLs for the scenario. (PHA) The operator response will not place the operator in harm's way. (OPS) The consequence level of the hazard scenario was determined independent of the PRV in the IPL. (PHA) The failure of this PRV is independent of the LOPA scenario initiating cause(s). (PHA) This PRV required is fully independent and separate from all other IPLs credited in the same LOPA scenario(s). (PHA) Failure modes for the BPCS interlock logic solver, sensors and control elements are independent of the LOPA scenario initiating cause(s). (PHA) BPCS interlock's logic solver, sensors, and control elements are independent of other credited IPL(s). (PHA) Specificity The consequence level of the hazard scenario was determined independent of the SOP and the related operator in the IPL. (PHA) The SOP, the related Operator Action, and the final element(s) that the operator may use are independent of the LOPA scenario initiating cause(s) and other credited IPL(s). (PHA) The Safety Instrumented Function's (SIF's) logic solver, sensors, and control used by the operator are independent of the Initiating Event and other IPLs for the scenario. (PHA) The failure of this SIF's logic solver, sensors, and control elements are independent of the LOPA scenario initiating cause(s). (PHA) The potential for Common Cause Failure between this SIF and other IPLs credited in the same LOPA scenario(s) has been ruled out, or quantified in the SIL calculations if another IPL is also a SIF. (PHA) The operator action will fully prevent the cause from propagating to the final consequence. 
(PHA) The PRV is only bypassed with heightened administrative controls and the bypass is authorized per site procedures. (OPS/MI) The data sheets for the BPCS Interlock's sensor(s) and control element(s) are complete and available. (PSI) The intended operator action(s) in the SOP are such that they fully prevent the cause from The logic block, sensors, and control elements are only bypassed with heightened administrative controls. (OPS)

Sensors and final elements data sheets are complete. (PSI) The operator has a means of identifying an alarm as an IPL from the console. (OPS) The alarm set point provides ample time for the operator to receive the alarm, identify the issue, and take action within the maximum allowable response time. (PSI) The alarm sensor is depicted correctly on the P&ID. (PSI) The data sheet is complete and available. (PSI) The data sheet for an Associated Protective Device (APD), if applicable, is complete and available (e.g. rupture disk). (PSI) All manual valves which can block this PRV are secured (locked or car-sealed) open. (MI) If this PRV is in potentially fouling service, freezing service, or there are extreme environmental conditions, measures have been implemented to counter these effects (e.g., heat tracing, rupture disk) and they were taken into account in the risk reduction credit taken. (MI) If this PRV is coupled with a Rupture Disk, a pressure gauge is installed in the interstitial space to detect leakage. (MI) The outlet of this PRV has been designed for safe discharge (e.g., sized for adequate flow, process sewer, above congested process equipment, to a flare header). (PSI) When de-energized, the BPCS Interlock's control elements will transition to their "safe" states for the credited LOPA scenario(s). (PSI) The BPCS Interlock can fully transition its control elements to their safe states upon detection and trip within the Maximum Allowable Response Time. (PSI) The interlock's sensor(s) and control element(s) are depicted correctly on the P&ID. (PSI) propagating to the final consequence. (PHA) The SOP is of sufficient detail to support consistent execution by the operator. (OPS) There is ample time for the operator to execute the SOP within the maximum allowable response time. 
(PSI) The data sheets for the logic solver, sensors and control elements are complete and available. (PSI) This SIF Interlock is designed to fully prevent the LOPA scenario consequence(s). (PHA) A failure of the logic block, sensors, and control elements will not initiate the LOPA scenario(s) being credited. (PHA) When the SIF detects the hazardous process excursion, it can fully transition its control elements to their safe states within the Maximum Allowable Response Time. (PHA)

Dependability The basis for the Probability of Failure on Demand (PFDavg) is well documented. (PSI/PHA) The alarm with consequence of deviation and intended operator action is documented in an Alarm Summary or SOP. (OPS) The operator training program includes the alarm and intended action. (TRN) The operator response time has been established through drill or calculated basis. (PSI) Justification of the Probability of Failure on Demand (PFDavg) selected for this IPL is documented. (PHA/PSI) This PRV is designed to fully prevent the LOPA scenario consequence(s). (PHA) The basis for the Probability of Failure on Demand (PFDavg) is well documented. (PSI/PHA) The interlock set point with consequence of deviation and intended automated action is documented in an Alarm Summary or SOP. (OPS) The operator training program includes the interlock and intended automated action. (TRN) Auditability/Validation The basis for the Probability of Failure on Demand (PFDavg) is well documented. (PSI/PHA) The critical tasks are identified in an SOP and require positive documentation that they are executed, i.e. checklist. (OPS) The operator training program includes the SOP. (TRN) The location of the SIL calculation documentation giving the Probability of Failure on Demand (PFDavg) for this IPL is recorded. (PSI) Alarm and sensors are maintained on critical IPL list. (PSI) Calibration and proof test procedures are available. (MI) Testing, calibration and inspection are scheduled at a routine frequency. (MI) Calibration and Proof Test Records are reviewed, actioned if required, and maintained. (MI) If testing, calibration or inspection records indicate that The PRV is inventoried on the critical equipment list for management, maintenance and auditing purposes. 
(PSI) If this PRV is installed in polymerizing service, fouling service, or there are extreme external conditions, it is inspected boroscopically during a shutdown. (MI) This PRV's proof test procedure is complete, available, and includes a BPCS Interlock's sensor(s) and control element(s) are maintained on the critical IPL list. (PSI) Calibration and proof test procedures are available. (MI) Testing, calibration and inspection are scheduled at a routine frequency. (MI) Calibration and Proof Test Records are reviewed, actioned if required, and maintained. (MI) There is documentation that the procedure is executed properly, i.e. completed checklists. (OPS) Operator training records are up to date. (TRN) SOP is certified as current annually. (OPS) MOC records exist for any changes to the SOP. (MOC) SIFs are maintained on critical IPL list. (PSI) Calibration and proof test procedures are available. (MI) Testing, calibration and inspection are scheduled at a routine frequency. (MI) Calibration and Proof Test Records are reviewed, actioned if required, and maintained. (MI)

the sensor was found to be in an undetected failed state, it was recorded and investigated as a near miss. (MI/II) Verify that records do not indicate that the field devices are prone to problems due to fouling or external environmental conditions. (MI/PSI) Operator training records are up to date. (TRN) SOP/Alarm Summary is certified as current annually. (OPS) MOC records exist for any changes to the software or hardware. (MOC) "pop test" to verify actuation pressure. (MI) This PRV is periodically removed from service, tested, and inspected for signs of corrosion. (MI) This PRV's inspection records are well maintained, current, available, and include both "as found" and "as left" conditions. (MI) If testing, calibration or inspection records indicate that the sensor(s) or control element(s) were found to be in an undetected failed state, it was recorded and investigated as a near miss. (MI/II) Verify that records do not indicate that the field devices are prone to problems due to fouling or external environmental conditions. (MI/PSI) Operator training records are up to date. (TRN) SOP/Alarm Summary is certified as current annually. (OPS) MOC records exist for any changes to the software or hardware. (MOC) Security If testing, calibration or inspection records indicate that the sensor was found to be in an undetected failed state, it was recorded and investigated as a near miss. (MI/II) Verify records do not indicate that the field devices are prone to problems due to fouling or external environmental conditions. (MI/PSI) MOC records exist for any changes to the software or hardware. (MOC) Access controlled to the hardware and software. (MOC) Specific parameters/authorization in place for bypass of the alarm. 
(OPS) Alarm set points are securely programmed in the DCS/PLC Block valves upstream or downstream of the relief device are adequately secured to limit access. (OPS/MI) Relief valves are periodically bench tested by a certified individual. (MI) Access controlled to the hardware and software. (MOC) Specific parameters/authorization in place for bypass of the interlock. (OPS) Trip set points are securely programmed in the The operator has access to the most current version of the SOP. (OPS) Changes to the SOP are managed through the MOC program. (MOC) Access controlled to the hardware and software. (MOC) Specific parameters/authorization in place for bypass. (OPS)

14 IPL TYPES Alarm Pressure Relief Valve (PRV) Basic Process Control System Interlock (BPCS) Standard Operating Procedure (SOP) Safety Instrumented System (SIS) with access control to the code. (MOC) DCS/PLC with access control to the code. (MOC) Field Validation Verify that the field devices are installed correctly, open flow to the process, by physically walking down a P&ID. (PSI/MOC) Verify that the field devices are installed correctly, open flow to the process, by physically walking down a P&ID. (PSI/MOC) Verify that the field devices are installed correctly, open flow to the process, by physically walking down a P&ID. (PSI/MOC) Operator Validation Verify that the operator has ready access to the most current version of the SOP. (OPS/MOC) Verify that the field devices are installed correctly, open flow to the process, by physically walking down a P&ID. (PSI/MOC) Verify through interviewing several operators that they are knowledgeable in: the criticality of the alarm the consequence of concern the urgency of responding the intended action the expected automated action if it escalates. (OPS/TRN) Verify through interviewing operators that they confirm that the line-up of the block valves are maintained; and they are using the PSSR process to ensure proper alignment and all chain locks are back in place. (OPS) Verify through interviewing maintenance personnel: the process they use to store PRVs and ensure they have a means to evaluate that they are returned to service in their proper positions. (MI) the existence of PRV outof-service or bypass procedures. (MI) Verify through interviewing several operators that they are knowledgeable in: the criticality of the interlock and its set point the consequence of concern the intended automated action the expected SIS trip action or associated mitigation system (PRV, etc.), if applicable, should it continue to escalate. 
(OPS/TRN) Walk through the SOP with an operator to verify that the stepwise description is current and in agreement with practice in place. (OPS) Verify through interviewing several operators that they are knowledgeable in: the criticality of the SIF the consequence of concern the expected automated action if it escalates. (OPS/TRN) PSM Elements: II - Incident Investigation; MI Mechanical Integrity; MOC Management of Change; OPS Operating Procedures; PHA-Process Hazard Analysis; PSI Process Safety Information; TRN Training


More information

Closing the Holes in the Swiss Cheese Model Maximizing the Reliability of Operator Response to Alarms

Closing the Holes in the Swiss Cheese Model Maximizing the Reliability of Operator Response to Alarms Closing the Holes in the Swiss Cheese Model Maximizing the Reliability of Operator Response to Alarms Todd Stauffer, PE Director Alarm Management, exida consulting 80 N. Main Street, Sellersville, PA 18960

More information

Alarm Management Plan

Alarm Management Plan John E. Bogdan, Susan F. Booth, & David P. Garcia Abstract Why prepare an Alarm Management Plan just to meet PHMSA requirements (49 CFR Parts 192.631 and 195.446) when, for essentially the same effort,

More information

High Integrity Pressure Protection System

High Integrity Pressure Protection System High Integrity Pressure Protection System 412748_CCI_HIPPS.indd 1 A CCI HIPPS offering is unique in its: Innovative custom engineered system approach Variety of actuator and valve solutions for an optimized

More information

Functional Safety Application of IEC & IEC to asset protection

Functional Safety Application of IEC & IEC to asset protection Functional Safety Application of IEC 61508 & IEC 61511 to asset protection Paulo Oliveira Engineering Manager Engineering Safety Consultants Ltd Engineering Safety Consultants Limited Page 1 Agenda Agenda

More information

Next Generation Alarm Management With DynAMo Alarm and Operations Management

Next Generation Alarm Management With DynAMo Alarm and Operations Management 2012 Honeywell Users Group EMEA Sustain.Ability. Next Generation Alarm Management With DynAMo Alarm and Operations Management Tyron Vardy Introductions Tyron Vardy Product Director for Advanced Solutions

More information

DeltaV SIS TM. for Process Safety Systems Smart Safety Loops. Reliable Process.

DeltaV SIS TM. for Process Safety Systems Smart Safety Loops. Reliable Process. DeltaV SIS TM for Process Safety Systems Smart Safety Loops. Reliable Process. The DeltaV SIS TM system helps you reliably protect your assets and improve your plant performance. Increased safety integrity

More information

2012 Honeywell Pacific Users Group. Sus tain.ability.

2012 Honeywell Pacific Users Group. Sus tain.ability. 2012 Honeywell Pacific Users Group Sus tain.ability. 1 2012 Honeywell Pacific Users Group Sus tain.ability. Nico Oosthuizen Effective Alarm and Operations Management 2 Topics Overview What is the problem?

More information

IEC an aid to COMAH and Safety Case Regulations compliance

IEC an aid to COMAH and Safety Case Regulations compliance IEC 61511 an aid to COMAH and Safety Case Regulations compliance C R Timms, Director, C&C Technical Support Services Limited INTRODUCTION There are specific safety related regulations for the UK offshore

More information

Karl Watson, ABB Consulting Houston LOPA. A Storage Tank Case Study. ABB Inc. September 20, 2011 Slide 1

Karl Watson, ABB Consulting Houston LOPA. A Storage Tank Case Study. ABB Inc. September 20, 2011 Slide 1 Karl Watson, ABB Consulting Houston LOPA A Storage Tank Case Study September 20, 2011 Slide 1 Introduction Karl Watson PSM Consultant, ABB Consulting Based in Houston, US Chartered Instrument Engineer

More information