This chapter presents ideas on expected minimum safety control and mitigation measure, which should be in place for each set of technology. These safety controls can be viewed as safeguards which prevent a loss of containment (a leak) of hydrogen gas from the technology set out in each scenario.
Risk-based Regulatory Design for the Safe Use of Hydrogen
15. Bow tie barrier analysis
Abstract
A Bow Tie analysis is an ideal way to assess the risks associated with technology or activities as it is used to identify potential hazards and to understand the adverse consequences the hazards may cause, if not effectively controlled (CCPS; Energy Institute, 2018[1]). A Bow Tie diagramme is a visualisation of the path a hazard may take to cause a severe consequence and a description of the combination of preventative and mitigative barriers required to reduce the process safety risk to an acceptable level.
Simple Bow Tie Diagrams are shown in Figure 15.1 and Figure 15.2. The circumstances which may give rise to a loss of control are displayed as blue boxes on the left-hand side of the diagramme. These “initiating events” are derived from hazard analysis identified in the literature review, supplemented by professional experience of the author in dealing with major hazards in order to understand and describe how a component or system may fail.
Figure 15.1. Simple bow tie diagrammes
Figure 15.2. Components of a bow tie diagramme
The control measures, or barriers, are the safeguards which are in place to prevent a threat from causing a loss of control or containment of a hazardous substance. Ideally, they should be independent of each other to avoid any common mode of failure. The barriers can be categorised by their function, which makes it easier to decide whether they are sufficiently reliable to prevent a threat from causing harm.
In the centre of the Bow Tie, the knot, describes the condition which represents a loss of control of the hazard, such as loss of containment of a hazardous substance. The right-hand side of the Bow Tie shows the mitigation measures or barriers which serve to reduce the final impact of the loss of control. Examples include, emergency shut-down systems, elimination of sources of ignition (ATEX Equipment) which reduces the chance of ignition if a flammable substance is released, and the emergency response actions required.
The red boxes to the extreme right-hand side describe the outcome or consequences which could occur following a loss of control. These should represent the “worst-case” outcome which could happen.
The visual nature of the Bow Tie means that it is easy to see the number and range of controls available to safeguard against a major incident and to decide whether the number and type of safeguards in place are sufficient to reduce risk to an acceptable level. Well-constructed Bow Tie diagrams quickly show the “basis of safety” (what is being relied upon to keep process conditions safe) for individual activities and processes. Bow Tie diagrams are also very useful for training people in the hazards and risks associated with their activities and for incident investigation as it is relatively straightforward to see which control measures should have been in place and to identify which barriers failed leading up to and during the incident.
The effective functioning of some control and mitigation measures are dependent on a secondary set of actions or controls. These are call “barrier dependencies” and are show as yellow boxes in the Bow Tie diagram, as shown in Figure 15.3. For example the effective functioning of a flame detection device in a heating appliance may deteriorate over time and require routine inspection and maintenance actions to sustain its function.
Figure 15.3. Barrier dependencies
Barrier classification
Classifying control and mitigation measure by their type and function helps us to make judgements about the value and robustness of the measures which can be applied to the technology or situation which could give rise to a major incident. Ideally all control measures will be robust and will function as desired when called upon to provide protection. However, in practice no protection measure can be perfect and the circumstances of how and why they may fail are important considerations when designing and implementing safety systems.
Basic mode of operation
The initial classification used in this assessment is by basic mode of operation of the barrier. This helps us to understand if the control was part of the original safety design of the installation and therefore will be fixed for the lifetime of that system. A further consideration is whether it is an active control measure or is a task undertaken by people and whether it should appear in a maintenance program. Five categories are used for this purpose:
Design
Automated
Semi-automation
Maintenance
Procedure
Design: These barriers are determined during the initial design of the safety system and tend to be fixed for the duration of the use of the technology. Once installed and operational it is usually difficult to change the design without a major modification of the installation or system.
Automated: Automated controls operate without human intervention. These controls operate when safety is compromised, and action is needed quickly to prevent an incident. Automated controls are usually reliant on routine maintenance to keep them functioning in an optimal condition.
Semi-automated systems: These controls relay partly on technology and then human intervention to bring the situation back into safety. An alarm followed by corrective action is an example of this type of control. In an emergency the right action requires a pre-determined response.
Maintenance: These are the controls which keep safety systems functioning and delivering the desired safety outcomes. As with all human tasks maintenance can be prone to error and mistakes which may remain undetected until a safety system is called upon in an emergency.
Procedure: These are tasks performed by people and normally the correct action is set out in a safe operating procedure. People tend to have more failure modes than technology and when an error may happen is very difficult to predict.
Criticality
Not all barriers or control / mitigation measures are of equal value in protecting against a major incident, so it is helpful to differentiate them. The two types of classification are criticality or “importance” in the prevention of a major accident (safety criticality) and the second is ‘reliability’ (or vulnerability to failure on demand). They are quite separate and distinct features that are generally independent of each other.
Adopting this classification helps an organisation focus on the most important issues with complex process safety management systems. It helps to concentrate efforts aimed at assuring that weak control measures continue to function and deliver the desired outcome against a constant tendency for control measures to deteriorate over time.
Consider the safety criticality of a barrier as a function of its contribution to the prevention of a major accident. Applying guide words such as ‘essential’ and ‘vital’ or ‘incidental’ or ‘marginal’ to the prevention of a major incident can help as a starting point. It is more helpful to also consider which failure mechanism the barrier helps to prevent and how significant that failure mechanism is compared to alternative routes to failure e.g. does it lie on one of the most significant major hazard scenarios for the facility. A further factor to consider is whether the control measure or barrier is involved in the maintenance of a process condition within prescribed boundaries such as pressure, temperature or level, where an excursion outside such boundaries could lead to a loss of containment?
The following questions help assess criticality (Travers and McCulloch, 2018[2]):
Does the barrier lie on the critical path to a major accident e.g. is this a major hazard initiator should it fail?
Does the control measure / barrier directly relate to controlling process conditions e.g. temperature, pressure, flow, level which could directly lead to a loss of containment?
Does the control measure / barrier guard against another important loss of containment failure mechanism, e.g. corrosion, stress, impact?
How essential is the control or mitigation measure in preventing a loss of containment e.g.
Essential?
Important?
Moderately relevant?
Marginal?
Supplementary / adjunct to a more important control measure?
Three categories of criticality are used:
High criticality
Medium criticality
Low criticality
Vulnerability (to failure)
The next classification to be applied to the barriers relates to the reliability of the control measure to work and deliver the correct control and outcome when it is needed. The term vulnerability is used to help focus on the weakest elements of the system and vulnerability should be viewed as the inverse of reliability. This is based on the characteristic of the barrier function. This is illustrated in Table 15.1 which identifies five main characteristic types which fulfill the stages of “Detect, Decide and Act” from the CCPS and Energy Institute Guidance: Bow Ties in Risk Management (CCPS; Energy Institute, 2018[1]).
Table 15.1. Barrier types and vulnerability based on function
Type 1. Passive Hardware – this type of control operates without human intervention. For example, a storage tank containment bund falls into this category as it can contain a spillage without any prior detection of a leak. It is simply a physical protective measure. Generally considered as of “low vulnerability”.
Type 2. Active Hardware – this type of control fulfills its function automatically once a set of conditions are encountered. The system detects the condition, decides whether it is acceptable and if not takes action to bring the situation back into its controlled state. An automatic gas detector linked to an emergency shut down valve fulfills this action as the flammable gas is detected and the system then automatically closes the pipe inlet valve without any human intervention. Generally considered as of ‘low vulnerability’ as a main barrier but the inspection, maintenance, and calibration activities upon which its performance relies upon can be considered as ‘medium’ or ‘high vulnerability’.
Type 3. Active Hardware and Human – this type of control is partially automated but then relies on human intervention to decide if the situation is unacceptable and to initiate a corrective action. The action to be taken on the initiation of a high-pressure alarm is an active hardware / human control as the hardware gives information from the sensor about a rise above a pressure threshold, or even sounds an alarm at a set pressure but then it is the operator who decides whether the system should be shut down. Generally considered as ‘medium vulnerability’.
Type 4. Human Active – this is a control where a person or several people undertake the whole of the control or mitigation measure. Generally considered as “high vulnerability” because of the opportunity for human error. This value can be further assessed using human reliability analysis on such critical tasks to gauge the likelihood of an error occurring or the opportunity for recovery should an error be made.
Type 5. Continuous – this type of control is active continuously regardless of the situation or condition of the plant or process. For example, a ventilation fan which is constantly running in a confined or indoor space is an example of a continuous measure. Generally considered as “medium” or “low vulnerability” depending on the thoroughness of periodic checks and tests of its function.
Findings
Hazards are always generic, and risks are always context-based. So, hydrogen gas is always flammable (the hazard) but the degree of exposure to potential harm to people and assets (the risk) varies based on the context in which hydrogen is deployed. When hazards are present there can never be zero risk, instead it is important to determine what is an acceptable level of risk associated with the deployment, throughout society, of hydrogen as a fuel source, rather than it being a specialised industrial commodity confined to specific industrial locations.
This bow tie analysis provides an initial and slightly crude risk assessment based on limited information available about the exact nature and configuration of the technology within which it is deployed (McCulloch, 2017[3]).
The control and mitigation measures determined for each scenario are set out in Bow Tie Diagrammes as summarised in the tables below. These are not meant to be definitive or absolute but rather to help industry and regulators consider and debate what needs to be in place to reduce the likelihood of a major incident to as low as is reasonably practical.
Special attention needs to be paid to controls which are classified as both high criticality and high vulnerability as these are really important controls, but which cannot be considered as highly reliable.
The best control measures are associated with intrinsically safe systems, that is systems with high levels of automation and few failure modes. However, given the range of technologies involved in the hydrogen fuel transition it will not always be possible to adopt intrinsically safe solutions for every technology.
In-situ electrolytic H2 generation
H2 transport by high pressure pipeline
H2 in road transport
Mobility and partially confined spaces: Hydrogen city bus driving in a tunnel involved in a collision accident
Mobility and partially confined spaces Accidents at a hydrogen refueling station
Domestic use of H2 for cooking and heating
References
[1] CCPS; Energy Institute (2018), Bow Ties in Risk Management: A Concept Book for Process Safety, https://doi.org/10.1002/9781119490357.
[3] McCulloch, P. (2017), Learning from Incidents- Linking incident analysis with BowTie based risk assessments.
[2] Travers, I. and P. McCulloch (2018), The Chemical Engineer.