STPA: A Systemic and Integral Hazards Analysis Technique Applied to the Process Industry | AIChE


Authors 

Rodriguez, M. - Presenter, Technical University of Madrid
Díaz Moreno, I., Technical University of Madrid

Process plants (refineries, chemical plants, petrochemical, pharmaceutical, etc.) handle large amounts of potentially dangerous materials (toxic, flammable, explosive), often under extreme conditions such as high temperatures and pressures. This can lead to equipment failures, plant shutdowns or, worse, accidents with catastrophic consequences.

In spite of the safety layers of protection (basic control, alarms, SIS, protective systems, etc.), accidents happen every day, with losses of up to $1,000 million each year in US refineries alone. These accidents are due mainly to the increasing complexity of process plants. This complexity arises from two factors. The first is a more complex process structure (energy integration, minimum waste, higher demands on yield and production, environmental constraints); the second is a more complex control system (systems that perform many more tasks than before, running software whose behaviour is not predictable). The complexity problem is made worse because the two factors are not independent but highly interrelated.

In order to have safer and more robust plants, Process Hazard Analyses (PHA) are carried out to identify potential problems and to propose possible solutions such as process changes. Traditional PHA techniques are HAZOP, What-If, FMEA, etc. The problem with this traditional approach is that a loss is treated as the consequence of a chain of failures, and the solution is to protect the weakest or most dangerous elements in that chain. This has serious limitations: the traditional approach does not consider systemic failures (those due to the interaction between components), and it simplifies or ignores factors such as the human factor, the importance of software failures, or the company's safety culture. These methodologies take reliability as a measure of the safety of a system, which is a reduction of the actual problem. Reliability is not equal to safety.

In this work we apply a new methodology based on a systems-theory model. The model, STAMP (Systems-Theoretic Accident Model and Processes), was developed by Prof. Leveson at MIT. Such a model provides a theoretical foundation for new types of accident analysis, hazard analysis, accident prevention strategies (including new approaches to designing for safety), risk assessment techniques, and approaches to designing performance monitoring and safety metrics. This systemic view separates the concepts of reliability and safety, since neither necessarily implies the other. The central idea of the methodology is that safety is an emergent property of the system, so it is treated as a control problem. The methodology is therefore oriented to enforcing that the safety control constraints are met in the design and operation of the plant. Two different processes derive from STAMP: one devoted to process analysis (STPA: Systems-Theoretic Process Analysis) and CAST (Causal Analysis using Systems Theory). This approach has been applied in other domains (aeronautics, trains, etc.) but not to chemical processes.

In this work we apply STPA to the whole (socio-technical) control structure of a chemical process, from field equipment to process control, alarm management, human operators, supervisors, management and regulators. We highlight its advantages and drawbacks compared with traditional approaches such as HAZOP, and evaluate its applicability to this domain.
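To make the "safety as a control problem" idea concrete, the following added example (not code from the authors or from the STPA literature) encodes a small, constructed hierarchical control structure for an exothermic reactor (operator, BPCS, SIS) and runs the two STPA checks that a chain-of-failures technique such as HAZOP does not perform: enumerating candidate unsafe control actions per the four STPA categories, and flagging control actions whose controller receives no feedback from what it commands. The controller names, signals and hazard are assumptions for illustration.

```python
from dataclasses import dataclass, field

# The four STPA unsafe-control-action (UCA) categories.
UCA_TYPES = (
    "not provided when needed", "provided when unsafe",
    "provided too early, too late or out of order",
    "stopped too soon or applied too long",
)

@dataclass
class ControlAction:
    controller: str   # who issues the action (operator, BPCS, SIS, ...)
    action: str       # the command itself
    process: str      # the controlled process or lower-level controller
    hazard: str       # system-level hazard the action is meant to prevent

@dataclass
class ControlStructure:
    actions: list = field(default_factory=list)
    feedback: list = field(default_factory=list)   # (source, controller, signal)

    def missing_feedback(self):
        """Actions whose controller gets no feedback from what it commands, so its
        process model can drift from reality: a systemic cause, not a component failure."""
        fed = {(src, ctrl) for src, ctrl, _ in self.feedback}
        return [a for a in self.actions if (a.process, a.controller) not in fed]

    def unsafe_control_actions(self):
        """Candidate UCAs: every action crossed with the four STPA categories.
        Each surviving UCA becomes a safety constraint the design must enforce."""
        return [(a.controller, a.action, kind, a.hazard)
                for a in self.actions for kind in UCA_TYPES]

def reactor_cooling_example():
    """Constructed exothermic-reactor control structure (assumed, not the paper's case)."""
    cs = ControlStructure()
    cs.actions += [
        ControlAction("operator", "raise reactor temperature setpoint", "BPCS", "runaway reaction"),
        ControlAction("BPCS", "open cooling-water valve", "reactor", "runaway reaction"),
        ControlAction("SIS", "trip reactant feed", "reactor", "runaway reaction"),
    ]
    cs.feedback += [
        ("reactor", "BPCS", "temperature transmitter"),
        ("reactor", "SIS", "independent temperature transmitter"),
        # deliberately no feedback from BPCS to operator (e.g. a suppressed alarm)
    ]
    return cs

if __name__ == "__main__":
    cs = reactor_cooling_example()
    print(len(cs.unsafe_control_actions()), "candidate UCAs;",
          [a.action for a in cs.missing_feedback()], "lack a feedback path")
```

The deliberately omitted BPCS-to-operator feedback is reported as a structural gap even though every individual component is "reliable", which is exactly the reliability-versus-safety distinction the abstract draws.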
