In process safety, initiating events (IES) are the primary triggers that lead to hazardous scenarios. Identifying and categorizing these events is essential for risk assessment and mitigation. Understanding initiating events and their frequency is essential in Layer of Protection Analysis. Initiating events are classified into three general types;
- External Events
- Equipment Failures
- Human Failures (also called inappropriate actions)
Each type has unique characteristics and requires different approaches for prevention and control. Let’s explore these in detail.
1. External Initiating Events
External initiating events refer to hazards that originate from outside the system. These events include:
- Natural Phenomena: Earthquakes, tornadoes, floods, and other environmental factors.
- “Knock-on” Events: Fires or explosions in adjacent facilities that impact operations.
- Third-Party Interventions: Mechanical impacts on equipment or structural supports caused by vehicles or construction equipment.
- Sabotage and Terrorism: Deliberate attacks that may override or disable Independent Protection Layers (IPLs).
Sabotage and terrorism require special consideration since a determined saboteur can bypass safeguards. Full protection against such events is often challenging, but proactive risk management can help minimize potential impacts.
2. Equipment-Related Initiating Events
Equipment failures are a major source of initiating events and can be categorized into control system failures and mechanical failures.
Control System Failures
These failures impact process controls and automation, leading to unsafe conditions. Common causes include:
- Basic Process Control System (BPCS) component failures
- Software failures or crashes
- Failure of control support systems (e.g., power supply, instrument air)
Mechanical Failures
Mechanical breakdowns involve physical damage to components. These failures include:
- Vessel or piping failure due to wear, fatigue, or corrosion
- Structural failures caused by design flaws, specification errors, or manufacturing defects
- Overpressure (thermal expansion, pigging/blowing) or underpressure (vacuum collapse)
- Vibration-induced failures in rotating equipment
- Failures caused by inadequate maintenance, incorrect material substitution, or improper repairs
- Extreme temperature effects, such as fire exposure or brittle fracture due to low ambient temperatures
- Flow surge or hydraulic hammer impacts
- Internal explosions, decompositions, or other uncontrolled chemical reactions
For equipment failure data, it is assumed that an asset integrity program is in place to maintain equipment within its useful life. A well-managed maintenance program ensures equipment is restored to a “like-new” condition, reducing failure risks.
3. Human Failure-Related Initiating Events
Human errors play a significant role in initiating events. These failures are classified into:
- Errors of omission: Forgetting to perform critical steps or executing them in the wrong order.
- Errors of commission: Performing an action incorrectly, leading to process deviations.
Factors Affecting Human Errors
Several factors influence human reliability and should be considered in initiating event frequency assessments and IPL Probability of Failure on Demand (PFD) calculations:
- Accuracy and clarity of procedures
- Operator training, knowledge, and skill levels
- Fitness for duty and mental alertness
- Workload management and job complexity
- Effectiveness of communication
- Work environment conditions
- Design and layout of Distributed Control System (DCS) Human-Machine Interfaces (HMIs)
Managing human performance is crucial to reducing errors that may initiate hazardous incidents or impact IPL reliability.
Verification of Initiating Events
Before assigning event frequencies, initiating event causes should be reviewed and validated for their relevance to specific consequences. There must be a clear cause–consequence relationship. Any incorrect or inappropriate causes should be:
- Discarded if they are irrelevant.
- Refined into valid initiating events if they contribute to potential hazards.
The analyst should also verify that all the potential initiating events were determined by viewing the process from a system perspective and ensuring that any causes normally generic to this process or similar processes have not inadvertently been excluded.
Examples of Inappropriate Initiating Events
- Inadequate operator training/certification: While this can contribute to initiating events, standard site-specific training and certification levels are already factored into failure rates.
- Inadequate test and inspection: This is an underlying cause but not a standalone initiating event. Site-specific testing and inspection frequencies are assumed in reliability calculations.
- Unavailability of protective devices (e.g., safety valves, overspeed trips): These do not initiate incidents but rather act as safeguards against them. Another event must occur first to challenge these protections.
- A spurious trip of a safety instrumented function (SIF), which is an independent protection layer for an accident scenario, is only considered an initiating event for scenarios that result from transitional operating states (e.g., emergency shutdowns) and is not normally a valid initiating event in itself.
Best Practices for Managing Initiating Events
To effectively manage process safety risks, organizations should implement:
- Comprehensive Risk Assessments such as Layer of Protection Analysis (LOPA).
- Asset Integrity and Reliability Programs to ensure equipment remains in optimal condition.
- Human Factors Engineering to reduce operator-induced errors.
- Enhanced Security Measures to mitigate sabotage and external threats.
The LOPA analyst should reduce each cause into discrete failure events. For example, the cause “loss of cooling” could be the result of a coolant pump failure, power failure, or control loop failure. Listing these separately is useful, because the existing (and new) potential layers of protection may be different for each initiating event.
In addition, the analyst should ensure that initiating events in all modes of operation (e.g., normal operation, startup, shutdown, utility outages) and equipment states (e.g., standby, under maintenance) have been identified/examined. Any of these may involve discrete failures that could cause loss of cooling and in turn result in the consequence of interest.
References
For more detailed guidelines, refer to:
- CCPS Guidelines for Initiating Events and Independent Protection Layers of LOPA
- CCPS, Layers of Protection Analysis: Simplified Risk Assessment
