Journal of Loss Prevention in the Process Industries 43 (2016) 721e729

Contents lists available at ScienceDirect

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier.com/locate/jlp

A systematic and integral hazards analysis technique applied to the

process industry
Manuel Rodríguez*, Ismael Díaz
Dpto. Ingeniería Química Industrial y del Medio Ambiente, ETS Ingenieros Industriales, Universidad Polit
ecnica de Madrid, C/Jos
e Guti
errez Abascal 2,
Madrid, 28006, Spain

a r t i c l e i n f o a b s t r a c t

Article history: Traditional approaches to process safety are not enough. Accidents keep occurring every day across the
Received 26 February 2016 globe. Technology advances make systems more complex and their behaviour more non linear and
Received in revised form unpredictable. This trend will increase in the coming years mainly due to the new industrial paradigm
21 June 2016
that will change production processes to fully digital. In this context this paper analyses the current
Accepted 23 June 2016
Available online 25 June 2016
status and methodologies and introduces the need to change to systems theory based approach for
process safety. An overview of different system theory based techniques is presented. A more in deep
explanation is given about the STAMP-STPA methodology. Finally, STPA is applied to a case study of the
Keywords:
Hazard analysis
process industry pointing out the needs, advantages and drawbacks of the approach.
Systems theory © 2016 Elsevier Ltd. All rights reserved.
Process industry
STAMP
STPA

1. Introduction September the 21st in an ammonium nitrate plant in Oppau (Ger-

1.1. Safety a present and actual problem
Industrial chemical processes (refineries, petrochemical, phar-
maceutics …) usually work with great amounts of potentially
dangerous materials (toxics, explosives, flammables …), very often
under extreme conditions (high temperature and/or pressure) that
can lead to accidents with the associated human and economic
losses. Although safety systems have evolved during the last de-
cades, the reality is that accidents still happen with losses over
1000 million dollar only in USA refineries. The Abnormal Situation
Management consortium have showed that losses can be as high as
3e8% of the total plant production Nimmo (1995). The history of
process safety is short in comparison with process industry history.
Safety regulations have been developed in the last thirty years
usually driven by important accidents (Flixborough, 1974; Seveso,
1976; Three Mile Island, 1979; Bhopal, 1984). These have caused
widespread public concerns about major incidents in chemical
plants, Mannan (2004). Besides the regulations, accidents keep
occurring. As a curious fact, the first big accident happened in 1921
* Corresponding author.
E-mail address:
many) and the very same day 80 years after a big accident
happened again in an ammonium nitrate plant in Toulouse
(France). Today you can find many accidents happening in the
process industry everyday which are reported in the Abnormal
Situation Management Consortium web page.
The main problems present currently in the process industry
regarding safety, according to Mannan et al., (2010), are basically:

Organizations have no memory of past accidents.

Insufficient attention to leading indicators.

Process operations with increasing complexity.

Need for better solutions and approaches.
The last item is nowadays widely accepted as indicated in De
Rademaekeret al. (2014).
1.2. Causes of accidents
Technology is rapidly evolving and the process industry,
although at a lower pace, is being affected by it. Today, process
plants involve operations with complex human-machine in-
teractions. The processes are large, complex, distributed, and more
automated. There are a lot of interactions and couplings between

[email protected] (M. Rodríguez). sub-systems and equipment, and computers (software) play a

http://dx.doi.org/10.1016/j.jlp.2016.06.016
0950-4230/© 2016 Elsevier Ltd. All rights reserved.
722 M. Rodríguez, I. Díaz / Journal of Loss Prevention in the Process Industries 43 (2016) 721e729
significant role in the human-machine interaction Soken et al.
(1995). The social part of the systems has a very important role
which means that now not only the technical but the complete
socio-technical structure has to be taken into account. Team
members (managers, supervisors, operators, etc.) have to cope with
heterogeneous and sometimes conflicting information, perfor-
mance pressure and high workload, Bullemer and Laberge (2010).
Table 1 shows top 3 common failures found by Bullemer after
analysing more than 30 incidents.
2. The traditional approach to safety
2.1. The traditional approach
One of the first methodologies for safety was Failure Mode and
Effects Analysis (FMEA) that dates from the end of the 40’s but most
traditional techniques appeared in the 60’s: Fault Tree Analysis
(FTA), Hazard and Operability study (HAZOP), Event Tree Analysis
(ETA) and Bow Tie e early 70’s. All these tools used to identify
hazards (defining hazard as a set of chemical, physical or changing
conditions that have the potential for causing damage Center for
Chemical Process Safety (1999)) share a common view and it is
that they consider accidents caused by component failures,
following a chain of events.
In the process industry the de facto standard is HAZOP, devel-
oped by ICI. A HAZOP study is a highly disciplined procedure meant
to identify how a process may deviate from its design intent. It is
defined as the application of a formal, systematic critical exami-
nation of the process and the engineering intentions of new or
existing facilities to assess the potential for malfunctioning of in-
dividual pieces of equipment, and the consequential effects on the
facility Dunjo et al., (2010). It divides the whole system in nodes
following Piping & Instrumentation Diagrams (P&IDs).
However, there are some disadvantages in the use of HAZOP as a
hazard analysis technique:

No means to assess hazards involving interactions between
different parts of the system.

Time consuming and expensive.

Both human and organizational factors are rarely taken into
consideration and only related to lower levels in the organiza-
tional hierarchy.
As stated earlier, safety is considered a failure problem so the
way to protect a system, after conducting the hazards analysis, is to
add a set of barriers. In order to do this after the HAZOP study a
method to calculate the safety integrity level (SIL) is conducted. A
widely used methodology for this is the Layers of Protection
Analysis (LOPA). With this protection in place, for an accident to
happen a chain of failures passing through the barriers is needed
The protection layers can be classified into prevention and miti-
gation layers. Fig. 1 shows the onion-like system used in the process
industry.
With this protection in place for an accident to occur there has to
be “aligned holes” in all the layers so it seems that with all these
protective layers an accident should almost never happen (based
Table 1
Top 3 common failures across all the incidents (Bullemer and Laberge (2010)).
Common failure modes
Implement a comprehensive hazard analysis and communication program
Establish effective first line leadership roles to direct personnel, enforce organizational policies and achieve business objectives
Establish an effective and comprehensive program to continuously improve the impact of people, equipment, and materials on plant productivity and reliability 60
Fig. 1. Layers of protection in the process industry.
on reliability the accident has a very low probability), but unfor-
tunately this is not the case. It appears then that the prevailing
assumption of classical models that accidents are caused by a chain
of directly related events is not the proper way to tackle the
problem. At least it is not enough and new complementary tech-
niques are needed. As stated in Leveson (2011a,b) safety is not the
same as reliability, one does not imply nor require the otherda
system can be reliable and unsafe or safe and unreliable. In some
cases, these two system properties are conflicting.
2.2. Why the traditional approach is not enough
We have claimed in the previous section that reliability is not
enough to guarantee safety, almost 20 years ago Pasman (1998)
extracted some conclusions from the analysis of past accidents:

Conditions that lead to an accident are often complex and
difficult to reproduce.

Test methods are often inadequate for making reliable
predictions.

A system approach appears crucial for successful prevention.
Following these conclusions we present additional reasons that
support our previous claim:
1. Systems are becoming more complex (being software the main
contributor) which means:
a. There are accidents that result from interactions among
components not just from component failures
(Venkatasubramanian (2011)).
b. The increasing complexity impedes to anticipate all potential
interactions.
c. Component interactions are usually non-linear and their
behaviour is difficult to predict.
2. Traditional techniques omit or oversimplify some important
factors:
a. Human factor. This is a crucial element when considering
safety, although some methodologies, like HAZOP, can
consider human errors when applied, they only do it to a
Freq. %
79 15
65 12
11
 M. Rodríguez, I. Díaz / Journal of Loss Prevention in the Process Industries 43 (2016) 721e729 723

quite limited extent. Besides, only operator errors are taken

into consideration and not the human factors in all the levels
of the hierarchy of the plant (management-supervision-
operation).
b. Technology evolution. In the last decades, technology is
evolving very fast and is affecting (and will affect much more)
to existing systems. Particularly, software is every day more
embedded in many manufacturing processes. The new in-
dustrial revolution (name it industry 4.0, advanced
manufacturing process or intelligent manufacturing) will
definitely augment this effect.
c. Safety culture and management. Many accidents happen not
because the protective barriers were not enough but because
of a lack of safety culture in a company (near misses, omis-
sions, production pressure on workers, lack of hazards anal-
ysis specially after revampings, etc.)
d. Lack of safety maintenance. Safety deteriorates over time and
a plant that was safe when started may be in an accident-
prone condition after some time. Understanding and pre-
venting or detecting system migration to states of higher risk
requires that our accident models consider the processes
involved in accidents and not simply the events and condi-
tions. (Leveson and Stephanopoulos (2014))

3. Systems theory as the foundation for systems safety Fig. 2. Ten principles for systems thinking to improve system performance and safety
from Shorrock et al. (2014).
3.1. Generalities

Initially formulated by Bertalanffy (1968), general systems the-
ory is seen as a general framework for universal, abstract systems
modelling. Systems conception has evolved from the Cartesian
paradigm (structure-function), the statistic-mechanics paradigm
(evolution-function), the structuralist (evolution-structure-func-
tion) and cybernetic paradigms (homeostasis, goals) into the global
systemic paradigm represented by the General Systems Theory that
collects and merges somehow the last two paradigms. It dates from
the 1930s and 1940s and was a response to the limitations of the
classic analysis techniques in coping with the increasingly complex
systems being built (Checkland, 1981). Systems theory is nowadays
widely used as the basis for systems engineering and process sys-
tems engineering (Stephanopoulos and Reklaitis (2011)).
A system can be described as “a set of elements or parts that is
coherently organized and interconnected in a pattern or structure that
produces a characteristic set of behaviours, often classified as its
‘function’ or ‘purpose’” (Meadows and Wright (2009)).
A systems viewpoint means seeing the system as a purposeful
whole e as holistic, and not simply as a collection of parts. We try to
“optimise (or at least satisfies) the interactions involved with the
integration of human, technical, information, social, political, eco-
nomic and organizational components” (Wilson (2014)).
To understand and improve the way that organisations work, we
must think in systems. This means considering the interactions
between the parts of the system (human, social, technical, infor-
mation, political, economic and organizational) in light of system
goals (Shorrock et al. (2014)). In this paper they proposed 10
principles to encourage a systems thinking approach to improve
systems performance and safety. These principles are summarised
in Fig. 2.
One important principle related to safety is emergence. In
complex systems, outcomes are often emergent and not simply a
result of the performance of individual system components. Woods
et al. (2010) describe emergence as follows: “Emergence means
that simple entities, because of their interaction, cross adaptation
and cumulative change, can produce far more complex behaviours
as a collective and produce effects across scale.” Emergence makes
system behaviour difficult to understand and it cannot be reduced
to the behaviour of components. Systems thinking and resilience
engineering provide approaches to help anticipate and understand
system behaviour, to help ensure that things go right.
3.2. Systems theory for safety
Systems theory was proposed for accident analysis research in
the 1980’s (e.g. Leplat, 1984), but its application for safety purposes
boosted with the work of some researchers as Hollnagel, 2004;
Leveson, 2004; or Rasmussen, 1997. All agreed in that the linear
cause-effect explanation of existing models represented a theo-
retical limitation Underwood and Waterson (2012). System safety
uses systems theory and systems engineering approaches to pre-
vent foreseeable accidents and to minimize the result of unforeseen
ones. Losses in general, not just human death or injury, are
considered. Such losses may include destruction of property, loss of
mission, and environmental harm.
According to Leveson (2003) there are several systems safety
principles:

System safety emphasizes building in safety, not adding it on to
a completed design.

System safety deals with systems as a whole rather than with
subsystems or components.

System safety takes a larger view of hazards than just failures.

System safety emphasizes analysis rather than past experience
and standards.

System safety emphasizes qualitative rather than quantitative
approaches.

Recognition of trade offs and conflicts: Nothing is absolutely
safe, and safety is not the only, and is rarely the primary, goal in
building systems.

System safety is more than just system engineering.
As a conclusion, safety appears as an emergent property that
arises at the system level when components are operating together
724 M. Rodríguez, I. Díaz / Journal of Loss Prevention in the Process Industries 43 (2016) 721e729
(it is a system property not a component property).
3.3. Systems theory based methodologies for safety
A brief description of two of the most used (besides STAMP)
systems theory based methodologies, FRAM and Accimap, is given
in this section.
FRAM: Functional Resonance Accident Method.
The Functional Resonance Analysis Method or FRAM (Hollnagel
(2004), (2012)) was developed to act as an accident analysis and as
a risk assessment tool. It provides a way to describe outcomes using
the idea of resonance arising from the variability of everyday per-
formance. To arrive at a description of functional variability and
resonance, and to lead to recommendations for damping unwanted
variability, a FRAM analysis consists of four steps:

Identify and describe essential system functions, and charac-
terise each function using the six basic characteristics (aspects):
Input, Output, Precondition, Resource, Control, and Time.

Check the completeness/consistency of the model.

Characterise the potential variability of the functions in the
FRAM model.

Define the functional resonance based on dependencies/cou-
plings among functions and the potential for functional
variability.
The FRAM is based on the four basic principles described below:
1. The Principle of Equivalence of Successes and Failures: Failure is
normally explained as a breakdown or malfunctioning of a
system and/or its components. FRAM e and Resilience Engi-
neering e acknowledges that things go right and wrong in
basically the same way.
2. The Principle of Approximate Adjustments: Many socio-
technical systems are intractable. The conditions of work
therefore never completely match what has been specified or
prescribed. Individuals, groups, and organisations normally
adjust their performance to meet existing conditions (resources,
demands, opportunities, conflicts, interruptions) such adjust-
ments will invariably be approximate rather than exact.
3. The Principle of Emergence: the variability from multiple
functions may combine in unexpected ways, leading to conse-
quences that are disproportionally large, hence produce a non-
linear effect. Both failures and normal performance are emer-
gent rather than resultant phenomena, because neither can be
attributed to or explained only by referring to the (mal)func-
tions of specific components or parts.
4. The Principle of Functional Resonance: The variability of a
number of functions may every now and then resonate. The
consequences may spread through tight couplings rather than
via identifiable and enumerable cause-effect links. Functional
resonance is the detectable signal that emerges from the unin-
tended interaction of the normal variabilities of many signals.
3.3.1. Accimap
Rasmussen’s risk management framework (Rasmussen (1997))
describes the various system levels (e.g. government, regulators,
company, company management, staff, and work) involved in
production and safety management and considers safety an
emergent property arising from the interactions between actors at
each of these levels. For systems to function safely decisions made
at high levels should promulgate down and be reflected in the
decisions and actions occurring at lower levels of the system.
Conversely, information at the lower levels regarding the system’s
status needs to transfer up the hierarchy to inform the decisions
and actions occurring at the higher levels (Cassano-Piche et al.
(2009) and Waterson and Jenkins (2011)).
Accimap is based on this framework and it is used to graphically
represent the system wide failures, decisions and actions involved
in accidents. Accimap analyses typically focus on failures across the
following six organizational levels: government policy and budg-
eting; regulatory bodies and associations; local area government
planning and budgeting (including company management) tech-
nical and operational management; physical processes and actor
activities; and equipment and surroundings. Accimaps are dia-
grams developed to support vertical integration across the control
levels of a socio-technical system.
4. STAMP and STPA
4.1. Definitions
System-Theoretic Accident Model and Processes (STAMP) was
published by prof. Nancy Leveson in Leveson (2002) and Leveson
(2004) to capture more types of accident causal factors including
social and organizational structures, new kinds of human error,
design and requirements flaws, and dysfunctional interactions
among non-failed components. STAMP is based on systems theory
and control theory. Complex systems are viewed as hierarchical
structures with multiple levels; each level controls lower levels by
imposing constraints on the level beneath it. Therefore STAMP
treats safety as a control problem in which accidents arise from
complex dynamic processes that may operate concurrently and
interact to create unsafe situations. Safety is an emergent property
and accidents can be prevented by identifying and enforcing con-
straints on component interactions. These constraints are imposed
on the operational state of a chemical plant as a system, so process
safety is a problem that must be addressed within the scope of an
operating plant seen as a system (Leveson and Stephanopoulos
(2014)). At each level of the system structure, control loops
(Fig. 3) exist.
The main advantage of Leveson approach is that its general
control loop structure can be applied to all the levels of the socio-
technical organization levels as depicted in Fig. 4. From STAMP
general theory, two different techniques have been developed
trying to improve, on one hand, existing hazard analysis and, on the
other hand, existing accident analysis. These two approaches are
STPA (System Theoretic Process Analysis) and CAST (Causal Anal-
ysis based on STAMP).
STPA is a hazard analysis technique that embodies the STAMP
accident causality model. As such, it is based on control and system
theory rather than the reliability theory underlying most existing
hazard analysis techniques. STPA is a new hazard analysis tech-
nique with the same goals as any other hazard analysis technique,
that is, to identify scenarios leading to hazards and thus to losses so
they can be eliminated or controlled. STPA does not generate a
probability number related to the hazard. The only way to generate
such a probability of an accident for complex systems is to omit
important causal factors that are not stochastic or for which
probabilistic information does not exist (particularly new designs
for which historical information is not available). In contrast to the
traditional hazard analysis techniques, however, STPA is more
powerful in terms of identifying more causal factors and hazardous
scenarios, particularly those related to software, system design, and
human behaviour. Because STPA is a top-down, system engineering
approach to system safety, it can be used early in the system
development process to generate high-level safety requirements
and constraints. Because it works on the hierarchical safety control
structure, it can be used both on technical design and on
 M. Rodríguez, I. Díaz / Journal of Loss Prevention in the Process Industries 43 (2016) 721e729
Fig. 3. Generic control loop.
organizational design (Leveson and Thomas (2013)).
4.2. The STPA process
The STPA applying procedure has four steps that are necessary
to complete the process. The steps are (detailed in Leveson
(2011a,b), Leveson and Thomas (2013)):
1. Identify Hazards and Accidents. The first step consists in
defining what accidents will be taken into consideration and
identifying the hazards associated to those accidents, under-
standing hazard as ”a system state or set of conditions that
together with a particular set of worst-case environmental
conditions, will lead to an accident (loss)“ Leveson (2011a,b).
This step is completed matching the hazards to safety con-
straints (requirements). For example, if the hazard is a toxic
release in a chemical plant the safety constraint is that toxic
chemicals must never be released from the plant.
2. Draw the functional control structure. This step generates the
document to perform the STPA process (steps 3 and 4). It con-
tains the whole socio-technical structure of the system under
analysis and the relationships between the different elements.
3. Identify potentially unsafe control actions. Unsafe control ac-
tions (UCAs) are actions that leads to a hazard. The four types of
unsafe control action are:
a. A control action required for safety is not provided.
b. An unsafe control action is provided that leads to a hazard.
c. A potentially safe control action provided too late, too early,
or out of sequence.
d. A safe control action is stopped too soon or applied too long
(for a continuous or non-discrete control action).
4. Identify the causes of the unsafe control actions. This step
identifies new safety constraints to be added. In this phase the
information provided allows the engineers to change the design
to eliminate or mitigate the causes of the hazards. This is the
most important step of the analysis but also de most difficult
one.
725
Fig. 3 allows for a systematic analysis of what factors can go
wrong. The generic loop (applied identified control structure in
step 2) is used mainly in step 3 and part in step 4.
4.3. Why using STAMP-STPA?
The first reason to use STAMP-STPA comes from defining safety
as a control problem (vs. a failure problem). Enforcing safety con-
straints on system behaviour allows to detect and control migration
of the system to states of higher risk which finally is the main cause
of most accidents. Other reasons for using STAMP methodology:

It applies to very complex socio-technical systems.

It includes software, human and new technology.

It is based on systems theory and systems engineering.

It expands the traditional model of accident causation- not just a
chain of directly related failure events.
When comparing STPA features with HAZOP-SIL we can find
what STPA does (and HAZOP-SIL doesn’t):

Include socio-technical analysis

Include systemic factors

Include all the hierarchy (from regulations to the final process):
safety culture

Fill the design operation gap: avoid higher risk states
And what STPA does not do (vs. traditional safety methods as
HAZOP-SIL):

Put the blame on you (many times an accident investigation
stops when a human error is found)

Consider only reliability and probability

Work only in the design stage (or after changes in the plant)

Doesn’t follow chains of events
726 M. Rodríguez, I. Díaz / Journal of Loss Prevention in the Process Industries 43 (2016) 721e729
Fig. 4. Example of socio-technical control structure (adapted from Leveson (2011a,b)).
5. STPA for the process industry: a case study
5.1. STPA for the process industry: adaptation
STAMP has been applied to different industries (nuclear, avia-
tion, etc.), and it has been proposed as a promising methodology for
the process industry, Pasman et al. (2013) and De Rademaekeret al.
(2014), although there are not published works on how it should be
applied in this industry.
In this paper a new approach is suggested to apply STPA to the
chemical and oil&gas industries. The application is focused on the
lowest level of the control architecture, that is related to the
equipment and process control loops. Upper control levels (human
operators, alarms, maintenance, supervision, etc.) are not
addressed and are the subject of a future paper.
The main change to be done in the application of STPA to the
process industry lies in step 3. The four unsafe control action types
described in the previous section are enough for different domains
but for chemical systems two extra unsafe control actions types are
needed and have to be taken into account to enforce system safety.
Process plants are, usually, continuous plants and the control is
achieved using conventional PID controllers that send the control
action to the final element, typically a control valve. The operation
of the valve is also continuous, and as it is not an On/Off controller
(the valve is not just open/closed) the Provided/Not Provided UCAs
are not sufficient to describe the control action status. They have to
be extended to include if the control action is more or less than it
should be. So the UCAs for this system are Provided (we consider
that provided means provided correctly, in the expected amount),
More and Less (both of them constitute the Not Provided type).
More or Less are directly related to the final value (after the control
action) of the manipulated variable. In most of the cases the Less
type effect includes the None effect on the process although there
are some specific situations where None has to be specified besides
the Less type. This could be considered as a third type of the Not
Provided control action. For example, if pressure is controlled in a
vessel (hazard: high pressure) manipulating the exit stream, a More
control action is safe but a Less control action is unsafe as it means
 M. Rodríguez, I. Díaz / Journal of Loss Prevention in the Process Industries 43 (2016) 721e729 727

that gas is accumulating in the vessel. The reason to distinguish 5.3. STPA analysis
between more and less instead of leaving Not provided is because
in some cases More can lead to a hazard and Less can lead to a The first step is to identify the accidents that can happen in the
different one in the same equipment. plant. In this case one of them is explosion. After that hazards
Nowadays, STPA tables are individually generated for each UCA leading to that accident are identified, in this example, the hazards
studying hazards for different scenarios (a scenario is a UCA along taken into account are high temperature and high pressure in the
with a context, which is the set of not controlled variables). In the vaporizer as shown in Table 2. Safety constraints are derived to
approach proposed herein, all UCAs are studied at the same time in avoid the hazardous scenarios (also shown in table).
the same table. Scenarios (context variables) are also discretized in If three UCAs (Provided, LESS, MORE) are applied to each control
“Desired”, “None”, “Less” and “More” (following the same UCA action, it would result (according to Equation (1)) in 34 ¼ 81 rows in
discretization criteria). For real systems, the size of the STPA tables the STPA table. However, some cases are not applicable and can be
is huge (although less than using different tables for every UCA). initially discarded in order to reduce the table size. For example, for
The STPA Table Size (STS) can be calculated by (1): the interlock actions only ’Provided’ and ’Not Provided’ (LESS) will
be taken into account according to interlock logic implementation.
Number The number of cases to be studied are 3  3  3  2 ¼ 54. Besides,
controlled all cases in which interlock control action is not provided are,
Y  
variables Number of UCAs themselves, unsafe. For all those cases hazard H1 is present.
STS ¼ i¼1
considered for i Therefore, they are eliminated from the STPA so the number of
(1) cases to be studied is reduced to 3  3  3 ¼ 27.
Number
context From tha HAZOP presented in the BSI Standards (2001) it is
Y   suggested a low flow alarm in the liquid oil stream as one of the
variables Number of states
j¼1 main recommendations. As it can be seen in Table 3, it can also be
considered for j
deduced from the STPA analysis (rows 19 to 27) that a lower liquid
As it can be seen, the number of rows to evaluate in STPA tables flowrate is related with hazard H1 (increased temperature). The
can be very large. Therefore, some solutions are under development table can be used to propose recommendations to avoid the haz-
in order to automate the analysis. One of them is the A-STPA open ards. Starting in the row with the hazard one can follow the table
tool created by Asim Abdulkhaleq at the Institute of Software and seethe closest safety state. By closest we mean with less vari-
Technology, Stuttgart (Abdulkhaleq and Wagner (2014)). ables different from the hazardous state. For example, it is provided
that one solution for scenario 20 (which means less flow of liquid
oil than expected and more natural gas than expected) would be 21
5.2. Description with no flow through PRV. It means, to close the PRV or, easier, close
the valve associated to TC1 (ID 25).
In order to provide a comparison with traditional HAZOP For the scenarios studied STPA is a superset of HAZOP resulting
studies, let consider the following example of a HAZOP application: in a deeper study of the system with extra information given, but
the oil vaporizer. This is documented in the BSI Standards (2001) HAZOP provides other type of information related with other key
and showed in Fig. 5.

Fig. 5. Process flow diagram of the oil vaporizer.

728 M. Rodríguez, I. Díaz / Journal of Loss Prevention in the Process Industries 43 (2016) 721e729

Table 2
Accidents, hazards and safety constraints identified.

Accident Hazard Safety constraint

Explosion H1: Temperature too high Temp. must never violate a maximum value
H2: Pressure too high Pressure must never violate a maximum value

Table 3
STPA hazards analysis table of the oil vaporizer.

ID FC1 TC1 PRV Hazard

1 Provided Provided Provided No

2 Provided Provided þ H2
3 Provided Provided e No
4 Provided þ Provided H1
5 Provided þ þ H1, H2
6 Provided þ e H1. No hazard if ’-’ in PRV means no flow
7 Provided e Provided No
8 Provided e þ No
9 Provided e e No
10 þ Provided Provided No
11 þ Provided þ No
12 þ Provided e No
13 þ þ Provided H1
14 þ þ þ H1, H2
15 þ þ e No
16 þ e Provided No
17 þ e þ No
18 þ e e No
19 e Provided Provided No
20 e Provided þ H2
21 e Provided e H1. No hazard if ’-’ in PRV means no flow
22 e þ Provided H1
23 e þ þ H1, H2
24 e þ e H1. No hazard if ’e’ in PRV means no flow
25 e e Provided H1. No hazard if ’e’ in TC1 means no flow
26 e e þ H1, H2. No hazard if ’e’ in TC1 means no flow
27 e e e H1. No hazard if ’e’ in either PRV or TC1 means no flow

words applied that are not taken into account in this work. For
example, when applying ’Other than’ to the liquid oil stream, an
evaluation of the influence on vaporizer behaviour of other type of
material different from oil (i.e water) is studied. A way to introduce
this kind of situations in a STPA study could be by defining a new
hazard associated with the new situation (’water is present’), add
the control structure associated (if exists) and then analyse new
UCAs together with the exiting ones.
5.4. Open questions
STPA is a promising method that can substitute or more likely
complement traditional approaches but it still is a young meth-
odology and more work has to be done, specially regarding its
application to the process industry. Following are some open
questions that need to be addressed by this technique:

Guarantee that there is at least one control action for every
hazard identified. A new explicit step could be added to address
this.

A chemical plant has thousands of variables and controllers:
how to define the system limits (the corresponding nodes in
HAZOP) for the analysis?

How many states must be considered for the process variables
(discretize)?

How many variables have to be considered (pressure, flow
composition, temperature, etc.)?

Can STPA cope with hazards like pipe leaks, dust accumulation,
static electricity, HTHA cracking, alarm problems, etc?

How to filter relevant contexts to hazards to avoid unnecessary
scenarios?
6. Conclusions
In this paper the current status of process safety has been
analysed and the need for a new approach has been justified.
Process safety cannot rely on (only) reliability and other technol-
ogies that consider the whole system and the systemic interactions
have to be incorporated to the industrial practice. Existing meth-
odologies based on systems theory are promising and in this work
we have focused on the application of STAMP-STPA to the process
industry.
STPA has been applied to the lowest level of a chemical process.
The case study shows how STPA could replace or at least comple-
ment HAZOP as the hazard analysis technique for chemical and oil
& gas industries. Although the differences between both tech-
niques are not very important in the lowest level, the great
advantage of using STPA lies in its systemic nature and its appli-
cation to the whole socio-technical hierarchy. Another advantage of
STPA is that it can give a potential recommendation to eliminate
hazards using the same analysis (the closest ewith less changes in
variables- safe scenario shown in the table).
Another conclusion is that it is more difficult to apply to the
process industry than to other domains. In fact, a problem found is
the great size of the resulting tables. It is needed to develop a tool in
order to simplify the analysis. It can be done by applying functional
modelling as a way to automatize the analysis of some (or all) cases.
We are working on applying a functional modelling technique
 M. Rodríguez, I. Díaz / Journal of Loss Prevention in the Process Industries 43 (2016) 721e729
called D-higraphs Rodriguez and Sanz (2009) for this purpose.
References
Abdulkhaleq, A., Wagner, S., 2014. A-stpa: open tool support for system-theoretic
process analysis. In: MIT (Ed.), STAMP Workshop 2014.
Bertalanffy, L., 1968. General Systems Theory. George Braziller, New York.
BSI Standards, 2001. Hazard and operability studies (HAZOP studies). Application
Guide. Technical Report. British Standard.
Bullemer, P., Laberge, J., Nov. 2010. Common operations failure modes in the process
industries. J. Loss Prev. Process Industries 23 (6), 928e935.
Cassano-Piche, A., Vicente, K., Jamieson, G., 2009. A test of Rasmussen’s risk man-
agement framework in the food safety domain:BSE in the UK. Theor. Issues
Ergonomics Sci. 10, 283e304.
Center for Chemical Process Safety, 1999. Guideline for Hazard Evaluation Pro-
cedures. Technical Report. AIChE, New York, NY.
Checkland, P., 1981. Systems Thinking, Systems Practice. Wiley, New York.
De Rademaeker, E., Suter, G., Pasman, H.J., Fabiano, B., Mar. 2014. A review of the
past, present and future of the european loss prevention and safety promotion
in the process industries. Process Saf. Environ. Prot. 92 (4), 280e291. http://
dx.doi.org/10.1016/j.psep.2014.03.007. ISSN 09575820.
Dunjo, J., Fthenakis, V., Vílchez, J. a., Arnaldos, J., Jan. 2010. Hazard and operability
(HAZOP) analysis. A literature review. J. Hazard. Mater. 173 (1e3), 19e32. http://
dx.doi.org/10.1016/j.jhazmat.2009.08.076. ISSN 1873-3336.
Hollnagel, E., 2004. Barriers and Ac cident Prevention. Ashgate Publishing Limited,
Aldershot.
Hollnagel, E., 2012. FRAM- the Functional Resonance Analysis Method: Modelling
Complex Socio-technical Systems. Ashgate, Farnham, UK.
Leplat, J., 1984. J. Occupational accident research and systems approach. J. Occup.
Accid. 6 (1e3), 77e89.
Leveson, N., 2002. A systems model of accidents. Int. Syst. Saf. Soc. Unionv. U. S. A.
Leveson, N., 2003. White paper on approaches to safety engineering. Technical
Paper. MIT.
Leveson, N., 2004. A new accident model for engineering safer systems. Saf. Sci. 42
(4), 237e270.
Leveson, N., 2011a. Applying systems thinking to analyze and learn from events. Saf.
Sci. 49, 55e64.
Leveson, N., 2011b. Engineering a safer world. Systems Thinking Applied to Safety.
The MIT Press. ISBN 9780262016629.
Levenson, N., Thomas, J., 2013. An STPA primer. Technical Report. Massachusetts
Institute of Technology, Boston.
Leveson, N., Stephanopoulos, G., 2014. A system-theoretic, control-inspired view
729
and approach to process safety. AIChE J. 60 (1), 2e14. http://dx.doi.org/10.1002/
aic.14278. ISSN 1547-5905. http://dx.doi.org/10.1002/aic.14278. URL.
Mannan, S., 2004. Lees’ Loss Prevention in the Process Industries: Hazard Identi-
fication, Assessment and Control. Elsevier Science & Technology Books. ISBN
9780750675550.
Mannan, S., Prem, K., Ng, D., 2010. Challenges and needs for process safety in the
new millennium. In: 13th International Symposium Loss Prevention and Safety
Promotion in the Process Industries, 1. Technologisch Instituut vzw, Antwerpen,
BE, pp. 8e13.
Meadows, D., Wright, 2009. Thinking in Systems: a Primer. Routledge.
Nimmo, I., 1995. Abnormal situation management. Process Control Eng. 49 (5).
Pasman, H., 1998. 50 years of improvement to safety. In: NRIFD (Ed.), Proc. Int.
Workshop on Safety in the Transport, Storage and Use of Hazardous Materials,
Tokio, Japan.
Pasman, H.J., Knegterning, B., Rogers, W.J., 2013. A holistic approach to control
process safety risks: possible ways forward. Reliab. Eng. Syst. Saf. 117, 21e29.
Rasmussen, J., 1997. Risk management in a dynamic society: a modelling problem.
Saf. Sci. 27 (2e3), 183e213.
Rodriguez, M., Sanz, R., 2009. Model. using Higr. Integrating approach 26, 871e876.
Shorrock, S., Leonhardt, J., Licu, T., Peters, C., 2014. Systems thinking for safety: ten
principles. A White Paper. Eurocontrol.
Soken, N., Bullemer, P., Ramanathan, P., Reinhart, B., 1995. Human-computer
interaction requirements for managing abnormal situations in chemical process
industries. In: Proceedings of the ASME Symposium on Computers in Engi-
neering, Houston, TX.
Stephanopoulos, G., Reklaitis, G.V., 2011. “Process systems engi- neering: from
solvay to modern bio- and nanotechnol- ogy. A history of development, Suc-
cesses and prospects for the future”. Chem. Eng. Sci. 66, 4272e4306.
Underwood, P., Waterson, P., 2012. In: Stanton, Neville (Ed.), A Critical Review of the
STAMP, FRAM and Accimap Systemic Accident Analysis Models in Book: Ad-
vances in Human Aspects of Road and Rail Transportation. CRC Press,
pp. 385e394. Chapter: 39.
Venkatasubramanian, V., 2011. Systemic failures : challenges and opportunities in
risk management in complex systems. AIChE J. 57 (1), 2e9. http://dx.doi.org/
10.1002/aic.
Waterson, P., Jenkins, D., 2011. Lessons learnt from using AcciMaps and the risk
management framework to analyse large-scale sys- temic failures. In:
Anderson, M. (Ed.), Contemporary Ergonomics and Human Factors.
Wilson, J., 2014. Fundamentals of systems ergonomics/human factors. Appl. Ergon.
41 (1), 5e13.
Woods, D., Dekker, S., Cook, R., Johannsen, L., Sarter, N., 2010. Behind Human Error.
Ashgate.