Process Safety Models: Cheese, Chains, or Cords?

The Swiss cheese model is often used to represent process safety. The individual slices represent different defenses or barriers, and the holes represent the potential for a barrier to fail. If the holes should align, the hazard passes through every barrier and the consequence is realized. Weaker barriers have bigger or more holes than stronger barriers. The model usefully captures the idea of layers of protection, and of those layers being challenged in sequence, but it relies upon the abstract notion of dynamic holes that vary in size and location, and, in illustration, it requires a perspective drawing. It is an appealing picture that immediately conveys the primary concern, multiple concurrent failures; it is perhaps less good at representing the integrated nature of process safety.

Barriers or defenses that consist of multiple elements are sometimes thought of as chains because the elements must all work together if the barrier is to be effective. This is not really an accurate analogy, however. "A chain is only as strong as its weakest link" because each link carries an identical load, so the first link to break fails the whole chain. This is not true of process safety protection chains. In terms of protection, the strength of an element corresponds to the probability that it fails when called upon (its probability of failure on demand). If the strength of one element is increased (its probability of failure reduced), the strength of the entire chain is enhanced, because the strength of a protection chain corresponds with the aggregate probability of failure of all the elements: for independent elements that is the product of their individual failure probabilities, which is always smaller than the weakest element's alone. The all-work-together concept is potentially useful for our purposes in modeling protection, but the "weakest link" notion is so strongly associated with chains that this militates against their adoption.


As an alternative, we might adopt a model of a "suspended load," which might be considered more complete in representing the idea of an integrated system. In this model, which can be illustrated without using perspective, process safety is represented as an arch carrying a suspended load that represents the process hazard. The arch represents inherent safety: those design provisions that mean there is a low danger level even if the active systems should fail. A load-hazard above the arch cannot be realized as long as the inherent safety provisions are maintained (but it may be realized if uncontrolled changes are introduced that undermine those provisions). If the suspended load is dropped, the hazard event will be realized. The load is suspended by a number of cords, each of which represents a different defense or barrier. These cords are of different lengths. The shortest carries the load; if it should fail, the load transfers to the next shortest. The cords may also have different strengths, corresponding with their probability of failure. A typical arrangement would be a pressure-control system backed up with a high-pressure trip function, backed up, in turn, by a relief system. In normal operation the load is carried by the control system and the other cords are slack. It is only if the control system cord should fail that the load is placed upon the high-pressure trip cord. If that cord should fail, or be disconnected by an override, the load is placed upon the relief system cord. If all cords are compromised, the load is dropped and the hazard event is realized. The model assumes the cords fail independently; a shared dependency (a common sensor, power supply, or utility) can cut several cords at once, and the aggregate failure probability is then much worse than the product of the individual ones.
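To make the difference between the chain ("weakest link") arithmetic and the cord model concrete, the following is an added worked example; it is not code from the original article. It takes the pressure-control / high-pressure-trip / relief arrangement described above, assigns each cord a constructed probability of failure on demand, and computes the hazard probability three ways: as the weakest link, as independent cords in series (the product), and with an added common-cause term. A small seeded simulation then plays out demands in cord order, including a bypassed (overridden) trip. All probabilities, layer names and the `Layer` class are assumptions for illustration.

```python
"""Layered-defence arithmetic for the suspended-load (cord) model.

Added example, not part of the original article.  Failure probabilities,
layer names and the Layer class are constructed for illustration only.
"""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple, Dict


@dataclass
class Layer:
    name: str
    pfd: float               # probability of failure on demand (constructed)
    bypassed: bool = False   # True models an override: the cord is disconnected


# Constructed example: shortest cord first, i.e. the order in which the
# load transfers when the previous layer fails.
LAYERS: List[Layer] = [
    Layer("pressure control", 0.1),
    Layer("high-pressure trip", 0.01),
    Layer("relief system", 0.001),
]


def weakest_link(layers: List[Layer]) -> float:
    """Chain analogy: the whole is no better than its worst element."""
    active = [l for l in layers if not l.bypassed]
    return max(l.pfd for l in active) if active else 1.0


def independent_series(layers: List[Layer]) -> float:
    """Cord model: the load is dropped only if every active cord fails.
    A bypassed cord contributes a failure probability of 1 (it is slack)."""
    p = 1.0
    for l in layers:
        p *= 1.0 if l.bypassed else l.pfd
    return p


def with_common_cause(layers: List[Layer], p_shared: float) -> float:
    """Add a shared dependency that cuts every cord at once with
    probability p_shared; otherwise the cords fail independently."""
    return p_shared + (1.0 - p_shared) * independent_series(layers)


def demand_outcome(layers: List[Layer], rng: random.Random) -> Optional[str]:
    """Play out one demand: the shortest active cord takes the load; if it
    fails, the load moves to the next.  Returns the name of the cord that
    held, or None if the load was dropped (hazard realised)."""
    for l in layers:
        if l.bypassed:
            continue
        if rng.random() >= l.pfd:   # cord holds
            return l.name
    return None


def simulate(layers: List[Layer], demands: int, seed: int = 1) -> Tuple[Dict[str, int], float]:
    """Count which cord carried the load on each demand and the fraction
    of demands on which the load was dropped."""
    rng = random.Random(seed)
    held = {l.name: 0 for l in layers}
    dropped = 0
    for _ in range(demands):
        who = demand_outcome(layers, rng)
        if who is None:
            dropped += 1
        else:
            held[who] += 1
    return held, dropped / demands


if __name__ == "__main__":
    print("weakest link       :", weakest_link(LAYERS))
    print("independent series :", independent_series(LAYERS))
    print("with common cause  :", with_common_cause(LAYERS, 0.001))
    overridden = [Layer(l.name, l.pfd, bypassed=(l.name == "high-pressure trip")) for l in LAYERS]
    print("trip overridden    :", independent_series(overridden))
    print("simulation         :", simulate(LAYERS, 10_000))
```

Two things the numbers show that the prose only asserts: strengthening any single cord (say, the trip from 0.01 to 0.001) lowers the product by the same factor, so the chain is strictly stronger than its weakest link; and a common-cause probability of 0.001 dominates a product of 10^-6 by three orders of magnitude, which is why independence of the cords matters more than the strength of any one of them.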
