A basic law of physics states that for every action there is an equal and opposite reaction. Translating that law into the world of risk analysis, we might state that for every action (even a risk mitigation action) there are consequences—and not all of those consequences are (1) clearly identified, (2) fully understood, and/or (3) good. Even when the initial actions are an effort to mitigate a perceived risk, the range of consequences (that is, reactions) can sometimes create another set of hazards and possibly larger risks than initially addressed.
The complexity of safety instrumented systems facilitates the creation of at least four types of new hazards that should be addressed. First, some consequences that may result from the proper functioning of a single safety system may not be desirable. Second, the accumulative and interactive effects when multiple safeguards function properly may cause unexpected and unwanted consequences. Third, unanticipated and sometimes unwanted consequences at seemingly remote locations may occur. Fourth, and finally, because of interactions with other control components, safety instrumented systems can easily create several layers of risk abatement actions cascading from the initiating event, making it virtually impossible for operations personnel to troubleshoot and correct the original anomaly in a timely manner—adding yet another hazard to the operations.
This article addresses the potential of creating “downstream” or remote hazards by the installation of safety instrumented systems and then discusses how and when consequence analyses should be expanded to identify these potential new hazards. This is done using the life cycle approach for the design and maintenance of safety instrumented systems discussed in the newly published CCPS book, “Guidelines for Safe and Reliable Instrumented Protective Systems.” It is not possible to delineate every variation of how successful activation of basic process controls and safety instrumented systems might lead to the problems described in this article. Rather, this article is a sampling intended to cause the reader to think more seriously about how successful activation of systems intended to protect the process might, in fact, create new hidden hazards remote from the initiating event. © 2006 American Institute of Chemical Engineers Process Saf Prog, 2007