Preliminary safety analysis
and Cris Whetton
Department of Mechanical and Process Engineering, University of Sheffield, PO Box 600, Sheffield, UK
Received 21 July 1992
Various major safety studies are carried out at appropriate stages during a project. Many companies do some form of preliminary analysis at points between initial project concept and when the process design is completed. These studies aim to ensure that the decisions on process design and site selection take full account of process safety requirements and related risk and environmental constraints. Methods have been incorporated and developed during this work to take account of best industrial practice for such safety studies. These are listed under the general heading of preliminary safety analysis (PSA) and are carried out from the time of the concept safety review until such time as reasonably firm process flow diagrams or early P&I diagrams are available. The methods included are as follows:
- concept safety review (CSR)
- critical examination of system safety (CE)
- concept hazard analysis (CHA)
- preliminary consequence analysis (PCA)
- preliminary hazard analysis (PHA)
These have been developed from a model of the plant and its interpretation as part of an incident scenario. The emphasis throughout is on utilizing the best points to start the search to identify undesired events contributing to the development of accidents. For the main method described, preliminary hazard analysis, this search has as its starting point and fulcrum the dangerous disturbances of plant which arise at a point in the incident scenario just after emergency control measures have failed to control the situation. The study should be conducted using risk evaluation sheets which model each stage of the incident scenario and allow for a short-cut assessment of risk when this is desired. The above methods are demonstrated by part of a simplified case study. The methods function well and provide not only a good model of incident scenarios but are readily developed into fault and event trees and operating procedures. They are invaluable for the development of safety reports for regulatory authorities. Furthermore, by not imitating HAZOP methods they strengthen the effectiveness of the search process. (Keywords: process safety; hazard analysis; note assessment)
The purpose of preliminary safety analysis
Preliminary safety analysis is a systematic approach to the identification of potential hazards and hazardous conditions which is carried out at an early stage of the design of the plant, before the commencement of detailed engineering (except for specially selected items). It aims to make safety objectives more readily tenable by subsequent design, engineering, realization, commissioning and productive methods. It suggests ways to challenge the design and encourages an understanding of the consequences of failures as well as identifying the principal incident scenarios stemming from deviations from normal or expected behaviour.

The objective of a preliminary safety analysis is not to identify all possible scenarios and initiators of incidents. It is to consider any impact (either safety, health or environmental) which the project may have either on-site or off-site and identify significant hazards. Special attention is paid to loss of containment leading to a significant release of material which can have major consequences, usually resulting in harm or damage to the system and its total environment. The preliminary safety analysis should also identify those changes to process conditions which could lead to an adverse discharge leading to the consent levels for gaseous, liquid or solid effluents being exceeded. Where the project can create significant on-site or off-site impacts, then the risk of such consequences should be evaluated and compared with appropriate criteria in order to determine whether further action must be taken to reduce the risk or abandon the project in its present form. In some cases a quantified risk analysis should be completed.

Concept safety review follows or is incorporated in the review of the scope of the project and provides the means for an early assessment of safety, health and environmental hazards. It links in with other project work beginning at this time and contributes to key policy decisions such as siting and preferred route.

A concept hazard analysis is used for the identification of hazard characteristics to identify areas which are recognized as being particularly dangerous from previous incidents. It also identifies the need to explore any difficulties which might be experienced with unwanted reactions. As well as identifying environmental damage, the analysis may also consider whether the proposal fulfils the green policies of the company.

A critical examination of system safety is used either to eliminate or to reduce the possible consequences of a hazardous event by an early study of the design intent of a particular processing section. This should be carried out at an early stage and well before the process design is completed.

A preliminary consequence analysis can be used to identify likely major events. Such studies assist in the selection of the site if this is a required project objective. This is an abbreviated form of preliminary hazard analysis in which gross assumptions are made for the frequency of events. It enables the major events which may result from the process to be identified. The event tree section of the HAZCHECK knowledge base provides the necessary information on the development of incident scenarios.

A review of health hazards should consider measures proposed to prevent employees being exposed to either chronic or acute health hazards and should be carried out considering periodic emissions and fugitive emissions.

A preliminary hazard analysis is undertaken to identify applicable hazards and their possible consequences with the aim of risk reduction: i.e. to reduce the frequency of significant consequences to an extent that is comparable with project and manufacturing objectives and which meets the constraints imposed by regulatory and local authorities. It should be carried out at a stage when change in the design is still possible.

The methods listed above are a compilation of techniques used in industry. Several of these have been described by Turney 1990⁵ and James 1992². This work has modified the way they are carried out and has modified the documentation procedure. The technique developed for preliminary hazard analysis is, as far as we are aware, original.

0950-42301921010047-14 © 1993 Butterworth-Heinemann Ltd
Preliminary safety analysis: G. Wells et al.

process development, available processes and whether these will be licensed, the availability of alternative sites and modes of transport of raw materials and products, the availability of experience within the company and site etc. It may be that a particular project does not require study of all these items and it is as well to make such matters clear at the start. Subsequently the concept safety review should determine the need for safety reviews and their timing.

Information should be obtained on the safety, health and environmental hazards of all chemicals and materials involved in the new process. This should take account of both individual and collective properties of materials. Helpful information is contained in regulations such as COSHH and CIMAH in the UK. General appreciation should also be generated of the main hazards presented by the plant such as fire, explosion and release of harmful substances such as corrosive and toxic gases and liquids, effluent, radioactive materials etc.

The study should review information on previous incidents on the plant using both information available on incidents within the company and its affiliates and information available from global sources. For a project under development the latter information should be augmented by studies of the route and incidents affecting plants using related reactions.

At each site under consideration it is necessary to consider on-site and off-site transport of raw materials, products and wastes including loading, off-loading, type of transport and route. The requirements for facilities and services, emergency planning, interaction with other plants etc. must be examined.

The study should consider all organizational factors affecting the project including the availability of experienced staff both within the company and at the site. This experience should be reviewed in terms of general experience, experience of related plants and specific experience of the plant. Means to overcome any problems should be discussed. The impact of the plant on the general health and safety management policy of the site should be identified.

Criteria should be established for all safety, health and environmental factors with which the plant must comply together with relevant company standards, national legislation and other regulatory approvals and consents. Any effect on the position of the site with respect to effluents and emissions and status under CIMAH regulations must be reviewed. General project criteria should be defined including the codes of practice to be followed and the extent and timing of all safety reviews.

The preliminary concept safety review should be a means by which improvements in design procedures are made known to the designers and by which it is ensured that current thinking on ways of improving the design practice is implemented.
potential to cause harm, including: ill-health and injury; damage to property, plant, products or the environment; production losses; business harm and increased liabilities. Ill-health includes acute and chronic ill-health caused by physical, chemical or biological agents, as well as adverse effects on mental health. Hazards are system independent. They can be split into the categories: chemical, thermodynamic, electrical and electromagnetic and mechanical. Chemicals can be further subdivided into toxics, flammables, pollutants and reactants. Further lists can be used to identify health hazards. A hazard is any potential source of threat or potential danger. There is a need to identify external threats to the system and these include unplanned changes in the plant or its use.

It is important to distinguish between a hazard and a hazardous condition. A hazard is solely a qualitative term but a hazardous condition includes a quantitative element in its description of a hazardous state, e.g. the amount of hazardous material used. It is not an undesired event in itself, but has the potential to induce one or more undesired or dangerous events. Hazardous characteristics embrace both hazards and hazardous conditions. Hence when reference is made to hazard identification, it is more often than not the identification of hazardous characteristics which is of concern. After all a hazard can be identified with relative ease. It is the impact of a hazard and the frequency of occurrence which is difficult to estimate.

The structure of a concept hazard analysis

The methodology of a concept hazard analysis is shown in Table 1. A concept hazard analysis may be commenced at a stage when the block diagrams or a preliminary process flow diagram are available. It aims to identify the main hazards which the proposed plant will generate or face. The approach used can vary considerably from a general identification of hazards to a thorough look at each section of plant. Usually each section of the plant is evaluated at a preliminary meeting considering the items given in Tables 2 and 3. A list of streams and substance characteristics should be prepared beforehand by process engineering. A brief review of each stream is generally helpful and describes the process. The report should be updated as actions are taken or resolved with respect to safeguards and the assembly of further information. As fresh hazardous conditions are identified these can be incorporated within the record for appropriate action.

The keywords in Tables 2 and 3 are related to specific hazardous events. The perceived dangers are noted together with suggestions for safeguards (the latter denoting a general aim rather than an actuality). Appropriate comments are added for action. As well as identifying general hazards the opportunity is taken to add any specific hazards for which the equipment has previously given problems. Various companies use different keywords and additional ones include off-specification, fire, effluents, loss of services etc.

Table 1 Methodology of a concept hazard analysis
- Assemble a study team
- Define the objectives and scope of the study
- Agree a set of keywords
- Partition each process flow diagram or block diagram into reasonably-sized sections
- Identify the dangerous disturbances and consequences generated by each keyword
- Determine if the hazard can be designed out or the hazard characteristics reduced
- Determine any protections and safeguards
- Determine comments and actions
- Report using proforma

Table 2 Keywords
Categories: Chemicals; Pollutants; Health hazards; Electrical/radiation hazards; Thermodynamic hazards; Mechanical hazards; Mode of operation; Release of material; Loss of services; External threats
Keywords, in the order printed: Flammables; Ignition; Fire; Explosion/detonation; Toxicity; Corrosion; Off-specification; Emissions; Effluents; Ventilation; Chemical contact; Noise; Illumination; Electrical; Radiation; Laser; Overpressure; Underpressure; Over-temperature; Under-temperature; Structural hazards; Collapse, drop; Start-up; Shutdown; Maintenance; Abnormal; Emergency; Release on rupture; Release by discharge; Fugitive emissions; Periodic emissions; Handling; Entry; Electricity; Water; Other services; Accidental impact; Drop/fall; Act of God; Extreme weather; External interference; Loosening/vibration; Vibration; Sabotage/theft; External energetic event; External toxic event; External contamination; Corrosion/erosion
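The Table 1 procedure lends itself to a simple proforma check, shown here as an added example that is not part of the paper. The section names, the keyword subset and the sample rows are constructed for illustration and are not the paper's Table 4.

```python
from dataclasses import dataclass, field
from itertools import product

# Keywords agreed by the study team (a subset of Table 2, chosen for illustration).
KEYWORDS = ["Flammables", "Overpressure", "Over-temperature", "Vibration"]
# Sections obtained by partitioning the flow diagram (hypothetical names).
SECTIONS = ["methanator", "compressor"]


@dataclass
class ProformaRow:
    ref: int
    section: str
    keyword: str
    disturbance: str = ""        # empty: keyword examined, no disturbance found
    consequences: str = ""
    designed_out: bool = False   # hazard removed by a design change
    safeguards: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def unexamined(sections, keywords, rows):
    """(section, keyword) pairs for which the team has recorded nothing yet."""
    seen = {(r.section, r.keyword) for r in rows}
    return [pair for pair in product(sections, keywords) if pair not in seen]


def unprotected(rows):
    """Refs with a dangerous disturbance that is neither designed out nor safeguarded."""
    return [r.ref for r in rows
            if r.disturbance and not r.designed_out and not r.safeguards]


def open_actions(rows):
    """Flat (ref, action) list for the follow-up report."""
    return [(r.ref, action) for r in rows for action in r.actions]


# Constructed sample records.
ROWS = [
    ProformaRow(1, "methanator", "Flammables", "Release on rupture",
                "Torch fire", actions=["Establish isolation policy"]),
    ProformaRow(2, "methanator", "Over-temperature", "Runaway reaction",
                "Chemical explosion", safeguards=["High temperature alarm"]),
    ProformaRow(3, "methanator", "Overpressure", "Blocked outlet",
                "Rupture of equipment", safeguards=["Relief valve"]),
    ProformaRow(4, "methanator", "Vibration"),
    ProformaRow(5, "compressor", "Vibration", "Loosening of flange",
                "Release of material", safeguards=["Vibration probe"],
                actions=["Agree maintenance policy"]),
    ProformaRow(6, "compressor", "Overpressure", "Excess recycle",
                "Physical explosion", designed_out=True),
]

if __name__ == "__main__":
    print("Not yet examined:", unexamined(SECTIONS, KEYWORDS, ROWS))
    print("No safeguard recorded:", unprotected(ROWS))
    print("Open actions:", open_actions(ROWS))
```
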
in concept
hazard
analysis event Consequences/problems Fire: flash, torch, pool Chemical explosion Physical explosion Vapour cloud explosion Electrical explosion Absorption, inhalation, ingestion Contamination of environment Disposal, incineration, storage, landfill Asphyxia Acidity, alkalinity, exposure Separation or accumulation
Undesired
Release on rupture Release by discharge Entry of vessels Handling Ignition Release on rupture Release by discharge Entry of vessels Handling Fugitive emissions Periodic emissions, washings Emergency emissions Human contact with chemicals Human contact with heat or cold Noise Illumination Radiation Accidental impact, vibration Act of God, natural causes Abnormal environmental extreme External interference, loosening Drop, fall Theft, hooliganism Force majeure, sabotage External energetic events External toxic events External contamination Corrosion, erosion Unintended reactions Difficulties with intended reactions Presence of dangerous (toxic) substances Products of combustion Corrosion etc. Overpressure Underpressure Over-temperature Under-temperature Overheating Overcooling Fluid jet effects Inadequate mechanical integrity Corrosion, erosion Wrong status of equipment, valves, emergency relief etc. Overload/stress/tension Mechanical energy/inertia Mechanical weakness Loss of structural integrity Charge, current, High voltage Dangerous initiators magnetism
of toxicity, biological activity of fire, contact with hot bodies, cold surfaces of exceeding acceptable noise levels of glare, mist, fog, contrast, smoke of radioactive materials
External
threats
Harm, damage and removal of equipment Harm, damage and death of personnel Release of material Adverse discharge Loss of supply Loss of services Item breaks on impact
Reactions
Rupture of equipment Impulse blows Weakening of materials of construction Failure or damage of equipment
to
or emergency
discharge
Rupture of equipment, change in material properties Failure of equipment or structure, transient effects, forces Impulse blows, fragility, vibration Failure of structure, collapse, object dropped Explosion, spark, shock, heat transfer, Shock to personnel Release of material Off-specification material Release of material Common cause failures Off-specification material ionization
Electrical
hazards
Equipment
problems
disturbances
or incident
or incident
1993, Vol 6, No 1
An example of a concept hazard analysis is applied to the methanator section of a hydrogen plant in Table 4. An early P&I diagram of this plant is given in Figure 1. The process involves removing small quantities of oxides of carbon from a hydrogen product by reaction with hydrogen at 400°C and 20 bar.

Some companies may prefer at this point to use HAZOP keywords to highlight further problem areas. Such actions are more likely to be taken if this study is carried out as a form of preliminary hazard analysis. Such action is not recommended as it is important to use alternative search procedures at different stages in project development.

The documentation shown here is more extensive than that independently developed at BNFL². These simply document keywords, discussion and action/recommendations. This approach has the advantage of speed and is particularly recommended when the initial information is scanty and one objective is to give advice to the designer team.

The study undertaken at this stage will vary considerably according to the knowledge which the participants have about the process. Many projects considered by industry are modifications to process plant, costing up to £1 million (1992 values). For these considerable information will be available. In other projects the study can be used to transfer information from process licensers etc. In the case of a development project the study can highlight key safety areas requiring further study. Thus it is important to determine whether both a concept hazard analysis and a preliminary safety analysis are required.

The method

Examples of the method are given in Table 5 and these should be consulted to ascertain the format to be used. The first feature of the method is to write down a statement of the design intent describing clearly what is to be done or achieved and how this is to be accomplished. Individual statements may be necessary for some processes or task activities covering all the what, when, how, where and who questions of the proposal. If the plant is not in normal operation for the purpose of the study then this must be stated, identifying in minimum detail the change of state achieved by an operation, reaction or activity. This usually indicates the operating conditions and equipment involved but not the full details. These are made available to the analyst in other documents. A similar statement is subsequently added indicating any dangerous condition, here defined as one leading to a dangerous disturbance of plant.

Each significant aspect of the achievement is then probed by querying the proposal or existing facts and its purpose. The aim is to expose the strengths and weaknesses of the present situation. The emphasis is on how to avoid the dangerous conditions noted and not on how to improve the process economics etc. Such conditions should be those which are essentially a function of the process and its structure rather than a list of standard features which are automatically checked (for example the loss of lubricating oil to a compressor).

Alternatives are then generated. Some keywords with which to systematically associate each significant part of the achievement are given in Table 6. Doubtless other effects than those noted can be generated. However the important matter is that a structure is given to aid the generation of possible improvements. For a safety study it is important to examine how the proposal is achieved, paying particular attention to the following:
- materials: change the quantities or qualities/use extra or different materials
- method: change the operating conditions or activities/change the route and method of processing/change the sequence, frequency, absolute time or duration
- equipment: use different equipment

The impetus for change should be to make the frequency of a major incident less likely and to lessen the consequences of such an incident. The technique, when applied in this manner, ensures that an attempt has been made to improve the inherent safety of the proposed system by using a formal procedure rather than leaving it as a matter for consideration by individuals.

It is also essential to study any dangerous condition and its cause. These should be readily identifiable from an equipment knowledge base or the knowledge of the process engineer. Then the keywords are used to effect analysis. Alternatives or modifications can be
Ref. no
Keyword
Dangerous disturbance
Release on rupture
Flammables
Release on emergency
3 runaway reaction in
Flammables
Reaction
Exothermic methanator
Air in combustion
vessels
on catalyst
6 Off-specification H? to downstream plant. This can cause runaway reaction with chemical explosion
Pollutants Water with high sodium salts Fire-water will flood. River receives minor contamination Noise in compressor area
Effluent to sewer
Check effect on current treatment Check other sewers in area for contamination
Pollutants
Pollutants
Noise
Building would cause explosion hazard Two relief valves in circuit. High pressure alarm
in danger
Overpressure
Overpressure plant
in hydrogen
High pressure caused by inadequate release of excess gas to fuel gas or blockage or incorrect valve status causes explosion Runaway reaction (see above) Excess recycle of hydrogen around compressor can result in physical explosion Stress in compressor caused by two phase feed due to liquid blowby from KO Pot can result in physical explosion Loosening of flange gives release. Possible torch fire Loss of material to safe point. Could ignite as minor torch fire
11 in methanator in compressor
Over-temperature
Over-temperature
12
Over-temperature
Over-temperature
High temperature
alarm on loop
13
Overload of compressor
14 at compressor
Abnormal
opening
Vibration
Vibration probe
15
Abnormal
opening
Spurious relief
Consider need for lock open valve after RVs or bursting disc before RVs.
Table 4 Continued Consequences Suggested safeguards See item 4 Blockage of sodium salts at top of reactor (causes channelling) Bed of ceramics on top of reactor Improved heat exchanger network or start-up line Separate hydrogen stream may be needed Analyse outlet stream for CO, and alarm Temperature alarm. Analyse for CO, in outlet Not critical Establish requirement Failure to preheat bed Failure to activate Off-specification product affects downstream plant Off-specification product affects downstream plant High temperature See overload (item 12) Increased flammables Overload due to two phase flow from KO Pot (item 13) Stress due to loss of lube oil flow at inlet at outlet High recycle flow under control (item 12) Failure of cooling water to after-coolers High recycle flow not under control (item 10) Failure of control system Vibration probe (item 14) Loosening by maintenance requires absolute isolation of a high pressure low molecular weight gas Maintenance policy must be agreed together with standby provision 2 x 60% compressors preferred. Need double block and bleed systems plus nitrogen purge Relief valve on outlet. High pressure alarm High temperature alarm on outlet After-coolers should be on diagram Alarm on low lube oil pressure. Shutdown by trip system in sewer (item 3) Low level alarm. Trip system on low level to KO Pot Check requirements at base in design intent Comments/action
Ref. no
Keyword
Dangerous disturbance
16
Equipment: methanator
Exothermic runaway
17
Equipment: methanator
Blockage
16
Equipment: methanator
Start-up
19
Equipment: methanator
Activation of catalyst
Obtain information from manufacturer Determine policy for off-specification gas (see items 6, 20) Plant requires complete shutdown if the methanator cannot be preheated (see item 17) Cooling water temperature monitored Check requirements must be for dephlegmator
20
21
22
Equipment: cooler
23
Equipment: KO Pot
Liquid blowby
24
Equipment: KO Pot
Gas blowby
25
Equipment: compressor
Overload
26
Equipment: compressor
Overload
27
Equipment: compressor
Over-temperature
28 at inlet
Equipment: compressor
Over-temperature
29
Equipment: compressor
Overpressure
30
Equipment: compressor
Overpressure at outlet
31 of compressor
Equipment: compressor
Vibration at compressor
32
Equipment: compressor
Maintenance
Table 5 Critical examination DESIGN INTENT: oxides of carbon oxides of carbon Query proposal oxides
of methanator
A fixed-bed catalytic reactor, operating at 20 bar, 400C inlet, 450C outlet, converts (maximum 2%) in a stream of hydrogen into a hydrogen product stream containing
Response Oxides of carbon affect downstream catalyst on aromatics plant No addition materials of further
Generate
alternatives
Eliminate methanator here and install on aromatics plant only Alter by using pressureswing adsorption system upstream Alter the catalyst or use a larger size of bed Modification/control increase capacity of absorption unit using an absorption train
Review next
Why at 400X?
for
No safety advantage
Reject
Dangerous
condition
by
Requires the diversion of upstream flow from methanator by shutdown system Long-term effort required
Improve metallurgy of reactor to withstand maximum temperature during upset condition increase cooling of reactor by external quench
Review
later
suggested. The analyst should try to avoid only recommending measures to control the situation or shutdown plant. These should be a back-up only to other protective barriers. There is no reason to complete the study of both sections independently. The dangerous condition affects the decisions made on how the process should be achieved and vice versa.
Preliminary
consequence
analysis
A preliminary consequence analysis of major incidents examines the impact of what might occur on a particular process plant. It is usually carried out as soon as a description of the process flow diagram is available. If the site is to be selected it may be done very early. Such a study may well only consider pipe breaks and common leaks. The analysis can be carried out following critical examination before a decision is made to proceed with more extensive design. Although here the emphasis is on plant it is necessary to do similar studies on the transport of raw materials and products. Process information In order to ascertain the problems, it is necessary to identify the proposed site and effect an approximate layout of the plant. The basic information required is
listed below and some of this information is subsequently transmitted to regulatory and planning authorities when required. Information should be obtained on the nature and scale of the use of dangerous substances at a site and how the proposed activity fits in with the existing requirements of regulatory bodies, local authorities, river authorities, etc. (see the preliminary concept safety review). This information is also required on every dangerous substance involved in the activity. This should indicate the concentrations of those materials likely to be present and the names of the main impurities. Inventory levels of vessels are required and the analyst requires information on the possible impact of any hazardous chemicals on people and the environment. Information normally noted about a major hazard installation is given in the CIMAH regulations4 and includes the following items. A map of the site and its surroundings, to a scale large enough to show any features that may be significant in the assessment of the hazard or risk associated with the site. If the environment is at risk then it may be necessary to show the site and surrounding area on a scale that is large enough
1993, Vol 6, No 1
55
Preliminary
safety analysis:
G. Wells et al.
Table 6 Continued Segregate by distance, barriers, duration and time of day Segregate plant items to avoid certain commonmode failures Segregate fragile items from roads, etc. Isolate plant by shutdown isolation valves systems, emergency
keyword
dictionary Segregate
Eliminate by a completely different method or part of a method Eliminate certain chemicals, change the route, use a lean technology Eliminate additives, solvents, heat exchange mediums, additives Change the equipment or processing method Eliminate leakage points; use a weld not a bolted fitting, etc. Eliminate a prime mover or heat exchange or agitator Eliminate a separation stage or step Eliminate intermediate storage Eliminate an installed spare Eliminate manual handling Eliminate sneak paths, openings to atmosphere Eliminate waste Eliminate entry into vessels or disconnection Eliminate products that are harmful in use Eliminate an ignition source, particularly permanent flame Avoid extremes of operating conditions Avoid operating in a flammable atmosphere Avoid possible layering of materials, inadequate mixing Avoid flashing liquids, particularly in extensive heat exchanaer networks Avoid production of large quantities of dangerous intermediates Avoid unwanted reactions in and outside reactors Avoid operating near extremes of materials of construction Avoid operating conditions leading to rapid deterioration of plant Avoid maintenance on demand and in short time periods Avoid items of plant readily toppled by explosions Avoid stage, step or activity by doing something as well as or instead of Modify any topics above Modify batch operation to continuous or vice versa operation
Isolate Improve
Improve plant integrity, reliability and availability Improve control or computer control. Use userfriendly controls Improve response Improve quality of engineering, construction, manufacture and assembly
Avoid
(1:lOO 000) to show all the significant features of the natural and built environment. A scale plan of the site identifying the location and quantities of all significant inventories of the dangerous substances. A description of the process or storage involving the dangerous substance, its inventory and an indication of the conditions under which it is normally held. The maximum number of persons likely to be present on site. Information about the nature of the land use and the size and distribution of the population in the vicinity of the industrial activity to which the report relates. The general information should be sufficient to enable any external threats to the plant to be identified including adjacent plants, major hazard sites in the locality, roads etc. Information on effluents, noise, risk etc. should be assembled. This data should be supplemented by information on the arrangements for safe operation of the site and the new activity, the emergency planning requirements and the requirements for additional expertise for the operation of the plant. A safety audit of the management and organization should be carried out if not carried out earlier for other projects. Preliminary consequence analysis of major hazards The preliminary consequence analysis of major hazards will not give an accurate assessment of the frequency of any incident or the measures used to control or avoid the release. It should however consider ways of dealing with the resulting emergency and instigating the emergency response. The report should at this stage concentrate on the response to the emergency rather than countermeasures to a specific release. However due attention must be given to the possible escalation of the incident, including escalation as a result of mitigating efforts such as fighting fires. The main factors to be considered in the modelling of the behaviour and impact of a substances on release are:
Modify
Alter
Alter the composition of waste, emission and effluents
Alter the sequence, method of working
Alter the time or duration of an activity (faster/slower, earlier, later?)
Alter the frequency of an activity (more/less, why then?)
Alter quality, quantity, rate, ratio, speed of any part of an operation or activity
Alter who does an activity (why them? more/less people)

Prevent
Prevent emissions and exposure by totally enclosed processes and handling systems
Prevent exposure by use of remote control

Increase
Increase heat transfer and separation capacity
Increase conversion or efficiency in reactions

Reduce
Reduce inventory: less storage, hold-up, smaller size of equipment, less piping
Reduce amount of energy in system
Reduce pressure and temperature above ambient
Reduce emissions and exposure by improved containment, piped vapour return, covers, condensation of return, use of reactive liquids, wetting dust
Reduce frequency of opening, improve ventilation, change dilution or mixing
Reduce size of possible openings to atmosphere
release size, phase and properties
duration of release
weather and terrain
probability of ignition and explosion
probability of escape
probability of persons evacuated
duration of exposure
population density
proportion of persons indoors
building ventilation rates

For preliminary studies it is often necessary only to consider general values should no danger arise outside the plant boundaries.

Hazardous events and their impact

The main hazardous events that should be considered are as follows:
fire: flash fire, pool fire, torch fire
explosion: confined chemical explosion, dust explosion, physical explosion, BLEVE, vapour cloud explosion
Release of missiles
Release of toxic materials to humans, water, land, flora or fauna
Release in a form liable to cause normal accidents

It is particularly important to identify the worst accident which might occur such as the largest release of toxic gas, the most severe contamination of an aquifer and the greatest fire or explosion. This is required for emergency planning purposes.

Accurate assessments of damage and harm are difficult especially for a toxic release as the basic toxicology data is generally not based on the effects on humans. On top of this inaccuracy is the probability of mitigation. On detection of a leak about 80% of persons in the immediate vicinity are likely to escape but 20% will act inappropriately or have no opportunity to escape. For a toxic release the general advice is to find shelter (not cars) and evacuation is usually only worthwhile in the event of a change in wind direction during prolonged release or for cases where there is a progressive warehouse fire. This is due to there being little or no opportunity for either plant management or local services to influence the chances of escape. The impact of an explosion is more readily assessed apart from the likelihood of ignition. Escape action is generally obvious for trained personnel.
For a BLEVE there is a high probability of escape; a probability greater than 0.5 when the time from initial release to BLEVE is 20 minutes or more. For delayed ignition of a flammable cloud only early escape action by individuals is relevant. In the event of a conventional fire the aim should be to escape immediately, closing any doors in buildings on escape. Also the heat radiating on doors should be checked before opening doors. Unfortunately, people act inappropriately on such occasions, as events such as the King's Cross Underground fire have shown.
Damage and harm must be considered with respect to people, property and the environment, paying particular attention to the following cases for major hazards:
on-site at least three people suffering death or at least five people suffering injury requiring first aid treatment or hospitalization
off-site at least one person suffering death or at least five people being physically and directly affected
damage to property and sites of historical or archaeological interest and buildings given statutory protection against deliberate change or damage
loss of normal occupancy of property for three months
permanent or long-term damage to water, land, flora or fauna in a significant area of terrestrial, freshwater or marine habitat

It should also be noted how the business will be affected by any incident, considering loss of production or market share, legal liabilities and costs including damages paid in civil actions, and the knock-on effects on other business interests at local, national and international level.
Simplified consequence analysis

The sources of major accidents are as follows:
failure of vessels giving either an instantaneous loss or a continuous loss for 30 minutes normally assuming connected pipework
pipe breaks
the loss of process material by discharge through an abnormal opening or the change in a normal product, discharge, vent or product

A simplified consequence analysis can be carried out assuming typical leak areas and using historical data for the frequency of failures of pipes, flanges and seals. For a selected leak the consequences can be estimated using appropriate computer software. Obviously these results are most readily interpreted if the consequence analysis tool plots appropriate contours over the site and plot plan. Alternatively qualitative consequences can be expressed based on the experience of analysts or industry. General values for flammable releases (allowing for different size of a leak) can be taken for the probability of ignition and for explosion in the event of ignition. Event trees branch outwards according to different scenarios; consequently, for overall reporting it is important to develop a list of accidents seen as TOP events. Part of a preliminary consequence analysis is given in Table 7. At a later stage this can be amplified by preliminary hazard analysis and further branching questions introduced to examine failure to mitigate or escape in more detail.
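The event-tree arithmetic described above, as an added example that is not from the paper: it enumerates every branch of a small tree and sums the leaf frequencies into a list of TOP events. The initiating frequency, branch names, probabilities and event labels are constructed for illustration, and each branch probability is assumed to be the same on every path.

```python
from itertools import product

# Constructed inputs for illustration only; these are not the paper's Table 7 values.
INITIATING_FREQUENCY = 1e-4   # assumed frequency of a significant release, per year
BRANCHES = [                  # ordered branch questions and P(answer is "yes")
    ("ignition", 0.5),
    ("failure_to_mitigate", 0.2),
    ("escalation", 0.5),
]


def classify(path):
    """Map one yes/no path to a TOP event label (labels are hypothetical)."""
    if not path["ignition"]:
        return "unignited flammable cloud"
    if not path["failure_to_mitigate"]:
        return "fire controlled"
    return "escalated fire" if path["escalation"] else "torch fire"


def enumerate_outcomes(frequency, branches):
    """Yield (path, frequency) for every leaf of the event tree.

    Each leaf frequency is the initiating frequency multiplied by the
    probability of the answer taken at every branch point.
    """
    names = [name for name, _ in branches]
    for answers in product([True, False], repeat=len(branches)):
        leaf = frequency
        for (_, p_yes), yes in zip(branches, answers):
            leaf *= p_yes if yes else 1.0 - p_yes
        yield dict(zip(names, answers)), leaf


def top_events(frequency, branches):
    """Sum leaf frequencies per TOP event, highest frequency first."""
    totals = {}
    for path, leaf in enumerate_outcomes(frequency, branches):
        label = classify(path)
        totals[label] = totals.get(label, 0.0) + leaf
    return dict(sorted(totals.items(), key=lambda item: item[1], reverse=True))


if __name__ == "__main__":
    for label, freq in top_events(INITIATING_FREQUENCY, BRANCHES).items():
        print(f"{label:28s} {freq:.1e} per year")
```

Because every leaf is counted once, the TOP event frequencies always sum back to the initiating frequency, which is a quick consistency check on any hand-drawn tree.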
consequence event
analysis FRiPR 10m3 GA And Failure to mitigate Countermeasures for a release fail: insufficient time for response Countermeasures fail to control fire: fire too great to be put out immediately Countermeasures fire: fire brigade fire (no barrier) Countermeasures fire: fire brigade fire Countermeasures fail fail to control fails to put out PR 1 L 3 s 1 P Consequences Release causes hazardous condition: cloud of flammable material
Significant release of material: catastrophic failure of methanator circuit Ignition ignition of flammable mixture: and torch fire
0.5
And
Escalation
by torch fire
0.2
And
0.5
release
Ignition ignition
mixture:
1.0
And
0.2
0.2
And
Escalation by pool fire, generating possible explosion with missiles Escalation by further release of flammable material. Aromatics washed into sewer
Preliminary hazard analysis (PHA)
A preliminary hazard analysis is structured in a similar manner to a HAZOP study. However it is usually possible to partition the plant into fewer sections. Thus instead of proceeding line by line it may be practical to consider just main items of plant and associated lines and heat exchangers. It has been found helpful to consider what happens if the products and planned discharges are off-specification.
Plant information assembly

Plant information should include process information such as notes on fundamental process chemistry including dangerous reactions and side-reactions; data on hazardous materials; process flow diagrams showing control measures and safeguards; equipment specification sheets and inventory levels and any available operating information. The studies noted earlier should be completed as a precursor to preliminary hazard analysis. It is important prior to the preliminary hazard analysis to have a clear specification of the objectives: a full process specification of feeds, products and wastes; constraints on emissions and effluents; specification of utilities.

disturbances resulting in rupture on exceeding mechanical limits: overpressure; over-temperature; machine overload or stress; underpressure; undertemperature
critical defect in construction: critical defect left in construction or critical deterioration in construction
flow through abnormal opening to atmosphere: abnormal opening left in plant or abnormal opening made in plant
adverse change in a planned product or other release: change before leaving plant or change after leaving plant

The analyst expands each cause of a dangerous disturbance leading to rupture and discharge by progressing down to immediate cause as appropriate. The immediate causes of incidents are classified as follows:
inadequate action by personnel
defects directly causing loss of integrity
plant or equipment inadequate or inoperable
control systems inadequate or inoperable
deliberate change from design intent
environmental and external threats
A risk evaluation sheet should be used to conduct the analysis. In this case it is immaterial if the analysis starts at immediate cause and follows the scenario up to consequences of the release. However it is necessary always to return to the dangerous disturbance as the fulcrum of the study. An example, taken from a case study, is given in Table 8. In this particular version of the form up to 2 dangerous disturbances and 3 x 2 immediate causes can be studied. The hazardous disturbances noted on the form correspond to HAZOP style deviations. It is generally unnecessary to complete the form in the detail shown. The risk data is added after and not during the meeting. It is important that the search does not become a
1993, Vol 6, No 1
Table 8 PSA risk evaluation Priority C S 4 E-6 0.01 3 as hot and release not attenuated 3 in E-4 3 fire-fighting 4 L S L 7 0.01 E-5 1
sheet
PROJECT: TOMHID
PLANT: HYDROGEN
UNIT: METHANATOR
REFERENCE: GLW
LOCATION: SHEFFIELD
EQUIPMENT: METHANATOR/PREHEAT SECTION
FUNCTION: Fire escalates Failure to avoid domino Torch fire on section Failure to avoid ignition: 15 mins Release through Operator 0.1 Over-temperature Failure of operator to stop flow to methanator Failure of shutdown system High temperature Operator High inlet temperature (slow propagation) fails to reduce trend on TAH 1 E-l Downstream blockage (clean duty) in reactor 0.1 0.1 0.2 in reactor E-3 Overpressure Pressure in reactor relief system fails fails to stop all plant flows
l
Fixed bed reactor converting to pipe rack and C plant due to lack of time and ineffective
oxides
of carbon to hydrogen
Consequences
of escalation
further
escalation
Consequences
of significant
event
Failure to mitigate
or avoid escalation
event to be prevented
E-4
Release through
overpressure fails
E-5 0.1
action to depressure
Plant in danger:
dangerous
disturbance
E-4 0.01
Inadequate
emergency
control
or action
Hazardous disturbance
High pressure
in section
E-Z
Inadequate
control
or action
Immediate
causes
E-4
Hazardous disturbance Operator or TAH High COs in stream from absorber fails to reduce trend on CO, alarm 0.8 PRC closed Fuel gas overpressure E-l Lack of demand for product 0.01 0.01 E-O
Inadequate
control
or action
Immediate
causes
Hazardous disturbance Operator fails to reduce trend or TAH or PAH Impurities on CO2 alarm 0.1 PRC closed Fuel gas overpressure line E-Z Off-specification product 0.01 0.01 E-O
1. Operator also alerted by PAR
2. Two relief valves in system and hydrogen is exceptionally free-flowing.
3. Add W-1 and depressuring valve: locate before methanator.

1. Do not depressurise on high temperature unless sure of no flow through methanator.
2. Operator alert by several alarms. New TAH in and out.
3. Check if start-up line needed if heat exchange circuit modified
4. Alter outlet location of start-up line. Add PAH and TR. Double block and bleed.
5. Check catalyst activation.
6. Improve absorber design to enhance reliability.
Inadequate
control
or action
Immediate
causes
Recommendations/comments/actions
1. Public not affected by domino escalation.
2. Business damage would be extensive if spread to complex.
*The operator can increase the probability of a release by wrong action and special supervision is required on any methanator problem.
preliminary HAZOP study. The main search processes become too similar in nature. The PHA should emphasise disturbances of temperature and pressure whereas a HAZOP usually starts with studying deviations of flow. Sometimes it will be found necessary to expand a particular box. For example, the operator action may need to evaluate whether the operator is alerted or stimulated, whether the correct diagnosis is made and whether the right action is taken. Such action may be drastically wrong. In this case an appropriate continuation sheet can be used or a special note added. Also as forms can get congested, it may be desirable to append a separate action sheet or extend the size of sheet used for the analysis. Simplified sheets are used in meetings to carry out the analysis.

where L is the exponent of likelihood as measured by frequency (a negative value) and S is a severity ranking set by the company and referring to a set of five failure ranges from minor (1) to catastrophic (5). The target risk is only acceptable when its value is equal to or less than zero. To reduce the risk, measures should be taken to reduce the likelihood of occurrence, which is a measure of the expected probability or frequency of occurrence of an event, or to ameliorate the severity of the consequences of occurrence by appropriate measures. For example, the exposure of an individual to a hazardous substance which cannot be eliminated by other means might involve measures aimed at prevention of exposure, reduction of emission or exposure and provision of means for dealing with residual risk. Results which are clearly not acceptable are prioritized for further study with risk reduction or elimination as the aim. It is particularly helpful to evaluate risk using risk evaluation sheets as this ensures that the contribution to mitigation effected by the operators is particularly noted. This may also highlight the need for specific training. The technique has been applied to maintenance problems, evaluation of the effect of emergency control systems being inoperable, and incident investigation. In most cases it is not necessary to have absolute accuracy for risk estimates as the relative improvement or sensitivity of overall risk to certain criteria is the factor of interest.

Conclusions

All hazard identification methods aim to model part of the incident (accident) scenario. If one observes the amount of data available to the analyst at any stage during the development of plant then it is clear that the starting point of the search must be selected carefully. Methods start from different points: e.g. FMEA at a failure mode, HAZOP at a hazardous deviation. In the main method described here, preliminary hazard analysis, the analysis pivots around a dangerous disturbance of plant which is identified as a point just before the release of material. Also the method utilizes a model of the incident scenarios for documentation purposes. Furthermore the opportunity is taken to evaluate the risk. It will be noted how all the methods used in preliminary safety analysis combine to produce a comprehensive safety study which can be carried out at an early stage of the design, and can be developed further as the detailed engineering of the plant proceeds. The risk evaluation sheets provide a ready record which can be examined during production to identify the effect on risk should changes in plant and its availability arise.
Acknowledgements
Mike Wardman is sponsored by the UK Science and Engineering Research Council and Cris Whetton by the EC STEP programme.