
Preliminary safety analysis

Geoff Wells, Mike Wardman and Cris Whetton

Department of Mechanical and Process Engineering, University of Sheffield, PO Box 600, Sheffield, UK

Received 21 July 1992

Various major safety studies are carried out at appropriate stages during a project. Many companies do some form of preliminary analysis at points between initial project concept and when the process design is completed. These studies aim to ensure that the decisions on process design and site selection take full account of process safety requirements and related risk and environmental constraints. Methods have been incorporated and developed during this work to take account of best industrial practice for such safety studies. These are listed under the general heading of preliminary safety analysis (PSA) and are carried out from the time of the concept safety review until such time as reasonably firm process flow diagrams or early P&I diagrams are available. The methods included are as follows:
- concept safety review (CSR)
- critical examination of system safety (CE)
- concept hazard analysis (CHA)
- preliminary consequence analysis (PCA)
- preliminary hazard analysis (PHA)

These have been developed from a model of the plant and its interpretation as part of an incident scenario. The emphasis throughout is on utilizing the best points to start the search to identify undesired events contributing to the development of accidents. For the main method described, preliminary hazard analysis, this search has as its starting point and fulcrum the dangerous disturbances of plant which arise at a point in the incident scenario just after emergency control measures have failed to control the situation. The study should be conducted using risk evaluation sheets which model each stage of the incident scenario and allow for a short-cut assessment of risk when this is desired. The above methods are demonstrated by part of a simplified case study. The methods function well and provide not only a good model of incident scenarios but are readily developed into fault and event trees and operating procedures. They are invaluable for the development of safety reports for regulatory authorities. Furthermore, by not imitating HAZOP methods they strengthen the effectiveness of the search process. (Keywords: process safety; hazard analysis; note assessment)

The purpose of preliminary safety analysis

Preliminary safety analysis is a systematic approach to the identification of potential hazards and hazardous conditions which is carried out at an early stage of the design of the plant, before the commencement of detailed engineering (except for specially selected items). It aims to make safety objectives more readily tenable by subsequent design, engineering, realization, commissioning and productive methods. It suggests ways to challenge the design and encourages an understanding of the consequences of failures as well as identifying the principal incident scenarios stemming from deviations from normal or expected behaviour.

The objective of a preliminary safety analysis is not to identify all possible scenarios and initiators of incidents. It is to consider any impact (either safety, health or environmental) which the project may have either on-site or off-site and identify significant hazards. Special attention is paid to loss of containment leading to a significant release of material which can have major consequences, usually resulting in harm or damage to the system and its total environment. The preliminary safety analysis should also identify those changes to process conditions which could lead to an adverse discharge leading to the consent levels for gaseous, liquid or solid effluents being exceeded.

Where the project can create significant on-site or off-site impacts, then the risk of such consequences should be evaluated and compared with appropriate criteria in order to determine whether further action must be taken to reduce the risk or abandon the project in its present form. In some cases a quantified risk analysis should be completed.

Concept safety review follows or is incorporated in the review of the scope of the project and provides the means for an early assessment of safety, health and environmental hazards. It links in with other project work beginning at this time and contributes to key policy decisions such as siting and preferred route.

A concept hazard analysis is used for the identification of hazard characteristics to identify areas which are recognized as being particularly dangerous from previous incidents. It also identifies the need to explore any difficulties which might be experienced with unwanted reactions. As well as identifying environmental damage, the analysis may also consider whether the proposal fulfils the green policies of the company.

A critical examination of system safety is used either to eliminate or to reduce the possible consequences of a hazardous event by an early study of the design intent of a particular processing section. This should be carried out at an early stage and well before the process design is completed.

A preliminary consequence analysis can be used to identify likely major events. Such studies assist in the selection of the site if this is a required project objective. This is an abbreviated form of preliminary hazard analysis in which gross assumptions are made for the frequency of events. It enables the major events which may result from the process to be identified. The event tree section of the HAZCHECK knowledge base provides the necessary information on the development of incident scenarios.

A review of health hazards should consider measures proposed to prevent employees being exposed to either chronic or acute health hazards and should be carried out considering periodic emissions and fugitive emissions.

A preliminary hazard analysis is undertaken to identify applicable hazards and their possible consequences with the aim of risk reduction: i.e. to reduce the frequency of significant consequences to an extent that is comparable with project and manufacturing objectives and which meets the constraints imposed by regulatory and local authorities. It should be carried out at a stage when change in the design is still possible.

The methods listed above are a compilation of techniques used in industry. Several of these have been described by Turney 1990⁵ and James 1992². This work has modified the way they are carried out and has modified the documentation procedure. The technique developed for preliminary hazard analysis is, as far as we are aware, original.

J. Loss Prev. Process Ind., 1993, Vol 6, No 1, 47
0950-42301921010047-14 © 1993 Butterworth-Heinemann Ltd

Concept safety review (CSR)

At the start of a preliminary safety analysis the analyst and others should carry out a preliminary concept review. This is carried out as early as possible, sometimes during process development. The objectives and scope of the project should be previewed and defined. This should include general information about the development plan and the plant or object being analysed. It is particularly important to ascertain the need for a range of options including process development, available processes and whether these will be licensed, the availability of alternative sites and modes of transport of raw materials and products, the availability of experience within the company and site etc. It may be that a particular project does not require study of all these items and it is as well to make such matters clear at the start. Subsequently the concept safety review should determine the need for safety reviews and their timing.

Information should be obtained on the safety, health and environmental hazards of all chemicals and materials involved in the new process. This should take account of both individual and collective properties of materials. Helpful information is contained in regulations such as COSHH and CIMAH in the UK. General appreciation should also be generated of the main hazards presented by the plant such as fire, explosion and release of harmful substances such as toxic gases and liquids, effluent, radioactive and corrosive materials etc.

The study should review information on previous incidents on the plant using both information available on incidents within the company and its affiliates and information available from global sources. For a project under development the latter information should be augmented by studies of the route and incidents affecting plants using related reactions.

At each site under consideration it is necessary to consider on-site and off-site transport of raw materials, products and wastes including loading, off-loading, type of transport and route. The requirements for facilities and services, emergency planning, interaction with other plants etc. must be examined.

The study should consider all organizational factors affecting the project including the availability of experienced staff both within the company and at the site. This experience should be reviewed in terms of general experience, experience of related plants and specific experience of the plant. Means to overcome any problems should be discussed. The impact of the plant on the general health and safety management policy of the site should be identified.

Criteria should be established for all safety, health and environmental factors with which the plant must comply together with relevant company standards, national legislation and other regulatory approvals and consents. Any effect on the position of the site with respect to effluents and emissions and status under CIMAH regulations must be reviewed. General project criteria should be defined including the codes of practice to be followed and the extent and timing of all safety reviews.

The preliminary concept safety review should be a means by which improvements in design procedures are made known to the designers and by which it is ensured that current thinking on ways of improving the design practice is implemented.

Concept hazard analysis (CHA)


The concept hazard analysis must identify the hazardous characteristics of the project. A hazard has the potential to cause harm, including: ill-health and injury; damage to property, plant, products or the environment; production losses; business harm and increased liabilities. Ill-health includes acute and chronic ill-health caused by physical, chemical or biological agents, as well as adverse effects on mental health.

Hazards are system independent. They can be split into the categories: chemical, thermodynamic, electrical and electromagnetic and mechanical. Chemicals can be further subdivided into toxics, flammables, pollutants and reactants. Further lists can be used to identify health hazards. A hazard is any potential source of threat or potential danger. There is a need to identify external threats to the system and these include unplanned changes in the plant or its use.

It is important to distinguish between a hazard and a hazardous condition. A hazard is solely a qualitative term but a hazardous condition includes a quantitative element in its description of a hazardous state, e.g. the amount of hazardous material used. It is not an undesired event in itself, but has the potential to induce one or more undesired or dangerous events. Hazardous characteristics embrace both hazards and hazardous conditions. Hence when reference is made to hazard identification, it is more often than not the identification of hazardous characteristics which is of concern. After all, a hazard can be identified with relative ease. It is the impact of a hazard and the frequency of occurrence which is difficult to estimate.

The structure of a concept hazard analysis

The methodology of a concept hazard analysis is shown in Table 1. A concept hazard analysis may be commenced at a stage when the block diagrams or a preliminary process flow diagram are available. It aims to identify the main hazards which the proposed plant will generate or face. The approach used can vary considerably from a general identification of hazards to a thorough look at each section of plant. Usually each section of the plant is evaluated at a preliminary meeting considering the items given in Tables 2 and 3. A list of streams and substance characteristics should be prepared beforehand by process engineering. A brief review of each stream is generally helpful and describes the process. The report should be updated


Table 2 Keywords

Category headings: Chemicals; Pollutants; Health hazards; Electrical/radiation; Thermodynamic hazards; Mechanical hazards; Mode of operation; Release of material; Loss of services; External threats

Keywords: Flammables; Ignition; Fire; Explosion/detonation; Toxicity; Corrosion; Off-specification; Emissions; Effluents; Ventilation; Chemical contact; Noise; Illumination hazards; Electrical; Radiation; Laser; Overpressure; Underpressure; Over-temperature; Under-temperature; Structural hazards; Collapse, drop; Start-up; Shutdown; Maintenance; Abnormal; Emergency; Release on rupture; Release by discharge; Fugitive emissions; Periodic emissions; Handling; Entry; Electricity; Water; Other services; Accidental impact; Drop/fall; Act of God; Extreme weather; External interference; Loosening/vibration; Vibration; Sabotage/theft; External energetic event; External toxic event; External contamination; Corrosion/erosion

Table 1 Methodology of a concept hazard analysis

Assemble a study team
Define the objectives and scope of the study
Agree a set of keywords
Partition each process flow diagram or block diagram into reasonably-sized sections
Identify the dangerous disturbances and consequences generated by each keyword
Determine if the hazard can be designed out or the hazard characteristics reduced
Determine any protections and safeguards
Determine comments and actions
Report using proforma

as actions are taken or resolved with respect to safeguards and the assembly of further information. As fresh hazardous conditions are identified these can be incorporated within the record for appropriate action. The keywords in Tables 2 and 3 are related to specific hazardous events. The perceived dangers are noted together with suggestions for safeguards (the latter denoting a general aim rather than an actuality). Appropriate comments are added for action. As well as identifying general hazards the opportunity is taken to add any specific hazards for which the equipment has previously given problems. Various companies use different keywords and additional ones include off-specification, fire, effluents, loss of services etc.


Table 3 Keywords in concept hazard analysis

Columns: Keywords; Undesired event; Consequences/problems

Flammables Ignition Fire Explosion

Fire: flash, torch, pool Chemical explosion Physical explosion Vapour cloud explosion Electrical explosion Absorption, inhalation, ingestion Contamination of environment Disposal, incineration, storage, landfill Asphyxia Acidity, alkalinity, exposure Separation or accumulation

Release on rupture Release by discharge Entry of vessels Handling Ignition Release on rupture Release by discharge Entry of vessels Handling Fugitive emissions Periodic emissions, washings Emergency emissions Human contact with chemicals Human contact with heat or cold Noise Illumination Radiation Accidental impact, vibration Act of God, natural causes Abnormal environmental extreme External interference, loosening Drop, fall Theft, hooliganism Force majeure, sabotage External energetic events External toxic events External contamination Corrosion, erosion Unintended reactions Difficulties with intended reactions Presence of dangerous (toxic) substances Products of combustion Corrosion etc. Overpressure Underpressure Over-temperature Under-temperature Overheating Overcooling Fluid jet effects Inadequate mechanical integrity Corrosion, erosion Wrong status of equipment, valves, emergency relief etc. Overload/stress/tension Mechanical energy/inertia Mechanical weakness Loss of structural integrity Charge, current, High voltage Dangerous initiators magnetism

Chemicals Toxicity Corrosion Pollutants Emissions Effluents Waste Health hazards

effects after discharge

Effects of toxicity, biological activity
Effects of fire, contact with hot bodies, cold surfaces
Effects of exceeding acceptable noise levels
Effect of glare, mist, fog, contrast, smoke
Effect of radioactive materials

External threats

Harm, damage and removal of equipment Harm, damage and death of personnel Release of material Adverse discharge Loss of supply Loss of services Item breaks on impact

Reactions

Release of material Dangerous disturbances Release of reaction energy Defective materials

Thermodynamic hazards Overpressure Underpressure Over-temperature Under-temperature

Rupture of equipment Impulse blows Weakening of materials of construction Failure or damage of equipment

Abnormal opening to atmosphere

Release of material Change in planned or emergency discharge

Mechanical hazards Structural hazards Collapse, drop

Rupture of equipment, change in material properties Failure of equipment or structure, transient effects, forces Impulse blows, fragility, vibration Failure of structure, collapse, object dropped Explosion, spark, shock, heat transfer, Shock to personnel Release of material Off-specification material Release of material Common cause failures Off-specification material ionization

Electrical hazards

Equipment problems

disturbances

or incident

Mode of operation Start-up Shutdown Maintenance Abnormal Emergency

Any notable disturbances or incident initiators Loss of supply Loss of services


An example of a concept hazard analysis is applied to the methanator section of a hydrogen plant in Table 4. An early P&I diagram of this plant is given in Figure 1. The process involves removing small quantities of oxides of carbon from a hydrogen product by reaction with hydrogen at 400°C and 20 bar.

Some companies may prefer at this point to use HAZOP keywords to highlight further problem areas. Such actions are more likely to be taken if this study is carried out as a form of preliminary hazard analysis. Such action is not recommended as it is important to use alternative search procedures at different stages in project development.

The documentation shown here is more extensive than that independently developed at BNFL². These simply document keywords, discussion and action/recommendations. This approach has the advantage of speed and is particularly recommended when the initial information is scanty and one objective is to give advice to the designer team.

The study undertaken at this stage will vary considerably according to the knowledge which the participants have about the process. Many projects considered by industry are modifications to process plant, costing up to £1 million (1992 values). For these considerable information will be available. In other projects the study can be used to transfer information from process licensers etc. In the case of a development project the study can highlight key safety areas requiring further study. Thus it is important to determine whether both a concept hazard analysis and a preliminary safety analysis are required.

Critical examination of system safety


At some stage it is important to review the design seeking radical change to improve safety. A critical examination of system safety is one such means of tackling the problem.

Method study became widely used in the 1960s. Numerous courses were run to give information on how to conduct the critical examination of any problem. The initial questions aimed to resolve what, when, how and where? relating to a particular activity or operation. The answer to each of these questions was further probed by asking why, why then, why that way, why there? etc. There was also emphasis on the use of brainstorming to generate alternatives. Critical examination arises to reveal any problem and its formulation. The argument is made that only when designers understand the reason why they are being asked to produce a solution are they really likely to solve the problem.

Here a revised approach is suggested for critical examination, which differs from that used by Elliott and Owen³ in its aims and rigour. The emphasis is on process safety, if possible without the need for add-on safety. The need for rigour is reduced as criteria are subsequently evaluated by other safety studies. The only deviations considered under how the task might be accomplished are major disturbances affecting plant safety.

The method

Examples of the method are given in Table 5 and these should be consulted to ascertain the format to be used. The first feature of the method is to write down a statement of the design intent describing clearly what is to be done or achieved and how this is to be accomplished. Individual statements may be necessary for some processes or task activities covering all the what, when, how, where and who questions of the proposal. If the plant is not in normal operation for the purpose of the study then this must be stated, identifying in minimum detail the change of state achieved by an operation reaction or activity. This usually indicates the operating conditions and equipment involved but not the full details. These are made available to the analyst in other documents. A similar statement is subsequently added indicating any dangerous condition, here defined as one leading to a dangerous disturbance of plant.

Each significant aspect of the achievement is then probed by querying the proposal or existing facts and its purpose. The aim is to expose the strengths and weaknesses of the present situation. The emphasis is on how to avoid the dangerous conditions noted and not on how to improve the process economics etc. Such conditions should be those which are essentially a function of the process and its structure rather than a list of standard features which are automatically checked (for example the loss of lubricating oil to a compressor).

Alternatives are then generated. Some keywords with which to systematically associate each significant part of the achievement are given in Table 6. Doubtless other effects than those noted can be generated. However the important matter is that a structure is given to aid the generation of possible improvements. For a safety study it is important to examine how the proposal is achieved, paying particular attention to the following:

- materials: change the quantities or qualities/use extra or different materials
- method: change the operating conditions or activities/change the route and method of processing/change the sequence, frequency, absolute time or duration
- equipment: use different equipment

The impetus for change should be to make the frequency of a major incident less likely and to lessen the consequences of such an incident. The technique, when applied in this manner, ensures that an attempt has been made to improve the inherent safety of the proposed system by using a formal procedure rather than leaving it as a matter for consideration by individuals.

It is also essential to study any dangerous condition and its cause. These should be readily identifiable from an equipment knowledge base or the knowledge of the process engineer. Then the keywords are used to effect analysis. Alternatives or modifications can be


Table 4 Concept hazard analysis


Consequences Release may self-ignite torch fire. Escalation to pipe rack likely. Missile could affect C plant Segregation by distance. Depressure or steam purge discharge Release at safe height: and fire Chemical explosion High level of oxides of carbon cause runaway with rupture and possible physical explosion More robust design of absorber. Trip methanator on high temperature. Alarms on temperature and CO, high Purge plant before start-up. Ensure catalyst covered by N, as replaced Alarm on high CO2 outlet. Vent if off-specification and shutdown compressor. Ensure methanator warm enough to start-up. Connect methanator trip to compressor trip Sewer to effluent treatment in sewer Vent sewer with standpipes possible ignition Segregation by distance Check possible radiation levels Study best way of reducing damage Suggested safeguards Comments/action

Ref. no

Keyword

Dangerous disturbance

Release on rupture

Flammables

Release on emergency

3 runaway reaction in

Flammables

Normal discharge to sewer

Check other plants for incidents Check action if trip fails

Reaction

Exothermic methanator

5 Combustion in vessels. Causes chemical explosion

Air in combustion

vessels

Get more information

on catalyst

6 Off-specification H? to downstream plant. This can cause runaway reaction with chemical explosion

Inadequate reaction Catalyst failure Low temperature feed Methanator bypassed

Design heat exchanger circuit to preheat methanator

Pollutants Water with high sodium salts Fire-water will flood. River receives minor contamination Noise in compressor area

Effluent to sewer

Check effect on current treatment Check other sewers in area for contamination

Pollutants

Effluent caused by firewater

Pollutants

Noise

Building would cause explosion hazard Two relief valves in circuit. High pressure alarm

Operators to wear protection area

in danger

Overpressure

Overpressure plant

in hydrogen

High pressure caused by inadequate release of excess gas to fuel gas or blockage or incorrect valve status causes explosion Runaway reaction (see above) Excess recycle of hydrogen around compressor can result in physical explosion Stress in compressor caused by two phase feed due to liquid blowby from KO Pot can result in physical explosion Loosening of flange gives release. Possible torch fire Loss of material to safe point. Could ignite as minor torch fire

Flare may be needed on fuel gas if demand low

11 in methanator in compressor

Over-temperature

Over-temperature

12

Over-temperature

Over-temperature

High temperature

alarm on loop

Evaluate as no safeguard provided

13

Mechanical hazard: overload

Overload of compressor

Trip on high level in KO Pot. Level alarm in KO Pot

Explosion unlikely but note compressor may be damaged

14 at compressor

Abnormal

opening

Vibration

Vibration probe

15

Abnormal

opening

Spurious relief

Consider need for lock open valve after RVs or bursting disc before RVs.

Table 4 Continued Consequences Suggested safeguards See item 4 Blockage of sodium salts at top of reactor (causes channelling) Bed of ceramics on top of reactor Improved heat exchanger network or start-up line Separate hydrogen stream may be needed Analyse outlet stream for CO, and alarm Temperature alarm. Analyse for CO, in outlet Not critical Establish requirement Failure to preheat bed Failure to activate Off-specification product affects downstream plant Off-specification product affects downstream plant High temperature See overload (item 12) Increased flammables Overload due to two phase flow from KO Pot (item 13) Stress due to loss of lube oil flow at inlet at outlet High recycle flow under control (item 12) Failure of cooling water to after-coolers High recycle flow not under control (item 10) Failure of control system Vibration probe (item 14) Loosening by maintenance requires absolute isolation of a high pressure low molecular weight gas Maintenance policy must be agreed together with standby provision 2 x 60% compressors preferred. Need double block and bleed systems plus nitrogen purge Relief valve on outlet. High pressure alarm High temperature alarm on outlet After-coolers should be on diagram Alarm on low lube oil pressure. Shutdown by trip system in sewer (item 3) Low level alarm. Trip system on low level to KO Pot Check requirements at base in design intent Comments/action

Ref. no

Keyword

Dangerous disturbance

16

Equipment: methanator

Exothermic runaway

17

Equipment: methanator

Blockage

16

Equipment: methanator

Start-up

19

Equipment: methanator

Activation of catalyst

Obtain information from manufacturer Determine policy for off-specification gas (see items 6, 20) Plant requires complete shutdown if the methanator cannot be preheated (see item 17) Cooling water temperature monitored Check requirements must be for dephlegmator

20

Equipment: heat exchanger

Internal leak causing offspecification product

21

Equipment: heat exchanger

Less heat causing no reaction in methanator

22

Equipment: cooler

Loss of cooling water

23

Equipment: KO Pot

Liquid blowby

24

Equipment: KO Pot

Gas blowby

25

Equipment: compressor

Overload

26

Equipment: compressor

Overload

27

Equipment: compressor

Over-temperature

28 at inlet

Equipment: compressor

Over-temperature

29

Equipment: compressor

Overpressure

30

Equipment: compressor

Overpressure at outlet

31 of compressor

Equipment: compressor

Vibration at compressor

32

Equipment: compressor

Maintenance


Table 5 Critical examination of methanator section

DESIGN INTENT: A fixed-bed catalytic reactor, operating at 20 bar, 400°C inlet, 450°C outlet, converts the small amounts of oxides of carbon (maximum 2%) in a stream of hydrogen into a hydrogen product stream containing 10 ppm maximum of oxides of carbon

Query proposal

Response Oxides of carbon affect downstream catalyst on aromatics plant No addition of further materials

Generate alternatives

Comments No real saving overall on risk

Recommendations Reject or change downstream catalyst

Why remove oxides of carbon?

Eliminate methanator here and install on aromatics plant only Alter by using pressureswing adsorption system upstream Alter the catalyst or use a larger size of bed Modification/control increase capacity of absorption unit using an absorption train

Why this process?

Lower yield of hydrogen but cheaper plant

Review next

for plant after

Why at 400°C?

Optimized design this catalyst Cause

for

No safety advantage

Reject

Dangerous

condition

Comments Expensive solution but robust

Recommendations Evaluate using quantitative risk analysis

Reactor runaway due to excess oxides of carbon in feed leading to reactor

Failure of absorption system

Isolate the methanator shutdown system

by

Requires the diversion of upstream flow from methanator by shutdown system Long-term effort required

Install bypass and vent off-specification material

Catastrophic failure of methanator circuit

Over-temperature due to reactor runaway

Improve metallurgy of reactor to withstand maximum temperature during upset condition increase cooling of reactor by external quench

Review

later

Weakness in circuit may well not be the reactor

Consider under preliminary hazard analysis

suggested. The analyst should try to avoid only recommending measures to control the situation or shutdown plant. These should be a back-up only to other protective barriers. There is no reason to complete the study of both sections independently. The dangerous condition affects the decisions made on how the process should be achieved and vice versa.

Preliminary consequence analysis

A preliminary consequence analysis of major incidents examines the impact of what might occur on a particular process plant. It is usually carried out as soon as a description of the process flow diagram is available. If the site is to be selected it may be done very early. Such a study may well only consider pipe breaks and common leaks. The analysis can be carried out following critical examination before a decision is made to proceed with more extensive design. Although here the emphasis is on plant it is necessary to do similar studies on the transport of raw materials and products.

Process information

In order to ascertain the problems, it is necessary to identify the proposed site and effect an approximate layout of the plant. The basic information required is listed below and some of this information is subsequently transmitted to regulatory and planning authorities when required.

Information should be obtained on the nature and scale of the use of dangerous substances at a site and how the proposed activity fits in with the existing requirements of regulatory bodies, local authorities, river authorities, etc. (see the preliminary concept safety review). This information is also required on every dangerous substance involved in the activity. This should indicate the concentrations of those materials likely to be present and the names of the main impurities. Inventory levels of vessels are required and the analyst requires information on the possible impact of any hazardous chemicals on people and the environment.

Information normally noted about a major hazard installation is given in the CIMAH regulations⁴ and includes the following items. A map of the site and its surroundings, to a scale large enough to show any features that may be significant in the assessment of the hazard or risk associated with the site. If the environment is at risk then it may be necessary to show the site and surrounding area on a scale that is large enough

J. Loss Prev. Process Ind.,

1993, Vol 6, No 1

55

Preliminary

safety analysis:

G. Wells et al.
Table 6 Continued Segregate by distance, barriers, duration and time of day Segregate plant items to avoid certain commonmode failures Segregate fragile items from roads, etc. Isolate plant by shutdown isolation valves systems, emergency

Table 6 Critical examination: Keyword Eliminate Examples of use

keyword

dictionary Segregate

Eliminate by a completely different method or part of a method Eliminate certain chemicals, change the route, use a lean technology Eliminate additives, solvents, heat exchange mediums, additives Change the equipment or processing method Eliminate leakage points; use a weld not a bolted fitting, etc. Eliminate a prime mover or heat exchange or agitator Eliminate a separation stage or step Eliminate intermediate storage Eliminate an installed spare Eliminate manual handling Eliminate sneak paths, openings to atmosphere Eliminate waste Eliminate entry into vessels or disconnection Eliminate products that are harmful in use Eliminate an ignition source, particularly permanent flame Avoid extremes of operating conditions Avoid operating in a flammable atmosphere Avoid possible layering of materials, inadequate mixing Avoid flashing liquids, particularly in extensive heat exchanaer networks Avoid production of large quantities of dangerous intermediates Avoid unwanted reactions in and outside reactors Avoid operating near extremes of materials of construction Avoid operating conditions leading to rapid deterioration of plant Avoid maintenance on demand and in short time periods Avoid items of plant readily toppled by explosions Avoid stage, step or activity by doing something as well as or instead of Modify any topics above Modify batch operation to continuous or vice versa operation

Isolate Improve

Improve plant integrity, reliability and availability Improve control or computer control. Use userfriendly controls Improve response Improve quality of engineering, construction, manufacture and assembly

Avoid

(1:lOO 000) to show all the significant features of the natural and built environment. A scale plan of the site identifying the location and quantities of all significant inventories of the dangerous substances. A description of the process or storage involving the dangerous substance, its inventory and an indication of the conditions under which it is normally held. The maximum number of persons likely to be present on site. Information about the nature of the land use and the size and distribution of the population in the vicinity of the industrial activity to which the report relates. The general information should be sufficient to enable any external threats to the plant to be identified including adjacent plants, major hazard sites in the locality, roads etc. Information on effluents, noise, risk etc. should be assembled. This data should be supplemented by information on the arrangements for safe operation of the site and the new activity, the emergency planning requirements and the requirements for additional expertise for the operation of the plant. A safety audit of the management and organization should be carried out if not carried out earlier for other projects. Preliminary consequence analysis of major hazards The preliminary consequence analysis of major hazards will not give an accurate assessment of the frequency of any incident or the measures used to control or avoid the release. It should however consider ways of dealing with the resulting emergency and instigating the emergency response. The report should at this stage concentrate on the response to the emergency rather than countermeasures to a specific release. However due attention must be given to the possible escalation of the incident, including escalation as a result of mitigating efforts such as fighting fires. The main factors to be considered in the modelling of the behaviour and impact of a substances on release are:

Modify

Alter

Alter the composition of waste, emission and effluents Alter the sequence, method of working Alter the time or duration of an activity (faster/slower, earlier, later?) Alter the frequency of an activity (more/less, why then?) Alter quality, quantity, rate, ratio, speed of any part of an operation or activity Alter who does an activity [why them? more/less people) Prevent emissions and exposure by totally enclosed processes and handling systems Prevent exposure by use of remote control Increase heat transfer and separation capacity Increase conversion in reactions efficiency or

Prevent

Increase

Reduce

Reduce inventory: less storage, hold-up, smaller size of equipment, less piping Reduce amount of energy in system Reduce pressure and temperature above ambient Reduce emissions and exposure by improved containment, piped vapour return, covers, condensation of return, use of reactive liquids, wetting dust Reduce frequency of opening, improve ventilation, change dilution or mixing Reduce size of possible openings to atmosphere

56

J. Loss Prev. Process Ind., 1993, Voi 6, No 1

Preliminary release size, phase and properties duration of release weather and terrain probability of ignition and explosion probability of escape probability of persons evacuated duration of exposure population density proportion of persons indoors building ventilation rates For preliminary studies it is often necessary only to consider general values should no danger arise outside the plant boundaries. Hazardous events and their impact The main hazardous events that should be considered are as follows: fire: flash fire, pool fire, torch fire explosion, explosion: confined chemical dust explosion, physical explosion, BLEVE, vapour cloud explosion Release of missiles Release of toxic materials to humans, water, land, flora or fauna Release in a form liable to cause normal accidents It is particularly important to identify the worst accident which might occur such as the largest release of toxic gas, the most severe contamination of an aquifer and the greatest fire or explosion. This is required for emergency planning purposes. Accurate assessments of damage and harm are difficult especially for a toxic release as the basic toxicology data is generally not based on the effects on humans. On top of this inaccuracy is the probability of mitigation. On detection of a leak about 80% of persons in the immediate vicinity are likely to escape but 20% will act inappropriately or have no opportunity to escape. For a toxic release the general advice is to find shelter (not cars) and evacuation is usually only worthwhile in the event of a change in wind direction during prolonged release or for cases where there is a progressive warehouse fire. This is due to there being little or no opportunity for either plant management or local services to influence the chances of escape. The impact of an explosion is more readily assessed apart from the likelihood of ignition. Escape action is generally obvious for trained personnel. 
For a BLEVE there is a high probability of escape; a probability greater than 0.5 when the time from initial release to BLEVE is 20 minutes or more. For delayed ignition of a flammable cloud only early escape action by individuals is relevant. In the event of a conventional fire the aim should be to escape immediately, closing any doors in buildings on escape. Also the heat radiating on doors should be checked before opening doors. Unfortunately people act inappropriately on such occasions, as events such as the King's Cross Underground fire have shown.


Damage and harm must be considered with respect to people, property and the environment, paying particular attention to the following cases for major hazards:

• on-site at least three people suffering death or at least five people suffering injury requiring first aid treatment or hospitalization
• off-site at least one person suffering death or at least five people being physically and directly affected
• damage to property and sites of historical or archaeological interest and buildings given statutory protection against deliberate change or damage
• loss of normal occupancy of property for three months
• permanent or long-term damage to water, land, flora or fauna in a significant area of terrestrial, freshwater or marine habitat

It should also be noted how the business will be affected by any incident, considering loss of production or market share, legal liabilities and costs including damages paid in civil actions, and the knock-on effects on other business interests at local, national and international level.

Simplified consequence analysis

The sources of major accidents are as follows:

• failure of vessels giving either an instantaneous loss or a continuous loss for 30 minutes normally assuming connected pipework
• pipe breaks
• the loss of process material by discharge through an abnormal opening or the change in a normal product, discharge, vent or product

A simplified consequence analysis can be carried out assuming typical leak areas and using historical data for the frequency of failures of pipes, flanges and seals. For a selected leak the consequences can be estimated using appropriate computer software. Obviously these results are most readily interpreted if the consequence analysis tool plots appropriate contours over the site and plot plan. Alternatively qualitative consequences can be expressed based on the experience of analysts or industry. General values for flammable releases (allowing for different size of a leak) can be taken for the probability of ignition and for explosion in the event of ignition. Event trees branch outwards according to different scenarios; consequently, for overall reporting it is important to develop a list of accidents seen as TOP events. Part of a preliminary consequence analysis is given in Table 7. At a later stage this can be amplified by preliminary hazard analysis and further branching questions introduced to examine failure to mitigate or escape in more detail.
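An added worked example, not taken from the paper: a small event tree for a flammable release that sums leaf frequencies into TOP events and ranks them with the target risk the paper defines in its section on the risk evaluation sheet (L + S, acceptable when at or below zero). The initiating frequency, branch probabilities and severity rankings are constructed sample values, and the names `Branch`, `classify`, `leaves` and `top_events` are hypothetical.

```python
"""Event tree for a flammable release, ranked with target risk = L + S.

Every frequency, probability and severity ranking here is a constructed
sample value, not data from the paper.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    question: str          # branching question, e.g. "ignition"
    p_yes: float           # probability that the answer is yes
    only_if: tuple = ()    # (question, answer) pairs required earlier on the path


INITIATING_FREQUENCY = 1e-3   # significant release, per year (constructed)
BRANCHES = (
    Branch("ignition", 0.5),
    Branch("explosion", 0.2, only_if=(("ignition", "yes"),)),
    Branch("escalation", 0.2,
           only_if=(("ignition", "yes"), ("explosion", "no"))),
)


def classify(path):
    """Map one leaf of the tree to (TOP event, severity ranking S in 1..5)."""
    answers = dict(path)
    if answers.get("explosion") == "yes":
        return "explosion", 5
    if answers.get("escalation") == "yes":
        return "fire spreads to adjacent plant", 4
    if answers.get("ignition") == "yes":
        return "fire contained on section", 3
    return "unignited flammable cloud", 2


def leaves(frequency, branches):
    """Return [(path, frequency per year)] for every leaf of the event tree."""
    paths = [((), frequency)]
    for b in branches:
        if not 0.0 <= b.p_yes <= 1.0:
            raise ValueError(f"{b.question}: probability outside [0, 1]")
        grown = []
        for path, f in paths:
            if not all(cond in path for cond in b.only_if):
                grown.append((path, f))      # question does not arise here
                continue
            grown.append((path + ((b.question, "yes"),), f * b.p_yes))
            grown.append((path + ((b.question, "no"),), f * (1.0 - b.p_yes)))
        paths = grown
    return paths


def top_events(frequency, branches, classify_leaf):
    """Sum leaf frequencies per TOP event and rank by target risk L + S."""
    totals, severity = defaultdict(float), {}
    for path, f in leaves(frequency, branches):
        name, s = classify_leaf(path)
        if not 1 <= s <= 5:
            raise ValueError(f"{name}: severity ranking must be 1..5")
        totals[name] += f
        severity[name] = s
    rows = []
    for name, f in totals.items():
        if f <= 0.0:
            continue                         # impossible outcome, no exponent
        exponent = math.log10(f)             # L, negative for rare events
        risk = exponent + severity[name]
        rows.append({"top_event": name, "frequency": f, "L": exponent,
                     "S": severity[name], "target_risk": risk,
                     "acceptable": risk <= 0.0})
    return sorted(rows, key=lambda r: r["target_risk"], reverse=True)


if __name__ == "__main__":
    for row in top_events(INITIATING_FREQUENCY, BRANCHES, classify):
        print(f'{row["top_event"]:32s} L={row["L"]:6.2f} S={row["S"]} '
              f'target risk={row["target_risk"]:5.2f} '
              f'{"acceptable" if row["acceptable"] else "needs risk reduction"}')
```

Because each branch only splits the paths on which its question arises, the leaf frequencies always sum back to the initiating frequency, which is a quick check on a hand-built tree.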


Table 7 Preliminary consequence analysis

Column headings: What if undesired event | FR/PR | And: Failure to mitigate | PR | L | S | P | Consequences

1. What if undesired event: Significant release of material: catastrophic failure of methanator circuit (FR/PR 10m3 GA)
   And failure to mitigate: Countermeasures for a release fail: insufficient time for response (PR 1)
   Consequences: Release causes hazardous condition: cloud of flammable material (L 3, S 1)

2. What if undesired event: Ignition of flammable mixture: ignition and torch fire (0.5)
   And failure to mitigate: Countermeasures fail to control fire: fire too great to be put out immediately
   Consequences: Escalation by torch fire

3. What if undesired event: Escalation by fire: further spread of fire to pipe rack (0.2)
   And failure to mitigate: Countermeasures fail to control fire: fire brigade fails to put out fire (no barrier) (0.5)
   Consequences: Escalation by further release of material

4. What if undesired event: Ignition of flammable mixture: ignition and pool fire (1.0)
   And failure to mitigate: Countermeasures fail to control fire: fire brigade fails to put out fire (0.2)
   Consequences: Escalation by pool fire, generating possible explosion with missiles

5. What if undesired event: Escalation by explosion: missiles land on C plant (0.2)
   And failure to mitigate: Countermeasures fail for a release
   Consequences: Escalation by further release of flammable material. Aromatics washed into sewer

Preliminary hazard analysis (PHA)

A preliminary hazard analysis is structured in a similar manner to a HAZOP study. However it is usually possible to partition the plant into fewer sections. Thus instead of proceeding line by line it may be practical to consider just main items of plant and associated lines and heat exchangers. It has been found helpful to consider what happens if the products and planned discharges are off-specification.

Plant information assembly

Plant information should include process information such as notes on fundamental process chemistry including dangerous reactions and side-reactions; data on hazardous materials; process flow diagrams showing control measures and safeguards; equipment specification sheets and inventory levels and any available operating information. The studies noted earlier should be completed as a precursor to preliminary hazard analysis. It is important prior to the preliminary hazard analysis to have a clear specification of the objectives: a full process specification of feeds, products and wastes; constraints on emissions and effluents; specification of utilities.

Partition of the plant into critical sections

The plant is usually partitioned according to the main plant items and their associated ancillary equipment. The design intent of this section should then be defined carefully. If not done previously then a critical examination of the design intent should be carried out. The best starting point of the analysis is at a point on the incident scenario termed dangerous disturbance of plant. The variations of parameters considered to be relevant to a dangerous disturbance form the deviations examined at this stage. They are as follows:

• disturbances resulting in rupture on exceeding mechanical limits: overpressure; over-temperature; machine overload or stress; underpressure; undertemperature
• critical defect in construction: critical defect left in construction or critical deterioration in construction
• flow through abnormal opening to atmosphere: abnormal opening left in plant or abnormal opening made in plant
• adverse change in a planned product or other release: change before leaving plant or change after leaving plant

The analyst expands each cause of a dangerous disturbance leading to rupture and discharge by progressing down to immediate cause as appropriate. The immediate causes of incidents are classified as follows:

• inadequate action by personnel
• defects directly causing loss of integrity
• plant or equipment inadequate or inoperable
• control systems inadequate or inoperable
• deliberate change from design intent
• environmental and external threats

A risk evaluation sheet should be used to conduct the analysis. In this case it is immaterial if the analysis starts at immediate cause and follows the scenario up to consequences of the release. However it is necessary always to return to the dangerous disturbance as the fulcrum of the study. An example, taken from a case study, is given in Table 8. In this particular version of the form up to 2 dangerous disturbances and 3 x 2 immediate causes can be studied. The hazardous disturbances noted on the form correspond to HAZOP style deviations. It is generally unnecessary to complete the form in the detail shown. The risk data is added after and not during the meeting. It is important that the search does not become a


Table 8 PSA risk evaluation Priority C S 4 E-6 0.01 3 as hot and release not attenuated 3 in E-4 3 fire-fighting 4 L S L 7 0.01 E-5 1

sheet

PROJECT: TOMHID PLANT: HYDROGEN UNIT: METHANATOR REFERENCE: LOCATION: EOUIPMENT: GLW SHEFFIELD METHANATOR/PREHEAT

SECTION

FUNCTION: Fire escalates Failure to avoid domino Torch fire on section Failure to avoid ignition: 15 mins Release through Operator 0.1 Over-temperature Failure of operator to stop flow to methanetor Failure of shutdown system High temperature Operator High inlet temperature (slow propagation) fails to reduce trend on TAH 1 E-l Downstream blockage (clean duty) in reactor 0.1 0.1 0.2 in reactor E-3 Overpressure Pressure in reactor relief system fails fails to stop all plant flows
l

Fixed bed reactor converting to pipe rack and C plant due to lack of time and ineffective

oxides

of carbon to hydrogen

Consequences

of escalation

Failure to prevent of plant self-ignites

further

escalation

Consequences

of significant

event

Failure to mitigate

or avoid escalation

Significant over-temperature Operator

event to be prevented

E-4

Release through

overpressure fails

E-5 0.1

Failure to recover the situation

action to depressure

Plant in danger:

dangerous

disturbance

E-4 0.01

Inadequate

emergency

control

or action

Hazardous disturbance

High pressure

in section

E-Z

Inadequate

control

or action

Immediate

causes

E-4

Hazardous disturbance Operator or TAH High COs in stream from absorber fails to reduce trend on CO, alarm 0.8 PRC closed Fuel gas overpressure E-l Lack of demand for product 0.01 0.01 E-O

Inadequate

control

or action

Immediate

causes


Hazardous disturbance Operator fails to reduce trend or TAH or PAH Impurities on CO2 alarm 0.1 PRC closed Fuel gas overpressure line E-Z Off-specification product 0.01 0.01 E-O

1. Operator also alerted by PAR
2. Two relief valves in system and hydrogen is exceptionally free-flowing.
3. Add W-1 and depressuring valve: locate before methanator.

1. Do not depressurise on high temperature unless sure of no flow through methanator.
2. Operator alert by several alarms. New TAH in and out.
3. Check if start-up line needed if heat exchange circuit modified
4. Alter outlet location of start-up line. Add PAH and TR. Double block and bleed.
5. Check catalyst activation.
6. Improve absorber design to enhance reliability.

Inadequate

control

or action


Immediate

causes

in feed: sneak path down start-up

Recommendations/comments/actions

1. Public not affected by domino escalation.
2. Business damage would be extensive if spread to complex.

*The operator can increase the probability of a release by wrong action and special supervision is required on any methanator problem

preliminary HAZOP study. The main search processes become too similar in nature. The PHA should emphasise disturbances of temperature and pressure whereas a HAZOP usually starts with studying deviations of flow. Sometimes it will be found necessary to expand a particular box. For example, the operator action may need to evaluate whether the operator is alerted or stimulated, whether the correct diagnosis is made and whether the right action is taken. Such action may be drastically wrong. In this case an appropriate continuation sheet can be used or a special note added. Also as forms can get congested, it may be desirable to append a separate action sheet or extend the size of sheet used for the analysis. Simplified sheets are used in meetings to carry out the analysis.

Target risk and the risk evaluation sheet

Risk is here defined as the likelihood, L, of a specific undesired event occurring within a given period or in particular circumstances. The likelihood is measured as a frequency per year. The severity, S, is a measure of the expected consequence of an incident outcome. The target risk is defined by the equation

$$\text{Target risk} = \log_{10} 10^{L} + \log_{10} 10^{S} = L + S$$

where L is the exponent of likelihood as measured by frequency (a negative value) and S is a severity ranking set by the company and referring to a set of five failure ranges from minor (1) to catastrophic (5). The target risk is only acceptable when its value is equal to or less than zero. To reduce the risk, measures should be taken to reduce the likelihood of occurrence, which is a measure of the expected probability or frequency of occurrence of an event, or to ameliorate the severity of the consequences of occurrence by appropriate measures. For example, the exposure of an individual to a hazardous substance which cannot be eliminated by other means might involve measures aimed at prevention of exposure, reduction of emission or exposure and provision of means for dealing with residual risk. Results which are clearly not acceptable are prioritized for further study with risk reduction or elimination as the aim. It is particularly helpful to evaluate risk using risk evaluation sheets as this ensures that the contribution to mitigation effected by the operators is particularly noted. This may also highlight the need for specific training. The technique has been applied to maintenance problems, evaluation of the effect of emergency control systems being inoperable, and incident investigation. In most cases it is not necessary to have absolute accuracy for risk estimates as the relative improvement or sensitivity of overall risk to certain criteria is the factor of interest.

Conclusions
All hazard identification methods aim to model part of the incident (accident) scenario. If one observes the amount of data available to the analyst at any stage during the development of plant then it is clear that the starting point of the search must be selected carefully. Methods start from different points: e.g. FMEA at a failure mode, HAZOP at a hazardous deviation. In the main method described here, preliminary hazard analysis, the analysis pivots around a dangerous disturbance of plant which is identified as a point just before the release of material. Also the method utilizes a model of the incident scenarios for documentation purposes. Furthermore the opportunity is taken to evaluate the risk. It will be noted how all the methods used in preliminary safety analysis combine to produce a comprehensive safety study which can be carried out at an early stage of the design, and can be developed further as the detailed engineering of the plant proceeds. The risk evaluation sheets provide a ready record which can be examined during production to identify the effect on risk should changes in plant and its availability arise.

Acknowledgements
Mike Wardman is sponsored by the UK Science and Engineering Research Council and Cris Whetton by the EC STEP programme.

References
1 Turney, R. D. Process Safety & Environmental Protection, February 1990, 12
2 James, R. A. Applications of HAZOP and the Pre-HAZOP technique, Module 1, PSLP Course, Sheffield, Oct 12-15, 1992
3 Elliot, T. D. M. and Owen, I. M. The Chemical Engineer, November 1968, 377
4 The Control of Industrial Major Accident Hazards Regulations, SI 1984/1902, 1984
5 Lees, F. P. Loss Prevention in the Process Industries, Butterworth & Co Ltd, London, 1980
6 Wells, G. L. Preliminary Safety Analysis, Module 1, PSLP Course, Sheffield, Oct 12-15, 1992
