TECHNIQUE FOR SELECTING THE DESIGN BASES FOR PROCESS...

Date post: 24-Mar-2020
Page 1: TECHNIQUE FOR SELECTING THE DESIGN BASES FOR PROCESS …ftp.feq.ufu.br/Luis_Claudio/Segurança/Safety/GUIDELINES... · 2008-11-20 · 2 TECHNIQUE FOR SELECTING THE DESIGN BASES FOR

2 TECHNIQUE FOR SELECTING THE DESIGN BASES FOR PROCESS SAFETY SYSTEMS

2.1 RISK-BASED DESIGN DECISIONS

Anyone involved with process or equipment design sooner or later faces the problem of choosing among alternative designs with differing process efficiency, safety, environmental control, cost, and schedule implications. To accomplish this, the formation of a multidisciplinary design team is required at the beginning of a project in order to obtain total integration of process safety with process design and environmental protection considerations (Windhorst 1995). Sometimes the safety considerations clearly dominate and the decisions are already made in the form of special design approaches (e.g., design of nitromethane and ethylene oxide facilities). In some instances codes and standards exist that either mandate or suggest design approaches to known high risks.

In a majority of situations, however, no one factor dominates, except perhaps cost. When there are recognized safety implications, optimizing on cost alone is not an acceptable strategy. In the process of arriving at a design basis decision, the risks of each option are typically dealt with judgmentally or qualitatively (CCPS 1995a). In some instances, one component of risk is quantified (i.e., either consequence or probability) to justify the design selection. For large projects, full risk quantification is sometimes used to assess the combined impacts of multiple hazards.

To take a generic case, imagine a core process design at the stage of an initial process flow diagram, whereby designers have specified the general configuration of all major system equipment (i.e., for all primary unit operations). At this point, the design is defined in terms of heat and material balances, and basic process controls.


With the core system established, an engineering team proceeds to detail and enhance the process design. Questions of quality, safety, health, and environmental impact arise. Designers begin imagining things that can go wrong with the system (i.e., failure scenarios). Focusing here on process safety systems, we suggest that designers begin thinking like risk analysts, asking:

• What can go wrong? What failure scenarios can we realistically expect with this process?

• What impact can those failure scenarios have? Can we live with such consequences?

• Do we need to worry about these potential failure scenarios actually happening? How likely are they to occur?

• What is the risk? Can we tolerate the potential consequences at the estimated likelihood?

Historically, design engineers have typically answered these questions according to their own best judgment. This is how process safety systems came to be: designers made risk-based decisions when considering the need for, and when selecting design bases for, process safety systems.

If posed at the conceptual stage of a process design, these questions offer great opportunity for the application of inherently safer design solutions. While inherently safer solutions should emerge as recurring themes throughout the design cycle (i.e., laboratory stage, pilot plant scale, production design, operations), the earlier the application of inherently safer solutions, the more cost-effective these solutions will be.

It is important to recognize that, irrespective of the specific approaches and the level of effort, engineers and technical managers are already directly or indirectly factoring risk into the selection of design options. Unfortunately, the process used to assess risk is often neither systematic nor comprehensive. This chapter presents a decision process for design bases selection that explicitly incorporates the elements of risk into process safety system design selection. The purpose of this technique is not to require designers to conduct rigorous risk assessments, but rather to provide a logical approach and framework for considering risk factors, even when the situation only warrants qualitative analysis. This decision process can be applied at any stage of the design.

A systematic technique can provide a consistent risk management framework for process safety system design basis decisions. Inconsistencies in approach can develop not only between different processes and facilities; in the case of large, complex design projects, different design engineers may also follow different risk management philosophies.

Consistency with respect to risk tolerability decisions is necessary to assure all stakeholders (e.g., owners, employees, customers, and the general public) that risks are being properly managed. In some countries, governments are also explicit stakeholders in the effort to reduce the risk of chemical industry accidents, providing such regulations as OSHA 1992, EPA 1996, and HSE 1989. Consequently, having a consistent, documented technique for the selection and design of process safety systems is not only prudent management, it is evolving into a regulatory requirement.

However, systematic does not necessarily imply quantitative. Quantitative risk assessment is similar to strong medication—you don't want to overdose! In many simple design situations, qualitative approaches will satisfy the requirements of the technique for selecting process safety system design bases. More complex design cases may occasionally require rigorous quantitative risk analysis approaches. But even in these complex cases, quantitative approaches should only be employed to the degree required to make a decision. This concept of the selective use of quantitative risk analysis has been incorporated into the technique presented later in the chapter.

For example, consider a company that has toxic impact criteria limiting potential off-site vapor concentrations to a specific, quantified level of concern. By performing vapor dispersion calculations (i.e., by quantitatively characterizing the consequences of potential releases), the company can determine whether particular loss of containment scenarios associated with specific failures exceed the toxic impact criteria. If the consequences of a scenario satisfy the off-site toxic impact tolerability criteria, then the quantification of the risk stops right there. No analysis of event likelihood is needed to reach a decision.

2.2 THE CONCEPT OF RISK

As mentioned earlier, the design basis selection technique for process safety systems set forth later in this chapter is a risk-based technique. An overview of the concept of risk is therefore useful before presentation of the technique.

In prior CCPS books, discussions of risk evolved from the definition of hazard. These earlier works defined a hazard as a chemical or physical condition or characteristic that has the potential for causing damage to people, the environment, or property (CCPS 1989; CCPS 1993). A hazard represents a potential source of harm.

Based on this concept of hazard, we can define an incident as an unplanned event or series of events with the potential for undesirable consequences (CCPS 1992a). An incident has the potential to expose people, the environment, or property to the harmful effects of a hazard.

Risk is defined as a measure of loss in terms of both "the incident likelihood and the magnitude of the loss" (CCPS 1989). This concept of risk couples an undesirable outcome, i.e., a consequence such as safety impact or financial loss, with the likelihood of that outcome. The likelihood is expressed in terms of frequency or probability of occurrence. The outcome is expressed in terms of impacts such as loss of life, environmental damage, or business interruption.

In summary, inherent in the assessment of risk are the dimensions of consequences (outcomes/impacts) and likelihood (frequency/probability). Various techniques, both qualitative and quantitative, have evolved for assessment of risk. It is not the intent of this book to cover these techniques. A thorough discussion of this subject can be found in Guidelines for Chemical Process Quantitative Risk Assessment (CCPS 1989) and Guidelines for Chemical Transportation Risk Analysis (CCPS 1995b). For the purpose of this book, the description of four key risk assessment steps in Exhibit 2.1 suffices.

EXHIBIT 2.1 Four Key Integrated Activities in Risk Analysis

Activity 1. Hazard Identification
Description:
• Systematic identification of hazards and related failure scenarios that can lead to incidents
• Frequently involves application of standard techniques such as HAZOP, FMEA, and What-If

Activity 2. Consequence Estimation
Description:
• Process used to estimate the consequence of failure scenarios
• Typically involves a range of activities from simple application of qualitative damage criteria to complex computer models for characterizing impacts of hazardous materials releases that result in fires, explosions, and toxic vapor clouds
• Characterization of the release conditions (i.e., source term) is a critical step in quantitative consequence analysis, having great influence on the validity of the results

Activity 3. Likelihood Estimation
Description:
• Process used to estimate the likelihood (probability or frequency) of a particular incident or outcome
• Where available, historical data are used to quantify the likelihood
• When historical data are unavailable, incomplete, or inappropriate, analytical approaches such as fault tree and event trees are employed to determine the likelihood of incident/outcomes based on more fundamental failure data

Activity 4. Risk Estimation
Description:
• Process of combining consequence and likelihood estimations of all selected scenarios into a measure of overall risk
• Includes various ways of displaying risk such as individual risk contours or overall likelihood of various levels of consequence
• Prioritization of risks


2.3 SELECTION OF DESIGN BASES FOR SAFETY SYSTEMS

This section describes a systematic risk-based technique for selecting the design bases for process safety systems. Use of the technique imposes discipline on the thought process, yet allows for flexibility in application. The design bases selection technique is comprised of a number of analysis and testing steps detailed graphically in a decision tree (see Exhibit 2.2).

2.3.1 Step 1: Identify Failure Scenarios

Step 1 assumes the existence of a core process design. Whether a new process or a modification of an existing process, designers have specified the major equipment, including heat and material balances. With this core system established, address things that can go wrong, i.e., failure scenarios. For example, refer to the equipment chapters of this book, consult design checklists, or perform hazard evaluations by employing the standard techniques described in Guidelines for Hazard Evaluation Procedures (CCPS 1992b).

2.3.2 Step 2: Estimate the Consequences

In this step, estimate the consequences of the failure scenarios identified in step 1. In general terms, these can relate to quality, safety, health, and environmental impacts. For these Guidelines, consequences of interest include fires, explosions, toxic material releases, and major equipment damage. Engineers may, in some cases, uncover potential consequences by direct observation, engineering judgment or use of qualitative consequence criteria. In other cases the use of quantitative consequence estimation techniques may be necessary.

Consequence estimation requires information on the physical, chemical and toxic nature of the materials involved in the process, the quantity of material which could be involved in a scenario, the impact of each scenario on the surroundings (facility siting) and an economic evaluation of the impact of equipment damage and lost production.

This information can be obtained from the MSDS or other sources of product safety information. This, combined with the quantity of material in the process, can be used to assess fire, explosion and toxic effects using appropriate source terms, dispersion calculations and effect models for scenarios with the potential for materials release to the environment. Facility siting issues may also be brought in at this point.

Economic consequences must also be evaluated. These are highly dependent on such factors as alternative sources of supply, availability of alternative production facilities, and replacement units.


EXHIBIT 2.2 Technique for Selecting the Design Bases for Process Safety Systems (decision tree, reconstructed from the figure labels)

Step 1: Identify failure scenarios
  |
Step 2: Estimate the consequences
  |
Step 3: Are consequences tolerable?
  YES -> Step 9: Document results
  NO  -> Step 4: Estimate likelihood and risk
           |
         Step 5: Is the risk tolerable?
           YES -> Step 9: Document results
           NO  -> Step 6: Consider enhanced and/or alternative designs
                    |
                  Step 7: Evaluate enhancements and/or alternatives
                    |
                  Step 8: Are the risk and costs tolerable?
                    YES -> Step 9: Document results
                    NO  -> return to Step 6


2.3.3 Step 3: Determine Tolerability of Consequences

In this step, for each failure scenario ask: "Can we tolerate the consequences?" Answering this question requires guidance from established tolerability criteria.

Established criteria might take the form of (1) company-specific criteria (such as not exceeding a specified hazardous material concentration at the fence line), (2) known engineering codes and standards, (3) industry initiatives, or (4) government regulations. If application of the criteria yields tolerable consequences, then no additional process safety system is needed, and no further risk assessment is required. Proceed to step 9 and document the results. For intolerable consequences, continue the risk assessment in step 4.

2.3.4 Step 4: Estimate Likelihood and Risk

First, estimate the likelihood of the failure scenarios identified in step 1. Frequency estimates may derive from comparisons to past experience or written qualitative criteria, such as the simple differentiation between scenarios involving single failures and scenarios involving multiple failures. Other cases may require quantified estimates, such as the estimates resulting from fault tree analysis.

Next, to estimate the risk, couple the consequence and likelihood. Methods for combining likelihood and consequence estimates to obtain risk measures are presented in Guidelines for Chemical Process Quantitative Risk Analysis (CCPS 1989a). Again, some cases may reveal themselves by comparison to other systems or past analyses, or by employing qualitative tools such as risk matrices. Other cases may require quantified approaches, such as determining risk profiles or risk contours (see Chapter 7 of CCPS 1992b for a description of various approaches).

Risk estimation can be the single most difficult step in this process. While consequence estimation is objective, likelihood evaluation often involves a direct and specific performance assessment of the ability of both individuals and organizations to manage risk, or of the adequacy of a specific design or equipment item given its age and operating history. Because of this, great care must be taken to ensure its accuracy and lack of bias.

At some point, quantification of likelihood may be necessary, but often it is superseded by standardization into policies, engineering standards and standard practices. For example, failures with no or low consequences may be considered adequately controlled by normal process controls, whereas severe hazards (such as those with off-site ramifications) may require two or more independent levels of control or mitigation, in addition to normal process controls, to bring the risk into an acceptable range.


Assessment of likelihood often requires evaluation of both plant systems and procedures. Equipment failure data are available from a number of sources, and while there are uncertainties and gaps in the data, these can be objectively and consistently evaluated through the use of plant data collection and component failure testing. Also, a comprehensive risk management plan based on the results of studies such as these can provide typical component failure rates to be used for a wide range of evaluations. The CCPS book Guidelines for Process Equipment Reliability Data (CCPS 1989b) is a source of both data and references for additional information.

Reliability of procedural safeguards, on the other hand, is tied to the effectiveness of training and the strength of managerial implementation and documentation. Not only are these hard to measure, they can change significantly, in either a positive or negative manner, due to a wide variety of factors, such as personnel turnover or change in management.

2.3.5 Step 5: Determine Tolerability of Risk

In this step, ask: "Can we tolerate the estimated risk?" Like step 3, answering this question requires guidance in the form of established tolerability criteria. The topic of risk tolerability is discussed in more detail in Section 2.4 of this text.

If application of the criteria yields tolerable risk, then no additional process safety system is needed; proceed to step 9 to document the results. For intolerable risk, continue with risk reduction efforts in step 6.

2.3.6 Step 6: Consider Enhanced and/or Alternative Designs

If steps 1-5 established the need for a process safety system, i.e., a risk reduction measure, now consider how to reduce risk, mitigate consequences, lower the likelihood of realizing the failure scenario, or prevent the consequences altogether via design alternatives. Employ general loss prevention concepts, such as those in the Guidelines for Engineering Design for Process Safety (CCPS 1993), or consider the risk reduction design solutions discussed in the equipment chapters of this book. The tables in Chapters 3-12, along with other specific references, such as general industry practices, internal company standards, external consensus codes and standards, and regulations, are intended to suggest potential alternatives to enhance the risk tolerability of the design. Not all solutions presented in the tables will be applicable to every situation.


2.3.7 Step 7: Evaluate Enhancements and/or Alternatives

Review the design enhancements and/or alternatives. Ensure that these proposed design changes would sufficiently reduce the risk estimated in step 4. Also, evaluate the degree to which the design enhancements and/or alternatives introduce new failure scenarios, and therefore new risks; re-estimate the risk by repeating steps 1-4, considering the changes as an integral part of the process. Each potential enhancement must be evaluated for:

• Technical Feasibility—Will it work at all?

• Applicability to a specific situation—Will it work here?

• Cost/Benefit—Is it the best use of resources, or can greater risk reductions be achieved by spending the same money elsewhere?

• Synergistic/Mutual Exclusivity effects—Will this solution work in conjunction with other potential enhancements, or will its implementation eliminate other potential beneficial solutions from being considered?

• Additional New Hazards—Will this solution create new hazards that must be evaluated?

2.3.8 Step 8: Determine Tolerability of Risk and Cost

Based on the risk estimated with the design enhancements and/or alternatives in step 7, ask: "Can we tolerate the risk and cost?" As in steps 3 and 5, answering this question requires guidance in the form of established tolerability criteria. In this instance the tolerability determination must address both risk and cost because, like all design decisions, process safety system designs must satisfy the process economics.

Cost information can be coupled with the risk reduction benefit of each alternative, so that the cost-benefit trade-off can be assessed. In most cases, the cost-benefit analysis is likely to be qualitative in nature (CCPS 1995a). However, when this methodology is applied to a large number of competing process safety systems, such as those resulting from process hazard analysis (PHA) reports, quantitative cost-benefit techniques can be applied (Stevens and Stickles 1992).

If application of the criteria yields tolerable risk and cost, then continue to step 9 to document the results and then implement the design enhancements and/or alternatives. For intolerable risks or costs, go back to step 6 to consider additional or alternative risk reduction strategies.

2.3.9 Step 9: Document Results

Document the results derived from applying this technique. The failure scenarios and the associated consequences, likelihood, and risks comprise the conceptual design basis for the process safety system. Documentation of the design basis captures and preserves vital information, and will prove especially important during hazard evaluations, management of change situations, and other related risk management activities, including future design efforts. Without proper design documentation (CCPS 1995c), important information may not be available for consideration in future situations involving safety decisions.

Even in situations where the tolerability criteria applied in steps 3 or 5 determine that no process safety system is needed, it is important to document this decision so that the design basis is not contradicted by future operating or design changes. If for no other reason, document the rationale to avoid the need to repeat the exercise in the future.

2.4 GUIDELINES FOR RISK TOLERABILITY

Application of a systematic risk-based technique for selecting safety system design bases depends on the availability and use of risk tolerability guidelines. In steps 3, 5, and 8 of the technique, the designer must ask: "Can we tolerate the risk posed by the process, or do we need to add a process safety system to reduce the risk to a tolerable level?" Answering this question requires practical and robust guidelines on risk tolerability.

Attitudes about the tolerability of risks vary widely, depending on the individual, the nature of the risk (Is it voluntary or involuntary? Will it impact one person or many people or the environment?), the presence of other risks, the degree to which the risk can be controlled or reduced, past experience, etc. This helps to explain why there are no universal norms for risk tolerability. Even within a particular community, attitudes change over time. So how does a company go about establishing a set of criteria to guide it in making decisions about the tolerability of certain consequences, likelihoods, or risks—both qualitatively and quantitatively?

It helps to start with the purpose of risk criteria or guidelines. Companies establish risk criteria to provide consistency in decision-making about risk, with the end purpose of protecting the community, the environment, employees, and equipment and operations as well as controlling the cost of doing business. The level of concern is not necessarily equal across all these groups, but decisions that protect people will often reduce the risk of property damage or environmental impact as well. Thus risk criteria or guidelines do not represent levels of risk that are tolerable to the public or some other group, but instead represent levels of risk that an organization believes will minimize impacts to continued operations.


Typically, people think risk criteria are used to compare the final results of a risk assessment against some internal or external standards. However, steps 3, 5, and 8 of Exhibit 2.2 all require "risk" criteria or guidelines of some form for a company to make consistent, effective decisions. Exhibit 2.3 presents examples of both qualitative and quantitative criteria that address consequences, likelihoods, risk, and risk and cost together. A description of each of the examples appears below. Throughout the descriptions that follow, the references to "steps" refer to the steps of the design basis selection technique presented in Exhibit 2.2.

Release Limits

As a means of addressing the tolerability of the potential consequences of a release, simply consider the amount of material that could be released. The "tolerable" quantity might vary by material to reflect different hazards and physical states—such as 200 pounds for chlorine and 5000 pounds for gasoline. The tolerable quantity might also vary as a function of the receptor(s) of concern—such as workers, the public, or the environment. If a potential maximum release does not exceed the established threshold, then application of release limit criteria in step 3 of the technique would yield tolerable consequences.

Threshold Impact Criteria for Fence or Property Line

Use typical impact criteria, such as those given in Exhibit 2.4, along with coarse or sophisticated consequence modeling to see if property or fence line values exceed the chosen thresholds. If values do not exceed the thresholds,

EXHIBIT 2.3 Examples of Tolerability Criteria and Application to Design Basis Selection Technique

Applicability                          | Qualitative Criteria Examples             | Quantitative Criteria Examples
Step 3: Tolerability of Consequences   | Release limits                            | Threshold concentration levels for fence or property line
Step 5: Tolerability of Likelihood     | Single versus multiple component failures | Critical event frequency
Step 5: Tolerability of Risk           | Risk matrix                               | Individual and/or societal risk criteria
Step 8: Tolerability of Risk and Cost  | Risk matrix and cost threshold            | Cost-benefit criteria


EXHIBIT 2.4 Representative Threshold Impact Criteria

Consequence Type: Toxic
Impact Criteria:
• IDLH (Immediately Dangerous to Life or Health), 30 minutes without irreversible effects
• ERPG-1 (Emergency Response Planning Guideline), 1 hour without any significant effects
• ERPG-2, 1 hour without irreversible effects
• ERPG-3, 1 hour without life threatening effects

Consequence Type: Thermal Radiation (Fireball)
Heat Flux                   | Duration | Direct Effect
9.5 kW/m2 (3010 Btu/h-ft2)  | 8 sec.   | Pain threshold reached
9.5 kW/m2 (3010 Btu/h-ft2)  | 20 sec.  | Second degree burns
4 kW/m2 (1270 Btu/h-ft2)    | 20 sec.  | Pain threshold reached
1.6 kW/m2 (510 Btu/h-ft2)   |          | No discomfort for long exposure

Consequence Type: Blast Overpressure
Pressure (psig) | Direct Effects                                       | Indirect Effects
0.5-1           | Windows usually shattered                            | Injury from flying glass
2-3             | Concrete or cinder walls (not reinforced) shattered  | Injury/fatality from falling debris
10              | Probable total destruction of buildings              | Injury/fatality from building collapse
>15             | Likely fatality                                      |

then application of threshold impact criteria in step 3 of the technique would yield tolerable consequences.

Single versus Multiple Component Failures

As a qualitative measure of likelihood, companies might choose to tolerate event scenarios that require three independent failures before the event can occur, and not tolerate events arising from single component failures. For events arising from two component failures, companies might conduct further analysis.


Critical Event Frequency

A critical event is an event with a specified, high consequence such as an event involving an offsite community impact, critical system damage, a severe injury or a fatality.

In general, a continuum of various threshold frequencies might be selected, e.g., 1 × 10⁻⁴/year to 1 × 10⁻⁷/year, depending on the extent and nature of worst-case consequences (e.g., property or environmental impact, on-site or off-site fatalities, etc.). As noted previously, companies must consider numerous factors in setting such risk tolerability thresholds. One event frequency limiting value that is sometimes used is 1 × 10⁻⁴ critical events per year, based on the design-basis event concept used for North Sea platforms and other major installations (Advisory Committee on Major Hazards 1976; Conway 1981; Tompkins and Riffee 1983; Chicken 1986).

Risk Matrix

Use qualitative or semi-quantitative frequency and severity categories to estimate the risk of an event as illustrated in Exhibit 2.5. If an event has low risk (i.e., a risk rank of "C" or "D" per Exhibit 2.5) then it is considered tolerable in step 5. Exhibit 2.5 is illustrative of an application involving human injury. The criteria can be expanded to include environmental impacts and/or property loss potential (CCPS 1992b).

Individual Risk CriteriaIn step 5, one can use numerical criteria for the maximum and average levels ofrisk posed to employees and the public. Such criteria consider the frequency ofthe event or events to which an individual might be exposed, the severity ofthat exposure, and the amount of time for which the individual is at risk. Thereis no consensus on appropriate values, but an individual mortality value of1X 10~5 per year at the fence line to represent the maximum risk level for thepublic is not unusual among those using such criteria (Royal Society 1983;Chicken 1986; Bendixen 1988; Gibson 1976; CCPS 1989).

Societal Risk CriteriaInstead of, or in addition to, individual risk criteria, one can use societal riskcriteria such as those shown in Exhibit 2.6. These are criteria that provide amore detailed evaluation of the distribution of risk. That is, both high fre-quency/low consequence and low frequency/high consequence events can beaddressed explicitly. This can be of particular concern if a company hasrecently experienced an undesired event and cannot tolerate another one nomatter how small the consequences, or if there is a potential for an eventinvolving large numbers of people or that would release large quantities of ahazardous material into the environment.


EXHIBIT 2.5 Illustrative Risk Matrix

Consequence Range | Qualitative Consequence Criteria
C4 | One or more fatalities; Injuries or fatalities within community
C3 | Permanent disabilities within localized section of process or building; Lost time injuries or hospitalizations outside of local area
C2 | One lost time injury; Multiple recordable injuries
C1 | One recordable injury; Emergency response call-out without injury

Likelihood Range | Qualitative Frequency Criteria
L4 | Once in 10 years
L3 | Once in 100 years
L2 | Once in 1000 years
L1 | Less than once in 1000 years

Risk Rank | Qualitative Description of Risk
A | Intolerable risk. Risk reduction required.
B | Intolerable risk. Risk reduction or more rigorous risk estimation required.
C | Tolerable risk. Consider need for risk reduction.
D | Tolerable risk. No risk reduction required.


EXHIBIT 2.6 Societal Risk Criteria. [Adapted from Health and Safety Commission, U.K. 1991.]

[F-N curve: vertical axis F (frequency of N or more fatalities/yr); horizontal axis N (number of fatalities).]
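As an added illustration of how societal risk criteria of the F-N type shown in Exhibit 2.6 are applied in step 5 (this code is not part of the Guidelines; the scenario list is constructed, and the criterion line's intercept and slope are placeholders rather than the HSC 1991 values, which are not reproduced here), the following builds the cumulative F-N curve from a set of event scenarios and reports where it lies above the criterion line. Running it with a steeper (risk-averse) line shows how the same scenario set is judged differently when low frequency/high consequence events are weighted more heavily.

```python
"""Constructed example: societal (F-N) risk evaluation of a scenario set.

The scenario list and the criterion line are made up for illustration; the
Guidelines' Exhibit 2.6 is adapted from HSC (1991) but its numerical line
is not reproduced on the page, so INTERCEPT and SLOPE are placeholders.
"""
from typing import Dict, List, Tuple

Scenario = Tuple[str, float, int]   # (name, frequency per year, fatalities N)

# Constructed scenario set spanning high-frequency/low-consequence and
# low-frequency/high-consequence events.
SCENARIOS: List[Scenario] = [
    ("small leak with ignition", 1e-3, 1),
    ("flash fire in unit", 2e-4, 3),
    ("vapor cloud explosion", 1e-5, 12),
    ("toxic release reaching the community", 2e-6, 40),
]

# Placeholder criterion line F = INTERCEPT * N**(-SLOPE) in log-log space.
# A slope above 1 weights large-N events more heavily (risk aversion).
INTERCEPT = 1e-3
SLOPE = 1.0


def fn_curve(scenarios: List[Scenario]) -> Dict[int, float]:
    """Return {N: F(N)}, where F(N) is the total frequency per year of all
    scenarios causing N or more fatalities (the cumulative form plotted
    on an F-N diagram such as Exhibit 2.6)."""
    ns = sorted({n for _, _, n in scenarios if n > 0})
    return {n: sum(f for _, f, m in scenarios if m >= n) for n in ns}


def criterion_frequency(n: int, intercept: float = INTERCEPT,
                        slope: float = SLOPE) -> float:
    """Maximum tolerable F for N or more fatalities under the assumed line."""
    return intercept * n ** (-slope)


def exceedances(scenarios: List[Scenario], intercept: float = INTERCEPT,
                slope: float = SLOPE) -> List[Tuple[int, float]]:
    """Points (N, F(N)) of the cumulative curve lying above the criterion."""
    curve = fn_curve(scenarios)
    return [(n, f) for n, f in sorted(curve.items())
            if f > criterion_frequency(n, intercept, slope)]


def meets_criterion(scenarios: List[Scenario], intercept: float = INTERCEPT,
                    slope: float = SLOPE) -> bool:
    """Step 5 decision: the whole curve must lie on or below the line."""
    return not exceedances(scenarios, intercept, slope)


if __name__ == "__main__":
    for n, f in sorted(fn_curve(SCENARIOS).items()):
        print(f"N>={n:>3}: F={f:.2e}/yr  limit={criterion_frequency(n):.2e}/yr")
    print("meets criterion:", meets_criterion(SCENARIOS))
    # Same scenarios against a risk-averse line (slope 2): more exceedances.
    print("exceedances at slope 2:", exceedances(SCENARIOS, slope=2.0))
```

With the placeholder line, only the N ≥ 1 point (dominated by the frequent small leak) exceeds the criterion; with a slope of 2 every point exceeds it, which is the explicit treatment of both ends of the distribution that the text describes.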

Risk Matrix and Cost Threshold

Qualitative assessments in step 8 must account for both the risk reduction and the associated costs of an enhancement. While this may appear straightforward if the risk reduction benefit is obviously large and the cost is small, the tradeoffs are usually more complex than this. A risk matrix can help in such assessments. For example, an enhancement or alternative that reduces a high risk to a medium risk and costs less than X dollars might be considered feasible and effective, as might an alternative costing 30X dollars and reducing a high risk to a low risk. Specify such "rules" or thresholds in advance.

Cost-Benefit Criteria

If one employs quantitative estimates of risk, then it is possible to set specific criteria for the amount of risk reduction expected for each dollar expended. Consider anything less than this ratio ineffective. In some instances, one might have two thresholds—one for the dollars necessary to achieve a tolerable risk level, and another for any further risk reduction beyond this point.

Select or develop criteria that are representative of your company's philosophy and culture, and which match the type of analysis (qualitative or quantitative) you commonly conduct in the design stage. This is a corporate responsibility and requires the involvement and support of senior management, as it determines the levels and types of risk that the company will tolerate.
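As an added illustration of the risk-matrix ranking (steps 4 and 5), the pre-specified cost thresholds (step 8) and the two-threshold cost-benefit rule described above (this code is not part of the Guidelines; the likelihood bin edges, the rank assigned to each matrix cell, the dollar figure X and the two cost-benefit ratios are assumed values standing in for the criteria a company would set in advance), the following applies those rules to a constructed scenario:

```python
"""Constructed example: applying risk-matrix tolerability (steps 4-5) and
cost screening (step 8) of the design basis selection technique.

Everything numeric here is an assumption standing in for company policy:
the likelihood bin edges, which rank sits in each matrix cell, the dollar
figure X and the two cost-benefit ratios are not values from the Guidelines.
"""

# Exhibit 2.5 likelihood ranges, with assumed lower bin edges (events/year).
LIKELIHOOD_BINS = (
    ("L4", 1e-1),   # about once in 10 years, or more often
    ("L3", 1e-2),   # about once in 100 years
    ("L2", 1e-3),   # about once in 1000 years
)                   # anything rarer: L1, less than once in 1000 years


def likelihood_range(freq_per_year: float) -> str:
    """Map an estimated event frequency to an Exhibit 2.5 likelihood range."""
    for label, lower_edge in LIKELIHOOD_BINS:
        if freq_per_year >= lower_edge:
            return label
    return "L1"


# Assumed rank for each (consequence, likelihood) cell. The page defines
# ranks A-D but not the cell assignments, so these are illustrative only.
RISK_MATRIX = {
    "C4": {"L4": "A", "L3": "A", "L2": "B", "L1": "C"},
    "C3": {"L4": "A", "L3": "B", "L2": "C", "L1": "D"},
    "C2": {"L4": "B", "L3": "C", "L2": "D", "L1": "D"},
    "C1": {"L4": "C", "L3": "D", "L2": "D", "L1": "D"},
}
TOLERABLE_RANKS = {"C", "D"}          # Exhibit 2.5: C and D are tolerable
RANK_LEVEL = {"A": "high", "B": "high", "C": "medium", "D": "low"}


def risk_rank(consequence: str, freq_per_year: float) -> str:
    """Step 4: combine consequence range (C1-C4) and frequency into a rank."""
    return RISK_MATRIX[consequence][likelihood_range(freq_per_year)]


def is_tolerable(rank: str) -> bool:
    """Step 5: tolerability per the rank descriptions in Exhibit 2.5."""
    return rank in TOLERABLE_RANKS


# Step 8 qualitative rule from the text, with X an assumed company figure:
# high -> medium for at most X dollars, or high -> low for at most 30X.
X_DOLLARS = 100_000.0


def enhancement_feasible(rank_before: str, rank_after: str, cost: float) -> bool:
    """Apply the pre-specified cost thresholds to a candidate enhancement."""
    before, after = RANK_LEVEL[rank_before], RANK_LEVEL[rank_after]
    if before == "high" and after == "medium":
        return cost <= X_DOLLARS
    if before == "high" and after == "low":
        return cost <= 30 * X_DOLLARS
    return False   # no rule was agreed in advance for any other move


# Quantitative cost-benefit screen with two thresholds (assumed values):
# risk reduction per dollar needed to reach a tolerable level, and a
# stricter ratio for reductions beyond that point.
RATIO_TO_TOLERABLE = 1e-9   # expected fatalities/year avoided per dollar
RATIO_BEYOND = 1e-8


def cost_effective(risk_before: float, risk_after: float, cost: float,
                   tolerable_risk: float) -> bool:
    """Risk values are expected fatalities/year (frequency x fatalities)."""
    if cost <= 0 or risk_after >= risk_before:
        return False
    ratio = (risk_before - risk_after) / cost
    required = RATIO_TO_TOLERABLE if risk_before > tolerable_risk else RATIO_BEYOND
    return ratio >= required


if __name__ == "__main__":
    # Constructed scenario: a C3 event estimated at roughly once in 50 years.
    base = risk_rank("C3", 0.02)                      # "B": intolerable
    print(base, is_tolerable(base))
    print(enhancement_feasible(base, "C", 80_000))    # True: within X
    print(enhancement_feasible(base, "D", 3_500_000)) # False: above 30X
```

The matrix and thresholds are deliberately plain data at the top of the file: the text's point is that these rules are a corporate decision made before the analysis, so they should be reviewable separately from the code that applies them.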


2.5 POTENTIAL PROCESS SAFETY SYSTEMS DESIGN SOLUTIONS

2.5.1 Four Categories of Design Solutions

Before proceeding with examples illustrating the application of the technique for selection of safety system design bases, a review of generic design solutions for minimizing risk is appropriate. Safety system designs fall into one of four categories.

INHERENTLY SAFER design solutions eliminate or mitigate the hazard by using materials and process conditions that are less hazardous. For an extensive discussion of the concept of inherently safer chemical processes, see CCPS 1996.

Examples of inherently safer solutions include:

• Substituting water for a flammable solvent

• Reducing or eliminating inventories of hazardous intermediates

Approaches to the design of inherently safer processes and plants have been grouped into four major strategies by IChemE and IPSG (1995) and Kletz (1991):

• Minimize. Use smaller quantities of hazardous substances (also called Intensification).

• Substitute. Replace a material with a less hazardous substance.

• Moderate. Use less hazardous conditions, a less hazardous form of a material, or facilities which minimize the impact of a release of hazardous material or energy (also called Attenuation and Limitation of Effects).

• Simplify. Design facilities which eliminate unnecessary complexity and make operating errors less likely, and which are forgiving of errors which are made (also called Error Tolerance).

PASSIVE design solutions do not require any device to sense and/or actively respond to a process variable and have very reliable mechanical design.

Examples of passive design solutions include:

• Using incompatible hose couplings, nonsplash filling using permanently installed dip-pipes, permanent grounding and bonding via continuous metal equipment and pipe rather than with removable cables

• Designing high pressure equipment to contain overpressure hazards such as internal deflagration

• Containing hazardous inventories with a dike that has a bottom sloped to a remote impounding area, which is designed to minimize surface area


ACTIVE design solutions require devices to monitor a process variable and function to mitigate a hazard.

Frequently active solutions involve a considerable maintenance and procedural component and are therefore typically less reliable than inherently safer or passive solutions. To achieve necessary reliability, redundancy is often used to eliminate conflict between production and safety requirements (such as having to shut down a unit to maintain a relief valve).

Active solutions are sometimes referred to as engineering controls. Examples of active solutions include:

• Using a pressure safety valve or rupture disk to prevent vessel overpressure

• Interlocking a high level sensing device to a vessel inlet valve and pump motor to prevent liquid overfill of the vessel

• Installing check valves

PROCEDURAL design solutions require a person to perform an action to avoid a hazard. This would include following a standard operating procedure or responding to an indication of a problem such as an alarm, an instrument reading, a noise, a leak, or a sampling result. Since an individual is involved in performing the corrective action, consideration needs to be given to human factors issues (CCPS 1994a), e.g., over-alarming, improper allocation of tasks between machine and person, inadequate support culture. Because of the human factors involved, procedural solutions are generally the least reliable of the four categories.

Procedural solutions are sometimes referred to as administrative controls. Examples of procedural solutions include:

• Following standard operating procedures to keep process operations within established equipment mechanical design limits

• Manually closing a feed isolation valve in response to a high level alarm to avoid tank overfilling

• Executing preventive maintenance procedures to prevent equipment failures

• Manually attaching bonding and grounding systems

Throughout the equipment chapters in this volume, design solutions will appear for each failure scenario, divided into three categories: (1) inherently safer/passive, (2) active, and (3) procedural.

Inherently safer and passive design solutions often overlap. For this reason, the inherently safer and passive solution categories have been combined in the tables presented in the equipment chapters of this book.


An important aspect in the classification of design solutions is the distinction between inherently safer/passive and active systems. It is generally accepted that a containment dike is a passive solution (EPA 1995). What about safety devices such as a rupture disk or end-of-line flame arresters? In the case of the rupture disk, it can be argued that it must sense pressure in order to function and therefore would be an active solution. This analogy does not apply so well to end-of-line flame arresters. However, there are many instances of flame arresters that have failed to function or otherwise contributed to hazardous incidents, due to neglect or lack of preventive maintenance. While the authors of this book recognize these distinctions are legitimately debatable, it was decided that both relief devices (pressure safety valve, rupture disks, etc.) and flame arresters would be classified as active solutions. This convention is followed throughout the equipment chapters, unless otherwise noted.

Other examples of design solutions that illustrate the classification categories are presented below.

INHERENTLY SAFER/PASSIVE

Continuous metal equipment such as a steel pipe is inherently bonded and once it is grounded permanently at any point (such as via multiple steel pilings anchoring the equipment) requires minimal maintenance of ground connections. This is an inherently safer design than one incorporating rubber boots, swivel joints or other potential breaks in electrical continuity that would require external bond connections and associated maintenance.

A vessel designed to contain the maximum pressure predicted due to any credible upset, such as an internal explosion, is inherently safer than one designed to mitigate the event via pressure relief or suppression systems, etc.

In both the above examples, the systems described are "inherently safer" via the "simplify" strategy shown in 2.5.1. However, they would be better described as "passive systems." As discussed, true "inherently safer" designs reduce the hazard by using materials or process conditions that are less hazardous. In the examples, higher levels of inherent safety might be provided by designing the process to eliminate flammable atmospheres that would require bonding or equipment reinforcement.

Passive designs may be complemented by procedural or active systems, especially where transient conditions are routinely experienced. As an example, a passive system might comprise a permanent dip pipe going to the bottom of a flammable liquid storage tank to avoid splash filling. However, until this dip pipe is covered by a substantial depth of liquid, splashing may still occur. Various standards (API RP 2003, 1991; BS 5958, 1991) provide that a slow start (limited flow velocity) be used until the pipe outlet is covered to the recommended depth. Since this normally requires operator action to control the flow, operation may not be entirely splash-free during the initial stages of filling and contains a procedural element. In principle, the procedural element could be replaced by an active system controlling flow rate by monitoring liquid depth in the tank. A completely passive system for avoiding splash filling might involve maintaining a minimum liquid level in a tank via appropriate elevation of the product outlet pipe. However, even if a tank is dedicated to one product and minimum liquid level can be maintained, the presence of a stagnant layer in the tank base may make this solution impractical for product quality reasons.

ACTIVE

An end-of-line flame arrester would be a passive design solution without the need for maintenance to achieve the desired reliability. In practice it is an "active" solution since the arrester may be subject to corrosion and plugging of the element. End-of-line flame arresters require maintenance to ensure there is no blockage which, for example, might cause an atmospheric storage tank to experience vacuum while being emptied. In-line detonation arresters should be additionally monitored for stationary flames on the arrester face (U.S. Coast Guard 1990) and are usually equipped with pressure taps to monitor increased pressure drop due to element blockage or corrosion.

Other active solutions include pressure relief valves, deflagration vents, explosion suppression systems, fast acting valves, check valves and regulators. All these devices require maintenance, operate by responding to a process variable, or both.

PROCEDURAL

Procedural reliability tends to be more dependent on human factors and consideration should be given to issues such as over-alarming, improper allocation of tasks between machine and person, inadequate support culture, etc. (CCPS 1994a).

Frequently both active and procedural design solutions are used to complement each other. For example, in a tank truck bonding procedure, an "active" ground indicating device could be installed to show the presence of a positive ground connection. In such a case, it would still be necessary to ensure that the system is not defeated by simple neglect of an alarm or even bypassing of the indicating device. A ground indicating device might additionally be interlocked with a pump to prevent operator error. For an "active" flame arrester, a complementing "procedural" system might be monitoring the pressure drop periodically and performing maintenance when a specific differential has been reached.

The design solutions presented in the tables are established and often well proven approaches for mitigating the failure scenarios. However, a potential design solution is false protection if it is not reliably engineered and maintained. Active systems in particular may need redundancy (i.e., dual sensors, separation of control and interlock functions) to provide the required level of reliability and risk reduction. True redundancy must include the absence of common mode failures by providing independence and functional diversity (e.g., independent power supplies, sensors operating on different principles). Additional discussion on redundancy for process safety systems can be found in CCPS 1989 and CCPS 1994b. The advantage of a risk based approach to design selection is that it provides the means for determining how much redundancy is enough.

The design should also take into account the need for periodic inspection and proof testing of systems. For example, pressure safety valves (PSVs) may need testing at intervals that are shorter than scheduled plant turnarounds. A good solution is the installation of dual PSVs with a three-way valve to allow testing at prescribed intervals without interfering with production.

Safety design solutions can contribute to hazards if not properly maintained. While system maintenance is not specifically addressed, the book assumes the safety equipment will be subjected to a systematic maintenance and inspection program once installed.

It should also be recognized that the failure scenarios presented focus on process related hazards rather than maintenance initiated incidents. Therefore, it is further assumed that the facility into which the equipment is placed has adequate safe work practices, which encompass hot work permits, confined space entry, ignition control, lock-out/tag-out, etc.

2.5.2 Characteristics of Design Solution Categories

An illustrative comparison of the four categories of design solutions with respect to several cost and functional attributes appears in Exhibit 2.7. While procedural solutions can be less complex, they are usually the least reliable. For active solutions, as compared to inherently safer/passive solutions, reliability is typically lower and complexity is greater. Inherently safer/passive solutions tend to have higher associated initial capital outlays; however, operating costs are usually lower than those for the other design solutions. Operating costs are likely to be the greatest for active solutions.

Exhibit 2.8 offers an example of the four types of safety system design solutions applied to the same design basis situation. The example concerns a heat exchanger with an incompatible process stream and heat transfer fluid. A design engineer might choose one of the design solutions offered or choose to utilize solutions from more than one category. Ultimately, design engineers should make decisions based on the prevailing risk tolerability and cost criteria, and their understanding of the operations and maintenance requirements for the design.


EXHIBIT 2.7 Comparison of Cost and Functional Attributes for Design Categories (typical trends)

[Bar charts of attribute value (higher/lower) by category of design solution (Inherently Safer, Passive, Active, Procedural) for four attributes: Reliability, Initial Capital, Operating Costs, Complexity.]

As in the case of the heat exchanger example in Exhibit 2.8, engineers should not consider the four types of design as mutually exclusive. Many opportunities arise for utilizing solutions from different design categories in tandem. In equipment design, this often happens inadvertently, because the design usually has to address multiple safety concerns and failure modes. The goal is to be more proactive in the consideration of multiple levels of protection.

EXHIBIT 2.8 Process Safety System Design Solutions for a Heat Exchanger Failure Scenario

Design Basis Failure Scenario: Tube to tube-sheet joint failure results in mixing of incompatible fluids, resulting in a system over-pressure and/or the formation and release of a toxic material

Design Solution Type | Description
1. Inherently Safer | A heat transfer fluid compatible with the process fluid
2. Passive | Double tube-sheet construction
3. Active | Pressure relief system with discharge to safe location
4. Procedural | Periodic manual sampling of the lower pressure fluid


Returning to the heat exchanger example in Exhibit 2.8, the overall risk of toxic vapor release might be further reduced by decreasing the inventory of hazardous material contained within associated process equipment. A combination of reduced inventory (inherently safer) and double tubesheet construction (passive) might produce the optimal risk reduction alternative.

Historically, designers have underutilized inherently safer solutions. This stems in part from an overemphasis on minimizing initial capital investment, and on time constraints which often favor active or procedural systems. But with the increased application of risk management practices has come more dependency on multiple layers of alarms (procedural) and interlocks (active) to obtain tolerable risk levels. The economic analysis in the initial design stages often fails to account for the cost of maintaining and proof-testing these systems, which can be significant for large process facilities. When comparing inherently safer design solutions to other solutions, designers should include the total life-cycle cost of each alternative before reaching a decision. For example, Noronha et al. (1982) describe the use of deflagration pressure containment design in preference to using inerting, deflagration suppression or other means of explosion prevention based on lifecycle cost and reliability considerations.

Inherently safer strategies should be considered especially for new facility designs. In general, such projects allow more flexibility in the selection of design solutions as compared to an alteration or upgrade to an existing facility. For example, tradeoffs between the level of process integration and safety design are easier to accommodate in new facilities. Also, designers have more freedom in the choice of utility services that may have an impact on inherent safety.

When altering or upgrading existing facilities, designers should not simply overlook inherently safer design solutions because they are harder to implement. The following provides a good example of an inherently safer design solution that was ultimately selected for an existing facility.

At this facility, the design problem was to avoid a significant leak in several water-cooled heat exchangers. These exchangers had material on the process-side that reacted violently with water, producing corrosive and toxic by-products. Alternative solutions considered included combinations of passive (double tubesheet or falling film exchangers), active (multiple sensor leak detection with interlocks), and procedural (a variety of nondestructive testing/inspection techniques, periodic leak testing with inert gas, improved cleaning procedures). While all of these design alternatives resulted in a lower risk level than the original design, none was totally acceptable. When management realized how much effort and commitment of resources were required to maintain a less than satisfactory risk level, they chose a design that used a compatible heat transfer fluid, an inherently safer design.


2.6 APPLYING THE RISK-BASED DESIGN BASES SELECTION TECHNIQUE

From the outset, the practical nature of this process safety system design bases technique has been emphasized. This technique applies to all design cases, from the simplest to the most complex. Again, this follows quite naturally from the fact that the technique is derived from the problem-solving approaches commonly employed by process design engineers.

To fully illustrate application of the technique, worked examples have been prepared and included in the Appendix. To reinforce understanding of this risk-based technique, however, two short examples of significantly different complexity are discussed here.

2.6.1 Locking Open a Valve (A Simple Design Case)

Locking open a valve is a commonly used procedural design solution, applied to a wide range of potential operational and safety problems. At first glance, locking open a valve may not even seem like a design decision. Such a decision seems more an act of common sense: (1) someone identifies a safety problem arising from the inadvertent closing of a valve; (2) the valve does not get used that often; so, the "obvious" solution is to (3) lock open the valve.

For process facilities operating under a strict management of change system, the situation is not so clear-cut. Locking open a valve is not merely a common sense decision; rather, at an operating facility it is a design change. It is a procedural design solution that requires a documented design basis and a subsequent safety review.

Similarly, locking open a valve in the original design must represent a design decision. However simple it may seem, the selection of this procedural process safety system must have a documented design basis.

An incident at an oil and gas production facility involving a locked-open valve illustrates how safety system design logic typically follows the risk-based design basis technique outlined in this chapter. In addition, it emphasizes the importance of completely following the technique, including the final step of documenting the process safety system design bases.

This incident involved an uncontrolled release of natural gas into a confined process area. An analysis reveals that designers followed the first eight steps of the process safety system design basis selection technique. When it came time to execute the ninth step, however, the designers failed to document the design basis for the locked-open valve.


Background Information

The oil and gas production facility handled a stream referred to as "mixed fluids"—crude oil, natural gas, and water. Throughout the process, the facility had its pressure safety valves (PSVs) vented to a flare system. The facility's design configuration included (1) a locked-open block valve downstream of the PSV to allow isolation from the flare header during periodic inspection and testing of the PSV, and (2) a piping specification break at the PSV discharge flange. A simple diagram of the relief valve configuration is shown in Exhibit 2.9.

The designers foresaw high risk from failure scenarios which required a process safety system and consequently, the designers provided a risk reduction solution. The designers employed the risk-based design technique, as described in Exhibit 2.10.

Nevertheless, this facility experienced the failure scenario and related consequences foreseen by the designers. Many factors contributed to the incident, including failure to clearly document the process safety system design bases (step 9).

Incident Description

In a process upset situation that developed over a number of hours, a PSV started to "chatter," alternately lifting and reseating. Operations personnel misdiagnosed the situation, thinking that the chattering involved a malfunction of the PSV rather than an upstream pressure excursion.

EXHIBIT 2.9 Schematic of Pressure Safety Valve (PSV) Detail

[Schematic labels: Mixed Fluids from 1st Stage Separator; High Pressure Equipment; Mixed Fluids to 2nd Stage Separator; PSV; Specification Break; Low Pressure Equipment; Block Valve (Locked Open); To Flare System. Marker: "Line rupture occurred here (see text for description of incident)."]


EXHIBIT 2.10 Selecting the Design Basis for a "Locked Open" Valve (an example, based on Exhibit 2.9, of a failure during design basis selection)

Step in Design Basis Selection Technique | Result from Executing Step
1. Identify Failure Scenario | Closing of block valve during system operation
2. Estimate the Consequences | a. Overpressure of system upstream of PSV; or b. Overpressure of PSV body and outlet piping upstream of the block valve and downstream of the PSV. Both a. and b. potentially result in an uncontrolled release of natural gas.
3. Determine Tolerability of Consequences | Intolerable (based on judgment)
4. Estimate the Frequency and the Risk | High likelihood of human error (based on judgment)
5. Determine Tolerability of Risk | Intolerable (based on judgment)
6. Consider Enhanced and/or Alternative Designs | Locked open (LO) the block valve
7. Evaluate Enhancement and/or Alternatives | No new operational deviations identified from LO valve; frequency, and thus risk, of inadvertent closing estimated as low (based on judgment)
8. Determine Tolerability of Risk | Tolerable (based on judgment)
9. Document Results | Design bases not documented; P&ID merely marked as "LO" for locked open

Note: Failure to properly document design basis (Step 9) is the point of failure.

Concerned about uncontrolled venting to the flare system in the event of a PSV failure, operations personnel considered unlocking and closing the block valve. Both the operators and responsible supervisor intuitively thought the locked-open block valve (clearly marked as "LO" on the piping and instrumentation diagram) served solely to ensure an unobstructed PSV relief path.

Facility operations personnel were unaware of the specification break in the piping and were unaware that an additional design basis of the locked-open valve was to ensure that the low pressure specification piping downstream of the PSV did not ever "see" the high system pressure (see step 2 results in Exhibit 2.10). When operations closed the block valve to stop the chattering, the low pressure line downstream of the PSV and upstream of the block valve failed from the over-pressure, resulting in an uncontrolled release of natural gas (see point of release depicted in Exhibit 2.9). As a result of the first failure, adjacent natural gas lines were damaged.

Fortunately, operations managed to isolate and shut down the system, and the flammable natural gas cloud dissipated without ignition. Consequences were limited to equipment damage and production downtime.

A Lesson Learned

As alluded to in the background information, many factors contributed to the incident. Factors relating to operations staffing as well as recent maintenance work aggravated the situation. Since the design basis was not documented or communicated to the operations staff or plant supervision, other important elements of process safety management (PSM), such as training programs and administrative procedures to regulate valve locking/unlocking, could not be successfully implemented. However, the focus is on the absence of design basis documentation for the locked-open valve, as it was a primary contributor to the incident.

Among the most compelling features of this incident is the universal nature of the design solution: a locked-open valve. How many locked-open valves are in use in process plants and how many have a well understood and documented design basis?

Engineers can easily overlook the importance of clearly documenting design bases. Documenting and communicating design bases can prove critical for operations personnel and those who may alter the design at some time after startup. Unfortunately, this last step in the technique can appear merely bureaucratic, and it sometimes takes an incident to fully appreciate the importance of documenting and communicating process safety system design bases.

2.6.2 Selecting the Relief System Basis for a Reactor (A Complex Design Case)

This example has its origins in a past engineering design problem where engineers faced the task of upgrading a series of existing emergency relief systems. The problem involved selecting the emergency relief system (ERS) sizing basis for a reactor vessel that processed a potentially reactive chemical system (Bellomo and Stickles 1995). The hazardous chemical was a liquid aliphatic acid chloride (AC). The intended liquid-phase chemical reaction can be summarized as:

Page 27: TECHNIQUE FOR SELECTING THE DESIGN BASES FOR PROCESS …ftp.feq.ufu.br/Luis_Claudio/Segurança/Safety/GUIDELINES... · 2008-11-20 · 2 TECHNIQUE FOR SELECTING THE DESIGN BASES FOR

Intended Reaction: R-C(=O)-Cl + Reactant X --(Solvent)--> Product Y

In this instance, the risk-based design bases selection technique was deliberately applied to the problem, as described below.

Step 1: Engineers used a What-If technique to identify the failure scenarios that might control the ERS design basis. Included in this effort was the development of a reactivity/compatibility matrix to assess all possible reactive design bases for the chemistry at hand. A possible unintended reaction, whereby AC reacts vigorously and exothermically with water to produce hydrogen chloride (HCl) gas, coupled with the presence of water at facilities undergoing ERS upgrades, strongly influenced the direction of the engineers' problem-solving efforts.

Possible Unintended Reaction: R-C(=O)-Cl + H2O --> R-C(=O)-OH + HCl (v) + Heat

In addition, the engineers had to address the typical ERS case of a fire beneath the reactor vessel. As a result, the engineers ultimately focused their evaluation on three separate scenarios. Brief descriptions of these three scenarios appear below.

• Immediate Unintended Reaction (process-induced case of water contamination). Several plausible scenarios were identified (e.g., a residual water heel from a reactor vessel clean-out) whereby water would come into contact with unreacted AC, resulting immediately in the unintended side reaction which generated HCl gas.

• Delayed Unintended Reaction (process-induced case of layering and water contamination). In the absence of strong solvents and mixing, AC and water will form two liquid layers. In such scenarios, the AC-water reaction initially takes place at the interface of the two layers and is diffusion limited. As the interface heats up from the reaction, a critical temperature is reached where the vapor pressure of the interface material is greater than the system pressure plus the liquid head of the top layer. This results in rapid turnover of the liquid and mixing, causing rapid HCl vapor generation.

• External Fire. The third case involved a reactor full of AC and exposed to external fire. Since neither the AC, the solvent, nor the product was self-reactive, and all-vapor venting occurs, conventional ERS sizing applied.


Step 2: In order to properly characterize the delayed unintended reaction, several experiments were conducted in small-scale and large-scale reactors. Because the actual chemistry takes place in the presence of a strong solvent, small-scale experiments were also carried out to investigate the behavior in the presence of solvents. With a solvent present, layering was not observed, and the reaction with water was essentially instantaneous.

Another factor that needed to be considered in the characterization of this system was the solubility of HCl in water and in AC. An enthalpy-concentration diagram for HCl-water solutions was generated using equations of state and published binary interaction parameters. As a result of the large difference between the solubility of HCl in water and the solubility of HCl in AC, it was determined that the vessel pressure-temperature behavior was much worse (i.e., a higher peak pressure) if water was added to a batch of AC as opposed to AC added to a batch of water (Melhem et al. 1995).

Using detailed mathematical models, engineers analyzed the consequences of the study scenarios on reactor vessel temperature-pressure history and venting flow. An evaluation of the model simulation results indicated that protecting the vessel from the delayed reaction required an impracticable vent size.

Step 3: Inadequately mitigated pressure rise caused by any of the three scenarios could have ruptured the reactor vessel. Such consequences were considered intolerable. Therefore, an assessment of the risk was necessary.

Step 4: An evaluation of the specific pathways and likelihood for mixing AC and water was performed using fault tree analysis. A fault tree for an extended external fire was also developed. A risk analyst, working in conjunction with design and process engineers, assigned frequencies to the basic events in the fault tree. This exercise provided a quantification of the risk.

Step 5: The designers had adopted "working" tolerability guidelines for selecting ERS design bases. These working guidelines specified that the ERS design had to accommodate the relief requirements of any scenario estimated at a frequency greater than or equal to 1 × 10^-4/year. In contrast, designers would tolerate scenarios estimated at less than 1 × 10^-4/year. That is to say, designers would proceed with an ERS design that would not necessarily accommodate the relief requirements of scenarios estimated at frequencies less than 1 × 10^-4/year. Comparison of the consequences and likelihood of the scenarios with the tolerability guidelines revealed that the risk was intolerable for the two process-induced scenarios involving the unintended reaction with water.

Incidentally, the threshold frequency used by the designers, 1 × 10^-4/year, related strongly to a worst-case consequence estimation. This worst-case consequence estimation considered the system energy and hazardous materials as well as the geographic distribution and total number of possible receptors.

Step 6: At this point, it is instructive to review the situation faced by the engineers tackling specification of the ERS design. The external fire was the lowest consequence scenario (step 2, consequence estimation) and did not control vent size. Accordingly, the external fire scenario was dropped from further consideration and the rationale for doing so was documented.

The delayed unintended reaction scenario represented the worst case: it required the largest ERS. As indicated in step 2, however, the designers considered such vent sizing requirements impracticable for the existing facility. Nonetheless, the estimated frequency for this scenario exceeded the threshold tolerability frequency (i.e., 1 × 10^-4/year).

The immediate unintended reaction scenario represented the second highest consequence case. Like the delayed reaction scenario, the estimated frequency for this scenario exceeded the threshold tolerability frequency.

Since no inherently safer design approaches were readily available, engineers turned their attention to passive, active, and procedural design enhancements that would reduce the estimated frequencies of the immediate and delayed unintended reaction scenarios. A number of solutions were identified to reduce the likelihood of contact between water and AC, such as incompatible water/steam hose connectors (passive), interlocks (active), and a water use permit (procedural).

Step 7: Fault trees developed in step 4 were updated and requantified to reflect the proposed risk mitigation. Through the application of design enhancements, the estimated frequency for both immediate and delayed unintended reactions decreased. The focus of the design enhancements was on engineering and procedural controls that would reduce the likelihood of getting water and AC into the reactor vessel in such a way that they would layer. Since the proposed modifications were not considered high-cost items, a detailed quantitative cost estimate was not prepared.

Step 8: With the addition of the design enhancements, the delayed unintended reaction satisfied the threshold frequency (i.e., less than 1 × 10^-4/year). Since the estimate for the immediate unintended scenario remained above the threshold frequency, the decision was made to select this scenario as the design basis for ERS sizing.

Step 9: The documentation covered the experimental work, risk evaluation results, vent sizing calculations, and qualitative cost estimates. This documentation became part of the facility's permanent design information file.
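Steps 4 through 8 amount to a decision rule that can be written down and rerun whenever the safeguards change. The Python below is an added example, not code from the CCPS text or from Bellomo and Stickles: its fault-tree shape, basic-event frequencies and safeguard failure probabilities are constructed values, while the tolerability threshold and the selection rule are the ones the case describes.

```python
"""Risk-based ERS design-basis selection, following steps 4-8 of the case above.
Added illustration, not code from the CCPS text or the cited paper: fault-tree
shape, event frequencies and safeguard failure probabilities are constructed;
the decision rule and the 1 x 10^-4/year threshold are the ones the case states."""
from dataclasses import dataclass

THRESHOLD = 1e-4  # tolerability threshold, events per year

def or_gate(*frequencies):
    """OR of independent rare events: frequencies add (rare-event approximation)."""
    return sum(frequencies)

def and_gate(frequency, *failure_probs):
    """Initiating-event frequency AND each safeguard failing on demand."""
    for p in failure_probs:
        frequency *= p
    return frequency

@dataclass
class Scenario:
    name: str
    consequence_rank: int   # 1 = worst, from the consequence estimation (step 2)
    vent_practicable: bool  # can the required vent size actually be built?
    frequency: float        # estimated events per year, from the fault tree

NO_SAFEGUARDS = dict.fromkeys(  # value: probability the safeguard fails on demand
    ["hose_connectors", "clean_out_interlock", "water_permit", "solvent_interlock"], 1.0)
ENHANCED = {"hose_connectors": 1e-2,      # passive: incompatible water/steam connectors
            "clean_out_interlock": 1e-1,  # active: blocks AC charge to a wet vessel
            "water_permit": 5e-2,         # procedural: water use permit
            "solvent_interlock": 1e-3}    # active: no AC charge before solvent is in

def water_contact_frequency(safeguards):
    """Constructed fault tree: water reaches unreacted AC by any of three paths."""
    return or_gate(and_gate(0.5, safeguards["hose_connectors"]),      # utility hose-up
                   and_gate(0.2, safeguards["clean_out_interlock"]),  # residual water heel
                   and_gate(0.3, safeguards["water_permit"]))         # water use nearby

def build_scenarios(safeguards):
    """The three step 1 scenarios, quantified for a given set of safeguards."""
    f_contact = water_contact_frequency(safeguards)
    # Layering needs water contact AND no solvent/mixing; 0.2 is a constructed fraction.
    f_layered = and_gate(f_contact, 0.2, safeguards["solvent_interlock"])
    return [Scenario("delayed unintended reaction", 1, False, f_layered),
            Scenario("immediate unintended reaction", 2, True, f_contact),
            Scenario("external fire", 3, True, 5e-4)]

def select_design_basis(scenarios, threshold=THRESHOLD):
    """Scenarios at or above the threshold must be accommodated; the worst sizes the
    ERS unless its vent is impracticable, in which case the frequency must drop first."""
    must_handle = sorted((s for s in scenarios if s.frequency >= threshold),
                         key=lambda s: s.consequence_rank)
    if not must_handle:
        return "no controlling scenario", None
    worst = must_handle[0]
    return ("design basis" if worst.vent_practicable else "reduce frequency"), worst
```

With no safeguards the layered (delayed) scenario controls and its vent is impracticable, so the rule demands frequency reduction; with the enhancements it drops below the threshold and the immediate reaction becomes the sizing basis, reproducing the outcome of step 8.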


2.7 REFERENCES

Advisory Committee on Major Hazards. 1976. First Report. London: Her Majesty's Stationery Office.

API RP 2003 1991. Protection Against Ignitions Arising Out of Static, Lightning, and Stray Currents. Washington, DC: American Petroleum Institute.

Bellomo, P.J., and R.P. Stickles. 1995. Select Design Bases for Emergency Relief and Other Process Safety Systems Based on Risk. Paper presented at International Symposium on Runaway Reaction and Relief Design, August 1995, Boston, Massachusetts.

Bendixen, L.M. 1988. Risk Acceptability in the Chemical Process Industry: Working Toward Sound Risk Management. Spectrum: Arthur D. Little Decision Resources.

British Standards Institute BS-5958. Code of Practice for Control of Undesirable Static Electricity: Part 1, General Considerations, and Part 2, Recommendations for Particular Industrial Situations. London: British Standards Institute.

Chicken, J. 1986. Risk Assessment for Hazardous Installations. Commission of the European Communities, Oxford: Pergamon Press.

Conway, A., ed. 1981. Engineering Hazards: Assessment, Frequency, and Control. London: Oyez Publishing Ltd.

CCPS 1989. Guidelines for Chemical Process Quantitative Risk Analysis. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1992a. Guidelines for Investigating Chemical Process Incidents. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1992b. Guidelines for Hazard Evaluation Procedures. Second Edition with Worked Examples. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1994a. Guidelines for Preventing Human Error in Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1994b. Guidelines for Safe Automation of Chemical Processes. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1995a. Tools for Making Acute Risk Decisions. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1995b. Guidelines for Chemical Risk Transportation. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1995c. Guidelines for Process Safety Documentation. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1996. Bollinger, R. E., Clark, D. G., Dowell, A. M., Ewbank, R. M., Hendershot, D. C., Lutz, W. K., Meszaros, S. L., Park, D. E., and Wixom, E. D. Inherently Safer Chemical Processes: A Life Cycle Approach. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

EPA 1996. Risk Prevention Program for Chemical Accident Prevention, Environmental Protection Agency. 40 CFR, Part 68.

Gibson, S.B. 1976. Risk Criteria in Hazard Analysis. Chemical Engineering Progress 72(2), 59.

Health and Safety Executive 1989. Risk Criteria for Land Use Planning in the Vicinity of Major Industrial Hazards. London: HMSO.

Health and Safety Commission 1991. Major Hazard Aspects of the Transport of Dangerous Substances. London: HMSO.

IChemE and IPSG 1995. Inherently Safer Process Design. Rugby, England: Institution of Chemical Engineers.


Kletz, T.A. 1984. Cheaper, Safer Plants or Wealth and Safety at Work. Rugby, Warwickshire, UK: Institution of Chemical Engineers.

Kletz, T. A. 1991. Plant Design for Safety. New York: Hemisphere.

Melhem, G. A. et al. 1995. An Advanced Method for the Estimation of Reaction Kinetics, Scaleup, and Pressure Relief Design. Process Safety Progress 14(1), 15-36.

Noronha, J., Merry, J., Reid, W., and Schiffhauser, E. 1982. Deflagration Pressure Containment for Vessel Safety Design. Plant/Operations Progress 1(1), 1-6.

NFPA 69, Explosion Prevention Systems, Chapter 5 on Deflagration Pressure Containment, 1982.

OSHA 1992. Process Safety Management of Highly Hazardous Chemicals. 29 CFR 1910.119. Washington, DC: Occupational Safety and Health Administration.

Royal Society 1983. Risk Assessment: Report of a Royal Society Study Group. London: Royal Society.

Stevens, G., and R.P. Stickles 1992. Prioritization of Safety Related Plant Modifications Using Cost-Risk Analysis. Paper presented at International Conference on Hazard Identification and Risk Analysis, January 1992, Orlando, Florida.

Tompkins, B., and Riffee, D. 1983. Careful Safety Evaluation Identifies Fire Hazards on Offshore Facilities. Oil & Gas Journal (October 3): 98-101.

US Coast Guard 1990. A Guideline for Detonation Flame Arresters. 33 CFR Part 154, Appendix A. United States Coast Guard: US Department of Transportation.

Windhorst, J. C. A. 1995. Application of Inherently Safe Design Concepts, Fitness for Use and Risk Driven Design Process Safety Standards to an LPG Project. Loss Prevention and Safety Promotion in the Process Industries, Volume II, ed. J.J. Mewis, H.J. Pasman and E.E. De Rademaeker. Elsevier Science B.V.

Suggested Additional Reading

Arendt, J. S., Lorenzo, D. K. and Lusby, A. F. 1989. Evaluating Process Safety in the Chemical Industry: A Manager's Guide to Quantitative Risk Assessment. Washington, DC: Chemical Manufacturers Association.

Covello, V. T., Sandman, P. M. and Slovic, P. 1988. Risk Communication, Risk Statistics and Risk Comparisons: A Manual for Plant Managers. Washington, DC: Chemical Manufacturers Association.

DIERS 1994. Risk Considerations for Runaway Reactions. Design Institute for Emergency Relief Systems, New York: American Institute of Chemical Engineers.

Greenberg, H. R. and Cramer, J. J., eds. 1991. Risk Assessment and Risk Management for the Chemical Process Industry. New York: Van Nostrand Reinhold.

Hendershot, D. C. 1996. Risk Guidelines As a Risk Management Tool. Process Safety Progress 15(4), 213-218.

Kathren, R.L., Selby, J. M. and Vallario, E. J. 1980. A Guide to Reducing Radiation Exposure to as Low as Reasonably Achievable (ALARA). WCRP 108.0656, US Department of Energy, April.

Lewis, H. W. 1990. Technological Risk. New York: W. W. Norton and Co.

NFPA 30 1993. Flammable and Combustible Liquids Code. Quincy, MA: National Fire Protection Association.

NUREG/CR-2300. 1982. A Guide to the Performance of Probabilistic Risk Assessment for Nuclear Power Plants. US NRC.


Noronha, J., and Torres, A. 1990. Runaway Risk Approach Addressing Many Issues: Matching the Potential Consequences with Risk Reduction Methods. Proceedings of the 24th Loss Prevention Symposium, AIChE National Meeting, San Diego, CA.

Philley, Jack O. 1992. Acceptable Risk: An Overview. Halliburton NUS Environmental Corporation, Houston, TX, October.

Sawery et al. 1991. Risk Assessment and Risk Management for the Chemical Process Industry. New York: Van Nostrand Reinhold.

The Institution of Engineers, Australia 1993. Dealing With Risk. Canberra, Australia.

Wang, O. S., and Field, J. G. 1992. Risk Management of Onsite Transportation of Hazardous Materials. Westinghouse Hanford Company, Richland, Washington.

Wells, G. 1996. Hazard Identification and Risk Assessment. Institution of Chemical Engineers, Rugby, Warwickshire, UK.

