
ICHEME SYMPOSIUM SERIES NO. 144

THIRTY YEARS OF QUANTIFYING HAZARDS

J T Illidge, M L Preston, A G King*†
ICI Technology, PO Box 8, The Heath, Runcorn, Cheshire, WA7 4QD
* ICI Technology, PO Box 90, Wilton, Middlesbrough, Cleveland TS90 8JE
† Author to whom correspondence should be addressed

© 1998 Copyright Imperial Chemical Industries PLC

This paper reviews the development of hazard quantification tools, techniques and methodologies in ICI since the 1960's. From early application to Instrumented Protective Systems and toxic gas releases, the techniques have evolved to cover a wide range including safer process design, environmental spills and full Quantitative Risk Assessment (QRA).

Experience from a number of applications is briefly described and difficult areas discussed. Finally issues and needs for training for effective hazard assessment are outlined.

Keywords: Hazard assessment, Hazard analysis, HAZAN

INTRODUCTION

A Hazard has been defined (Ref. 1) as 'a physical situation with a potential for human injury, damage to property, damage to the environment or some combination of these'. As so defined, hazards in the process industry can be associated with physical, chemical or biological effects in the storage, transport or use of chemicals and in the operation of other assets. As long as the hazard remains only a potential to cause harm there is no problem. If, however, the potential is realised, an event causing actual harm occurs and this has been defined as a hazardous event.

Where hazardous events can occur, their likelihood and consequences may be quantified.

Hazard Assessment, Hazard Analysis or HAZAN, is a process for identifying undesired events that lead to the materialisation of a hazard, the analysis of the mechanisms by which these undesirable events could occur and usually the estimation of the extent, magnitude and likelihood of any harmful effects. The relationship of HAZAN to HAZOP is described by Trevor Kletz (3) and the development of ICI's HAZOP process over the same period as this paper is detailed in Ref 4.

WHAT IS HAZARD ASSESSMENT USED FOR?

There is little point in quantifying hazards if there is no objective to be met. In many cases, criteria need to be set to allow the acceptability of assessed risks to be judged. In other cases there may be alternative designs or ways of carrying out some operation and a quantification of the hazards may allow the 'safer' alternative to be identified. Hazard assessment may also be used to assess the cost-effectiveness of a proposal. So, within ICI, hazard assessment has been accepted primarily as a decision-making aid rather than as a means of 'proving' that a process is 'safe'. Used in this way, the benefits have been in improved safety of our operations.

HISTORY OF HAZARD ASSESSMENT IN ICI

Within ICI, the first experience of quantifying hazards was in 1966. A serious explosion occurred, which killed two employees, and this was caused by failure of an automatic instrumented protective system (trip system). Advice was sought from the United Kingdom Atomic Energy Authority, and they were able to provide the methodology to re-design the trip system to meet a very high standard of reliability (high integrity). No effort was made to assess either the frequency of demands (events requiring the trip system to operate to prevent hazardous events) or the tolerable frequency of explosions. Procedures and Guidance were developed within ICI for the design and operation of Instrumented Protective Systems to meet a range of reliability targets - the sophisticated and very expensive design of a high integrity system would clearly be inappropriate for a minor hazard.

In 1970, an incident occurred which released chlorine to atmosphere and affected people outside the Works. In response, a major study, using hazard assessment techniques, was started. This study looked at all the operations on the Works and quantified the risks to the public and where these were unacceptably high, appropriate improvements to reduce the likelihood or consequences were identified. The initial stage of the study involved setting quantitative criteria to be met for different potential effects on members of the public outside the Works. The study covered 26 plants and took some nine man-years of effort to complete. Quite a commitment for the first full hazard assessment in ICI.

From 1970 onwards, quantification of hazards on projects to meet appropriate ICI criteria became an established approach to ensuring that process designs were safe enough. The hazard assessment allowed the selection of an appropriate reliability of protective systems, but was also used to assess the acceptability of many diverse aspects of design, including the acceptability of standard pipe joints, bellows, etc., the provision of spare equipment, optimising power supply arrangements, etc. Techniques were developed for assessing flammable hazards and development of improved methods for modelling the effects of gaseous emissions continued (and still continues).

In 1988, the techniques used to assess toxic gas emissions were extended into the assessment of the hazards of spills to the aqueous environment and a number of these studies have been carried out.

A developing technology

When the first significant hazard assessments were being started in the early 1970s, hazard scenarios were developed in words only. This could result in difficulties of understanding with more complicated scenarios and made communications difficult. As experience was gained, the presentation was changed to the graphical form as fault trees, using logic symbols to represent 'AND' and 'OR' logic gates. These fault trees were initially drawn by hand and from the earliest stages it was felt in ICI that fault trees using the international standard symbols for 'AND' and 'OR' gates were difficult to draw, inflexible and not easily understood by those designing and operating processes. It was decided that the use of simple shapes - a rectangle for an 'OR' gate and a triangle for an 'AND' gate - was much simpler to produce and understand. Furthermore, the Western world reads from left to right, so it was decided that fault trees should also read from left to right. The decision to use a non-standard notation has been shown in practice to be very well received by the most important people - those managing and operating the processes.

[Figure 1: fault tree diagrams with the events 'A failed', 'B failed' and 'C failed' and 'OR' gates, shown redrawn as a minimum cut-set presentation]

As time went by, computer programs were developed to allow the drawing of logic diagrams to be carried out. At an early stage, these graphics packages simply drew out what the hazard analyst would previously have drawn, and carried out no automatic layout or calculations. Later programs allowed the automatic calculation of the fault tree and also laid out the fault tree automatically to fill the available paper area.

Within ICI we have felt that it was vital that the end user - those managing and operating the processes - should understand both the logic and the calculations in the fault tree and we have therefore avoided the use of sophisticated 'black box' minimum cut-set calculating programs, which require the user to trust what cannot be seen. We have developed the approach to hazard assessment to develop the fault tree directly as a minimum cut-set representation - see Figure 1.

Experience over the years is that for hazard assessment, data shortage has been a serious problem only in particular areas. Hazard assessment generally involves assessing the frequency of events with a significant probability of happening in the life of a plant. It entails synthesizing the frequency from data on likely equipment failures, such as pump, compressor and instrumentation failures. Since these are usually relatively common events and there is a large population of similar systems, there is usually good quality data for such events and the hazard assessment of such scenarios is therefore quite accurate, particularly where the final event of concern can arise from several different scenarios. However, there are areas where hazard assessment is particularly difficult. These include:

• Assessment of ignition probability. Even where there is no obvious source of ignition, there remains some probability that flammable mixtures will be ignited by electrical static or some unforeseen event. Estimating the likelihood of ignition in these situations is essentially an experienced guessing game. The value used is particularly problematical where low values of ignition probability have to be predicted. In many cases the ignition probability is a multiplier for all the scenarios in the analysis and so can be very critical.

• Assessment of human error likelihood. Two areas are relevant here - the assessment of how often someone makes a mistake and the prediction of the likelihood of failing to respond correctly to an alarm or other stimulus, particularly in situations which may cause high stress. It is not easy to predict the probability of such events, particularly where the operator may on occasions be subject to many demands at the same time.

• Dependent failures. Dependent failures cause problems particularly where duplication of identical equipment is used to improve reliability. However, even where diversity is used (using different means of achieving the same function) there still remains the potential for dependent failures. Assessing the likelihood of such failures is difficult to do with confidence. Even more difficulties exist in the area of dependency between demands and protective system failures, which is an area where soundly-based methods based on real data seem to be virtually nonexistent.

Following prediction of the frequency by hazard assessment, consequence assessment may be very simple - for example, it will be either a big incident or a minor incident - through more graduated consequences to a full-blown Quantified Risk Assessment (QRA).

CRITERIA FOR HAZARD ASSESSMENT

The first criteria developed within ICI dealt with two areas. The first was the need to ensure that we were good neighbours to those living round our chemical plants as far as the accidental emissions of toxic gases were concerned. Criteria were set according to the severity of potential effect outside the Works (Ref. 2). The second area was in the establishment of criteria for potential fatalities among ICI employees from accidents relating to the process operations. Based on historical data, criteria were set to ensure that as time went by, the risk at work would be no greater than from accidents at home.

Following on from the major incident at Flixborough, further criteria were needed to deal with incidents with the potential for causing multiple fatalities. With the development of QRA methodology, criteria have been required for risk of fatality to a member of the public and for multiple fatalities. Criteria have also been developed for use in assessment of accidental spills to the environment.

In the use of all these criteria, the purpose of hazard quantification has been to ensure that effective and cost-effective decisions about process improvements are made.


WHAT'S IN A NAME?

There has been confusion between the terms Hazard Assessment, Hazard Analysis or Hazan and Quantified Risk Assessment (QRA).

Although QRA can in theory be an assessment of any type of risk, it has come by popular usage in the process safety area to refer to the assessment of risk of fatality from an accident and, in particular, affecting members of the public as far as land-based installations are concerned. Such risks are usually only significant for major loss of containment accidents and these are predominantly caused by 'generic' major failures of pipes and vessels, which are rare events. Since these generic failures are rare events, there is very little data on such failures, and usually any data applies to different designs or situations or operating conditions from that which is being assessed. The assessment of the risk in QRA uses very sophisticated consequence models to predict the likelihood of fatality to an individual or the frequency of killing a number of people. The overall accuracy of a QRA is severely limited by the reliability of the data and the consequence assessment.

EXPERIENCE WITH HAZARD ASSESSMENT

Hazard assessment in the process industry has been used in a wide range of applications. Some examples of these are:

• Assessment of the risks of accidental toxic gas emissions affecting people, to help make decisions about the need for improvements and the effectiveness and cost-effectiveness of modifications

• Assessment of the risks of accidental spills to the environment and the benefits of different improvements

• Assessment of the risks of explosions within the process affecting the safety of people and determining suitable improvements

• Assessment of risks from chronic toxic releases (long-term health risks) and deciding appropriate control measures

• Assessment of the risks from fires, causing serious damage to plant, buildings or equipment and resulting in major business interruption

• Assessment of the risks of major plant down-time affecting business

• Assessment of the suitability of a plant location

• Assessment of transport risks and selection of optimal transport routing

• Assessment of the most effective plant configuration

• Balancing the risk and benefit of a proposed modification

• Assessment of the required capacity of vent and flare systems handling multiple streams

• Identification of the failure modes of equipment to help improve the design, operation or maintenance strategies

Some areas of quantification have consistently proven difficult for the non-expert hazard analyst. A particular area of difficulty has been the calculation of Fatal Accident Rate (FAR). This is a measure of individual risk of death, dimensioned as deaths per 100 million hours exposed to a hazard. It is essentially a simple concept, but as experience within ICI and in the published literature has shown over the years, it is a calculation very prone to error. A more serious error has been where a dominant cause of hazard has been missed, or when a failure has been analysed as being independent of a protective system, when in fact it is functionally dependent on parts of the protective system. The latter type of error can and has caused errors of a factor of 1000 in the overall assessment.
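The dependency error described above, and the way a minimum cut-set presentation makes it visible, shown as an added example that is not taken from the paper. The tree layout, event names, demand rates and failure probabilities are all constructed for illustration, including the assumption that the control loop and the trip system share one level transmitter.

```python
"""Minimal cut sets of a small fault tree, and the cost of a missed dependency."""
from itertools import product


def cut_sets(node):
    """Return the minimal cut sets of a tree as a set of frozensets.

    A node is a basic-event name, or a tuple ("AND" | "OR", child, child, ...).
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    elif gate == "AND":
        # Take one cut set from each input; merging as sets means an event
        # that appears on both sides is counted once (S AND S = S).
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Absorption: a cut set that contains a smaller cut set is not minimal.
    return {c for c in combined if not any(other < c for other in combined)}


def top_frequency(tree, rates, probs):
    """Sum cut-set frequencies (per year), rare-event approximation.

    Each cut set must hold exactly one initiating event (a rate per year);
    every other event in it is a probability of being failed on demand.
    """
    total = 0.0
    for cs in cut_sets(tree):
        initiators = [e for e in cs if e in rates]
        if len(initiators) != 1:
            raise ValueError(f"{sorted(cs)}: need exactly one initiating event")
        freq = rates[initiators[0]]
        for event in cs - {initiators[0]}:
            freq *= probs[event]
        total += freq
    return total


# Constructed data: demand rates per year and probabilities of failure on demand.
RATES = {"level_control_fails": 0.1, "transmitter_fails": 0.1, "feed_surge": 0.01}
PROBS = {"trip_sensor_fails": 5e-4, "valve_sticks": 5e-4}

# As analysed: the demand and the trip system are treated as independent.
AS_ANALYSED = ("AND",
               ("OR", "level_control_fails", "feed_surge"),
               ("OR", "trip_sensor_fails", "valve_sticks"))

# As built (assumed): control loop and trip share one level transmitter, so
# the same basic event sits in both the demand branch and the trip branch.
AS_BUILT = ("AND",
            ("OR", "transmitter_fails", "feed_surge"),
            ("OR", "transmitter_fails", "valve_sticks"))


def compare():
    """Return (frequency as analysed, frequency as built, error factor)."""
    analysed = top_frequency(AS_ANALYSED, RATES, PROBS)
    built = top_frequency(AS_BUILT, RATES, PROBS)
    return analysed, built, built / analysed


if __name__ == "__main__":
    for cs in sorted(cut_sets(AS_BUILT), key=sorted):
        print("minimal cut set:", sorted(cs))
    analysed, built, factor = compare()
    print(f"as analysed: {analysed:.2e}/yr  as built: {built:.2e}/yr  x{factor:.0f}")
```

In the as-built tree the shared transmitter appears as a single-event cut set, which is the signature of a demand that defeats its own protection.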

TRAINING FOR EFFECTIVE HAZARD ASSESSMENT

It is very difficult for a non-expert to check a hazard assessment carried out by someone else. It is therefore likely that errors in hazard assessments will not be detected by checking. Errors may well not be detected in operating experience, particularly where hazard assessment is being carried out on relatively rare events. If an assessment is made that the frequency is 1 in 100,000 years, even an error of under-estimating by a factor of 1,000 in the analysis would still only make the event frequency 1 in 100 years and so it is unlikely that the event will occur in the life of the plant. As mentioned above, errors of this size have occasionally been found. In most cases large errors are caused by a mistake in the logic. To ensure that trustworthy hazard assessment is carried out, there need to be:

• Effective training. This needs to deal with many potential pitfalls in the essentially simple methodology.

• Effective early practice and mentoring. It is vital that those who have been trained in hazard assessment start practising the techniques on significant hazard analyses very shortly after training. An experienced hazard analyst should ensure that early hazard assessments are monitored and that the learning has been absorbed effectively and help to build up the competence of the novice hazard analyst by mentoring.

• Refresher training or team working. Working as part of a team with experienced hazard analysts is an ideal way of ensuring an increasing level of competence. However, for those who only spend a very small proportion of their time carrying out hazard assessment or who may not have carried out an assessment for many months, refresher training may be the best way to restore competence.

• HELP. A problem facing the newly-trained hazard analyst, and also the more experienced hazard analyst facing a problem beyond his/her experience, is where to find help. Expertise in hazard assessment is relatively thinly spread and many of the people with expert knowledge are specialists in a particular limited area, such as QRA or protective systems or the mathematics of hazard assessment. The number of people with extensive experience of applying hazard assessment in the process industry and who are acknowledged as 'expert' hazard analysts is small. Within ICI there is a new initiative to use the experts' experience to raise the level of expertise in hazard analysis throughout the company.

TOOLS TO HELP WITH HAZARD ASSESSMENT

It is common experience that in the development of fault trees many different trees are drawn out before the final logic is agreed. A computer program to allow the development of the logic and its neat presentation for inclusion in reports is virtually essential. Within ICI, the original graphics based packages were replaced in the 1980s by a user-friendly DOS based package able to draw fault trees in the ICI preferred format on standard printers. The program featured routines to ensure that the fault trees were logically valid and to lay out the print-out automatically. This original program has recently been pensioned off and a full Windows 95 based 'LOGIDRAW' has replaced it. This is a much more powerful package with a graphical interface and it allows printing on any standard Windows printer and offers flexibility to develop many enhanced features.

A further development has been aimed at helping to streamline the assessment of environmental spills. A program RASP (Rapid Assessment of Spill Potential) was originally developed for assessing the risk of liquid spills from stock tank installations. A generic hazard assessment is built into the program. The user can select various different configurations and see the effect on the risks to the aqueous environment. Where the risk is unacceptably high, different improvements can be tried very quickly to see what will be most effective and cost-effective. RASP is being developed to allow hazard analysis of further installations.

From the earliest assessments in 1970, gas dispersion calculations have been essential, particularly for assessing the consequences of toxic gas emissions. ICI has continued development of a gas dispersion program to allow the calculations of concentration to be combined with wind and weather data to assess risks.

DOES HAZARD ASSESSMENT HELP IN OPERATING PROCESSES SAFELY?

A survey of opinions of people within ICI in 1980 (11) showed that a large majority believed that hazard analysis had made process operations safer. This was borne out by the statistics on Fatal Accident Risk caused by process hazards, which had shown a reduction of about a factor of 4 between 1960-69 and 1970-79 and which has continued to reduce through the period since 1979. This improvement has resulted in avoiding about 50 fatalities in the company since 1970. Hazard assessment used in other areas of concern, such as toxic emissions and spills to the aqueous environment, has been shown to provide reliable advice on controlling risks to specified levels.

CONCLUSIONS

Hazard assessment has proven to be a valuable and effective means of making decisions to help improve the safety of processes effectively and cost-effectively. Despite the concerns about the accuracy of QRA, it is helping to ensure that efforts to improve processes are concentrated in those areas where the risk is greatest.

Resources for reducing the risks of processes will always be scarce, so the use of reliable hazard assessment and QRA to ensure that money is spent where it will most improve safety has much to commend it.


REFERENCES

1 David Jones, 1985, Nomenclature for Hazard and Risk Assessment in the Process Industries, Second Edition. Published by the Institution of Chemical Engineers.

2 J G Sellers, 1976, Quantification of Toxic Gas Emission Hazards. I Chem E Symposium Series No. 47.

3 T A Kletz, 1992, HAZOP and HAZAN. Notes on the identification and assessment of hazards. Loss Prevention Hazard Workshop Modules.

4 C D Swann and M L Preston, 1995, 25 Years of HAZOPs, J. Loss Prev. Process Ind. Vol 8, No. 6, 349-353

5 T A Kletz, 1971, Hazard Analysis - A Quantitative Approach to Safety. I Chem E Symposium Series No. 34: 75-81

6 R M Stewart, 1971, High Integrity Protective Systems. I Chem E Symposium Series No. 34: 99-104

7 Bulloch B C, April 1974, The Development and Application of Quantitative Risk Criteria for Chemical Processes. Fifth Chemical Process Hazard Symposium, Institute of Chemical Engineers, Manchester, England

8 Gibson S B, Design of new chemical plants using hazard analysis. I Chem E Symposium Series No. 47.

9 Gibson S B, July 1977, Major Hazards - should they be prevented at all costs?, XXIII Annual Meeting of the Institute of Management Sciences

10 Illidge J T and Wolstenholme J, 1978, Hazards of Oxyhydrochlorination. Loss Prevention, Vol 12: 111-117

11 Illidge J T, October 1983, Hazard Studies and Hazard Analysis 10 years on. Loss Prevention Bulletin, issue 53, 1-6
