Inherent Safety
Process Safety Management
Fire and Explosion
Reactive Chemicals
Chemical Exposure
HAZOP
LOPA
Metrics
Human Factors
Culture
Competence
Auditing
Resources and References
Introductions
Richard Gowland.
Technical Director, European Process Safety Centre. Formerly (until 1 March 2004) Process Safety Associate, the Dow Chemical Co.
Rtgowland@aol.com
Willem Patberg.
Formerly (until mid 2007) Process Safety Associate, the Dow Chemical Co.
wbpatberg@zeelandnet.nl
Richard Gowland
by Richard Gowland
Willem Patberg
2006 - etc.
IN EUROPE.
Accidents in industry kill one person every 2 hours and injure one person every 15 seconds.
The death toll is approximately 4,900 every year from a total of 7.6 million accidents.
Outcomes
Drivers:
Corporate Responsibility
The Law
and
link to documents in U.K. Health and Safety
Executive
http://www.hse.gov.uk/pubns/indg417.pdf
Consequences of failure
Financial sanctions
Possible imprisonment
Loss of reputation
Stock price fluctuations
Responsible Care
Performance Monitoring
And
Examples follow
[Charts: three performance monitoring examples. (1) Annual values for 1994 to 2005, vertical axis 0 to 200. (2) Values by business: PERFORMANCE CHEMICALS, THERMOSETS, CHEMICALS, DOW AGROSCIENCES, UNALLOCATED, MARKET FACING. (3) Annual values for 1996 to 2002 (DAS) against a 2005 Goal.]
Existing Operations
New projects and business opportunities
Mergers and Acquisitions
Level 1: PROCESS HAZARD ANALYSIS
Level 2: RISK REVIEW
Level 3: ENHANCED RISK REVIEW
Level 4: QRA
Applied to what?
Existing Operations
New Projects
Mergers and Acquisitions
Contracted out operations
(partial and
[Figure: Corporate Governance Elevation Criteria. Vertical axis ticks from 1.E-02 down to 1.E-12; horizontal axis ticks 1, 10, 100, 1,000, 10,000.]
Example 1:
A project which indicates a predicted risk of a single fatality at a frequency of 2.5 E-07 (i.e. 2.5 chances every 10 million years).
The company governance criteria indicate that the Operations Manager can make this decision on his own authority and check:
The local Government regulator requirements are shown in the next slide; they indicate the risk is broadly acceptable.
Example 2:
A project which indicates a predicted risk of a single fatality at a frequency of 7.1 E-06 (i.e. 7.1 chances every 1 million years).
The company governance criteria indicate that the Operations Manager cannot make this decision on his own authority.
Business leadership must decide: accept, or provide resources to reduce risk, or abandon project.
The local Government regulator requirements are shown in the next slide; they indicate the risk is broadly acceptable.
Example 3:
A project which indicates a predicted risk of 8 fatalities at a frequency of 2.1 E-05 (i.e. 21 chances every 1,000,000 years).
The company governance criteria indicate that the Operations Manager cannot make this decision on his own authority.
Business leadership cannot decide.
Executive Board of the company must decide: accept, or provide resources to reduce risk, or abandon project.
The local Government regulator requirements are shown in the next slide; they indicate the risk is tolerable if ALARP.
Risk Tolerability
Frequency | Fatalities (n): 1 | 2-10 | 11-50
10^-4/yr - 10^-5/yr | Tolerable if ALARP | Tolerable if ALARP | Tolerable if ALARP
10^-5/yr - 10^-6/yr | Broadly acceptable | Tolerable if ALARP | Tolerable if ALARP
10^-6/yr - 10^-7/yr | Broadly acceptable | Broadly acceptable | Tolerable if ALARP
10^-7/yr - 10^-8/yr | Broadly acceptable | Broadly acceptable | Broadly acceptable
ALARP?
As Low as Reasonably Practicable
So what is achieved?
Bhopal
More than 6000 people killed
People still suffering 25 years later
Large release of Methyl Isocyanate during runaway reaction with water
Cooling system was disabled because of running cost
Scrubber system not operational
Flare system too small
People living close to facility fence; no control of building
Bhopal
Operated by Union Carbide India
Prosecution in Indian Courts
Settlement of $400MM by Union Carbide
Union Carbide was greatly affected as a company and never really recovered
Bought out by Dow in 2001
Site remains a problem even today
Piper Alpha
Enschede Netherlands
[Diagram labels: Feed; Feed Heat Exchanger; Furnace; Raffinate Splitter; Condensate; Bottom Product; Blowdown stack]
What happened?
Feb. 21
March 22
March 23
[Photos: Isomerization Unit; Trailer; Double-Wide Trailer]
Key Issues
Operator Inattention
Following Procedures
Supervisor Absence
Communication - shift handover
Trailers Too Close to Hazards
Abnormal Start-ups
Investigation of Previous Incidents
Blowdown Drum Vented Hydrocarbons to Atmosphere
Opportunities to Replace Blowdown Drum
Evaluation of Connection to Flare
CRITICAL FACTORS:
UNDERLYING CULTURE:
Safety as a priority
Organizational complexity
Business Context
Motivation
Morale
PAS Score
Inability to See Risk
(Process) Safety as a Priority
Emphasis on Environment and Occupational Safety
Organizational Complexity & Capability
Investment in People
Layers and Span of Control
Communication
Hazard Identification Skills
Understanding of Process Safety
Facility Siting
Vehicles
Lack of Early Warning
Depth of Audit
KPIs for Process Safety
Sharing of Learning / Ideas
Protective Barriers
Weaknesses Or Holes
Accident
[Diagram labels: tank T912; Servo level Indicator; ATG; atmos. vents; Vented ullage; In/out]
1) Fuel cascaded down the tank and formed a rich fuel/air mix, which collected in dike A.
2) CCTV footage showed vapour flowing out of dike A from 0538. The cloud was initially about 1m deep, but thickened to 2m.
Overflow prevention
Risk Assessment with new knowledge
Secondary and Tertiary Containment
Management Systems
Emergency Planning
The Accident
The furnaces
The site
INHERENT SAFETY
MINIMIZE the amount of hazardous material that is in use.
SUBSTITUTE
MODERATE the process conditions of the hazardous materials.
SIMPLIFY
Common sense
Given relevance and brought to reality by Trevor Kletz
Probably not fully exploited by industry
Process Engineers
Fire and Explosion
Index
Process Risk management
or
[Chart: F.&E.I. (max) and F.&E.I. (ave) for 1991, 1993 and 1995; vertical axis 0 to 300. Annotation: Higher F.&E.I. =]
MATERIAL FACTOR:
Substitute?
Type of Reaction
Exotherm, Hydrolysis, nitration etc.
Endotherm
Varying penalties
Can you Attenuate/Moderate?
Attract Higher Penalties
ACCESS
For Emergency Purposes
DRAINAGE
What if a spill OR Fire Water don't drain safely?
TOXIC MATERIALS
- Effect on operators
- Effect on neighbours
- Effect on Environment
- Effect on emergency response
i.e. SUBSTITUTE
Use of Vacuum
- attenuate or moderate processing conditions and lower the penalty !!
Dust Explosion:
Reduce penalty by:
Increasing particle size or handling in alternative form
SUBSTITUTE?
Relief Pressure
Hazardous Inventory in process or storage
Hardware selection:
- seal-less pumps and agitators
Double walled pipes
Improved Technology
Avoidance of Knock on effects by using the index to give plant layout.
Levels 1 - 4
Summary diagram
Level 1: PROCESS HAZARD ANALYSIS
Level 2: RISK REVIEW
Level 3: ENHANCED RISK REVIEW
Level 4: QRA
FIGURE 1: SIMPLIFIED RISK MANAGEMENT PROCESS
[Flowchart boxes: DETERMINE RISK REVIEW REQUIREMENTS; IDENTIFY HAZARDS; Analyze/Assess RISK; IS RISK TOLERABLE? (YES / NO); CAN RISK BE REDUCED? (YES / NO); REDUCE RISK; DISCONTINUE ACTIVITY; MANAGE RESIDUAL RISK. Side labels: WHEN & WHO; WHAT & HOW.]
Level 1
HAZOP study or
What If or
FMEA
These establish the causes for the consequences already developed in level 1
List causes and lines of defence from above studies
Level 3
Level 4
Level 1: PROCESS HAZARD ANALYSIS
Detail of PHA
Protocol
Questionnaire as guidance on what matters:
Hazardous Scenario Identification through
Storage
Reactors
Distillation
Heat Exchangers
Pumps
..
PHA
Consequence estimation
E.g. Fire, Explosion, Toxic release
PHA
For all facilities, the following Operational information shall be available in the facility at the Review:
All information held in the General and Process Safety library of the facility:
- Process Description
- Process Flow Diagrams
- Worst Case and Most probable Case scenarios
- PHA questionnaire(s)
- Fire and Explosion Index
- Chemical Exposure Index
- Explosion Impact Analysis for Occupied Buildings
- Electrical Area Classification plot plan
- Safe Operating procedures
- Key critical control parameters (Critical Process Variables)
- Piping and Instrument Diagrams (P&IDs)
- Material Safety Data Sheets (MSDSs)
- Process Safety Incidents and Accidents
- Facility Emergency Response Plans
If the facility qualifies for Level 2 Risk Review, the information relating to Layer of Protection Analysis and other procedures required by the Process Safety
*Note that when a New Production Manager Review takes place, the periodic review schedule re-starts. This is to take the full benefit of the review and to avoid repetition and duplication of effort.
Confined Spaces
Process equipment
Vessels, columns, reactors, mixers, tank etc.
Confined space
"Confined space" means a space that:
(1) Is large enough and so configured that an employee can bodily enter and perform assigned work; and
(2) Has limited or restricted means for entry or exit (for example, tanks, vessels, silos, storage bins, hoppers, vaults, and pits are spaces that may have limited means of entry.); and
(3) Is not designed for continuous employee occupancy.
Confined Space
A Confined Space has the three characteristics listed before (which define a confined space) and one or more of the following:
- Contains or has the potential to contain a hazardous atmosphere
- Contains a material that has the potential for engulfing the entrant
- Has an internal configuration that might cause an entrant to be trapped by inwardly converging walls or by a floor that slopes downward and tapers to a smaller cross section
- Has the potential for oxygen depletion through corrosion
- Contains any other recognized serious safety or health hazards.
Notification
Rescue Procedure
Preparation
Testing
Personal Protective Equipment
Communication
Permit
Notification
Notification of the responsible persons and emergency services
Rescue procedure
Blinding
Blinding means the absolute closure of a pipe, line, or duct by the fastening of a solid plate (such as a spectacle blind or a skillet blind) that completely covers the bore and that is capable of withstanding the maximum pressure of the pipe, line, or duct with no leakage beyond the plate.
Testing
Confirmation of a non-hazardous atmosphere (next slide) by means of a representative sample shortly before entry
Testing and alarming during entry
Hazardous Atmosphere
"Hazardous atmosphere" means an atmosphere that may expose employees to the risk of death, incapacitation, impairment of ability to self-rescue (that is, escape unaided from a permit space), injury, or acute illness from one or more of the following causes:
(1) Flammable gas, vapor, or mist in excess of 10 percent of its lower flammable limit (LFL);
(2) Airborne combustible dust at a concentration that meets or exceeds its LFL;
NOTE: This concentration may be approximated as a condition in which the dust obscures vision at a distance of 5 feet (1.52 m) or less.
(3) Atmospheric oxygen concentration below 19.5 percent or above 23.5 percent;
(4) Atmospheric concentration of any substance for which a dose or a permissible exposure limit is published in Subpart G, Occupational Health and Environmental Control, or in Subpart Z, Toxic and Hazardous Substances, of this Part and which could result in employee exposure in excess of its dose or permissible exposure limit;
NOTE: An atmospheric concentration of any substance that is not capable of causing death, incapacitation, impairment of ability to self-rescue, injury, or acute illness due to its health effects is not covered by this provision.
(5) Any other atmospheric condition that is immediately dangerous to life/health
Communication
Means of communication with outside guard as well as by guard with control room/emergency center
Permit
Permit that confirms the steps taken and documents the test results
Signed by all persons involved
Responsible person signs last. This is usually done at a higher level than for Safe/Hot Work permits. Delegation only to a higher level
Maximum validity of permit. Maximum is 8 hours or less
Confirmation of Completion
Introduction
Nitrogen makes up 78% of the air we breathe; because of this it is often assumed that nitrogen is not hazardous.
However, nitrogen is safe to breathe only if it is mixed with an appropriate amount of oxygen.
Additional nitrogen (lower oxygen) cannot be detected by the sense of smell.
Nitrogen is used commercially as an inerting agent to keep material free of contaminants (including oxygen) that may corrode equipment, present a fire hazard, or be toxic.
A lower oxygen concentration (e.g., caused by an increased amount of nitrogen) can have a range of effects on the human body and can be fatal if it falls below 10%.
Possible Results
Oxygen concentration (%): 20.9 (Normal), 19.0, 16.0, 14.0, 12.5, <10
Statistics on Incidents
CSB reviewed cases of nitrogen asphyxiation that occurred in the US between 1992 and 2002 and determined the following:
- 85 incidents of nitrogen asphyxiation resulted in 80 deaths and 50 injuries.
- The majority of incidents occurred in manufacturing and industrial settings, but several incidents occurred in other settings including laboratories and medical facilities.
[Pie chart of incidents by setting: segments of 5%, 13%, 6%, 62% and 14%; surviving label: Laboratories]
Statistics on Incidents (cont'd)
The majority of incidents occurred in and around confined spaces, though several incidents occurred in open areas, including inside buildings and outdoors near equipment.
Almost half the incidents involved contractors, including construction workers. Contractors account for over 60% of the fatalities.
Causes of the incidents included:
- Failure to detect an oxygen-deficient atmosphere in and around confined spaces.
- Mistakenly using nitrogen instead of breathing air.
- Inadequately preparing for rescue.
More Information
A safety bulletin and 1-page brochure on the hazards of nitrogen asphyxiation, as well as this presentation, are available from the US Chemical Safety and Hazard Investigation Board.
www.csb.gov
(202)261-7600
HAZARD CLASSIFICATION GUIDE
7th edition
January 1994
EFFECTS
1.
2.
FIRE EXPOSURE FROM ORIGINAL RELEASE
3.
CAPITAL DENSITY
*
PROCESS PRESSURE AND TEMPERATURE
*
*
UNITS CRITICAL TO PLANT OPERATION
1.
Factor | Penalty Factor Range | Penalty Factor Used(1)
Base Factor | 1.00 | 1.00
A. | 0.30 to 1.25 | ________
B. | 0.20 to 0.40 | ________
C. | 0.25 to 1.05 | ________
D. | 0.25 to 0.90 | ________
E. | 0.20 to 0.35 | ________
F. | 0.25 to 0.50 | ________
Factor | Penalty Factor Range | Penalty Factor Used(1)
Base Factor | 1.00 | 1.00
A. Toxic Material(s) | 0.20 to 0.80 | ______
B. Sub-Atmospheric Pressure (< 500 mm Hg) | 0.50 | ______
C. Operation In or Near Flammable Range ___ Inerted ___ Not Inerted
   1. Tank Farms Storage Flammable Liquids | 0.50 | ______
   2. Process Upset or Purge Failure | 0.30 | ______
   3. Always in Flammable Range | 0.80 | ______
D. Dust Explosion (See Table 3) | 0.25 to 2.00 | ______
E. Pressure (See Figure 2): Operating Pressure ________ psig or kPa gauge; Relief Setting ________ psig or kPa gauge | | ______
F. Low Temperature | 0.20 to 0.30 | ______
G. Quantity of Flammable/Unstable Material: Quantity _____ lb or kg; HC = _____ BTU/lb or kcal/kg
   1. Liquids or Gases in Process (See Figure 3) | | ______
   2. Liquids or Gases in Storage (See Figure 4) | | ______
   3. Combustible Solids in Storage, Dust in Process (See Figure 5) | | ______
H. Corrosion and Erosion | 0.10 to 0.75 | ______
I. Leakage - Joints and Packing | 0.10 to 1.50 | ______
J. Use of Fired Equipment (See Figure 6) | | ______
K. Hot Oil Heat Exchange System (See Table 5) | 0.15 to 1.15 | ______
L. Rotating Equipment | 0.50 | ______
TYPE OF REACTION
PROCESS TEMPERATURES
PROCESS PRESSURE
QUANTITIES OF FUEL
DETERMINE
1. THE
DETERMINE
3. AREA OF EXPOSURE
Fire & Explosion Index (F&EI) ______
Radius of Exposure (Figure 7) ____ ft or m
Area of Exposure ____ ft2 or m2
4. REPLACEMENT VALUE
Value of Area of Exposure
Now to an example..
Using the calculation book
Case Study:
You are required to upgrade an Emulsion Polymerisation plant. The relevant units in the upgrade are:
Butadiene Unloading
Butadiene Storage
Monomer Weigh tank (Storage/feed)
Polymerisation Reactor
All other units (Styrene, Acrylonitrile, surfactant etc. handling) will not be changed (already optimised).
Resources you will need:
Folders with the Dow Fire and Explosion Index and Chemical Exposure Index calculation methods.
Calculator
Discuss the advantages and disadvantages of the two possible locations and calculate the Fire and Explosion Indexes for each case
Calculate the Fire and Explosion Indexes for the storage tank for each option selected:
Calculate the Fire and Explosion Index for the Monomer Weigh Tank
Polymerisation Reactor:
Total volume 16 M3
Continuously Stirred reactor (25 KW POWER AVAILABLE). Double mechanical seal on agitator.
For index calculation purposes, the flammable material is taken to be in process.
Materials of construction to give total corrosion resistance
Location within a diked/bunded area which is drained to the run off basin
Location is open air, no enclosures. Access from 2 sides via paved road.
Suggest various modes of operation and describe those they consider to be Inherently Safer.
The participants are requested to calculate the Reactor Fire and Explosion Indexes for all modes they suggest.
[Blank F&EI worksheet. AREA / COUNTRY: EUROPE; MANUFACTURING UNIT: EMULSION POLYMERS; DATE: 14 MARCH 2001; state of operation marked X: NORMAL OPERATION; material: BUTADIENE; PROCESS UNIT not filled in. The penalty columns list the form's penalty ranges with no values entered.]
MATERIAL FACTOR (See Table 1 or Appendices A or B). Note requirements when unit temperature over 140 °F (60 °C).
Feature | Credit Factor Range | Credit Factor Used(2)
a. Emergency Power | 0.98 | ______
b. Cooling | 0.97 to 0.99 | ______
c. Explosion Control | 0.84 to 0.98 | ______
d. Emergency Shutdown | 0.96 to 0.99 | ______
e. Computer Control | 0.93 to 0.99 | ______
f. Inert Gas | 0.94 to 0.96 | ______
g. Operating Instructions/Procedures | 0.91 to 0.99 | ______
h. | 0.91 to 0.98 | ______
i. | 0.91 to 0.98 | ______
C1 Value(3) ______

2. Material Isolation Credit Factor (C2)
Feature | Credit Factor Range | Credit Factor Used(2)
a. | 0.96 to 0.98 | ______
b. Dump/Blowdown | 0.96 to 0.98 | ______
c. Drainage | 0.91 to 0.97 | ______
d. Interlock | 0.98 | ______
C2 Value(3) ______

3. Fire Protection Credit Factor (C3)
Feature | Credit Factor Range | Credit Factor Used(2)
a. Leak Detection | 0.94 to 0.98 | ______
b. Structural Steel | 0.95 to 0.98 | ______
c. | 0.94 to 0.97 | ______
d. Special Systems | 0.91 | ______
e. Sprinkler Systems | 0.74 to 0.97 | ______
f. Water Curtains | 0.97 to 0.98 | ______
g. Foam | 0.92 to 0.97 | ______
h. Hand Extinguishers/Monitors | 0.93 to 0.98 | ______
i. Cable Protection | 0.94 to 0.98 | ______
C3 Value(3) ______

Loss Control Credit Factor = C1 X C2 X C3(3) = ______ (Enter on line 7 below)
2. ______ ft or m
3. Area of Exposure ______ ft2 or m2
[Lines 4 to 9 of the summary: blank entries in $MM and days.]
[Blank F&EI worksheets for the case study, each headed AREA / COUNTRY: EUROPE and listing the same penalty ranges with no values entered:]
- PROCESS UNIT: 1,3 BUTADIENE STORAGE; MANUFACTURING UNIT: EMULSION POLYMERS; DATE: 14 March 2001; material: BUTADIENE (two copies)
- One worksheet with no manufacturing unit, process unit or date filled in
- PROCESS UNIT: MONOMER FEED WEIGH TANK; MANUFACTURING UNIT: EMULSION POLYMERS; DATE: 14 MARCH 2001
- PROCESS UNIT: POLYMERISATION REACTOR; MANUFACTURING UNIT: EMULSION POLYMERS; DATE: 14 MARCH 2001 (two copies; NORMAL OPERATION marked X on the first)
Butadiene Unloading. Consider worst cases from liquid and gas line fracture and how the discharge might be minimised. Calculate Chemical Exposure Indexes for credible cases which would result. Course tutor will act as consultant.
b) Butadiene storage. Consider worst cases from liquid and gas line fracture and how the discharge might be minimised. Calculate Chemical Exposure Indexes for credible cases which would result. Course tutor will act as consultant.
Storage conditions are as described above. Other data is in the provided material. Please substitute the following updated material for
Emergency Response Planning Guidelines
1,3 Butadiene
ERPG 1: 22 mg/M3 (10 ppm)
ERPG 2: 442 mg/M3 (200 ppm)
ERPG 3: 11060 mg/M3 (5000 ppm)
1-60, 61-96, 97-128, 128 - 158, >= 159
Unloading facility
Storage tank
Reactor
Distillation Column
Quench Vessel
Storage Vessel
Loading facility
A designation of the Process Unit must be entered in the appropriate space on the F&EI form. The Manufacturing Unit designation must also be entered on the F&EI form. A Manufacturing Unit is the entire production facility including chemical processes, mechanical processes, warehouse, packaging lines, etc.
It is quite clear that most manufacturing units have many process units. To calculate the Fire and Explosion Index, however, only process units that could have an impact from a loss prevention standpoint should be evaluated. These are known as Pertinent Process Units.
Important factors for selecting Pertinent Process Units include:
a. Chemical energy potential (Material Factor)
b. Quantity of hazardous material in the Process Unit
c. Process pressure and process temperature
d. Units critical to plant operation, e.g. Reactor
Important Considerations
A. The Fire and Explosion Index system assumes that a process unit handles a minimum of 2,500 kg of a flammable, combustible or reactive material. If less material is involved, generally the risk will be overstated. However, F&EI calculations can provide meaningful results for pilot plants if they handle at least 500 kg of combustible or reactive material.
B. Careful consideration is needed when equipment is arranged in series and the items are not effectively isolated from each other. An example would be a reaction train without an intermediate pump. In such situations, the type of process determines whether several vessels or just a single vessel should be considered as the Process Unit.
It should rarely be necessary to calculate the F&EI for more than three or four Process Units in a single process area of a Manufacturing Unit. The number of Process Units will vary according to the type of process and the configuration of the Manufacturing Unit.
A separate F&EI form must be completed for each process unit evaluated.
C. It is also important to give careful consideration to the state or point in time of the operation. By their nature, such normal stages as startup, steady-state operation, shutdown, filling, emptying, adding catalyst, etc., often create unique conditions having an impact on the F&EI. Generally, good judgment will enable selection of the point in time of operation to perform the F&EI calculation. Occasionally more than one point in time will have to be studied to determine the significant risk.
Unlisted Substances
If neither Appendix A, NFPA 49, nor NFPA 325M contains values for the substance, mixture or compound in question, these values will have to be determined from the flammability ranking or dust class (St) (see Table 1). First, the parameters shown in the left column of the table will have to be determined. The flammability ranking of liquids and gases is obtained from flash point data, and the St of dusts or mists is determined by dust explosion testing. The flammability ranking of combustible solids depends on the nature of the material as categorized in the left column.
The instability ranking can be obtained from a qualitative description of the instability (or reactivity with water) of the substance, mixture or compound at ambient temperature.
Definitions in National Fire Protection Association (NFPA) 704 should be used to assign hazard ratings for materials which are not listed in the F&EI calculation tool in S2S.
Instability Ranking (Material Factor values, one column per Instability Ranking, lowest ranking first)
Non-combustible2 | | 14 | 24 | 29 | 40
 | | 14 | 24 | 29 | 40
 | 10 | 14 | 24 | 29 | 40
F.P. ≥ 73 °F (≥ 22.8 °C) < 100 °F (< 37.8 °C) or F.P. < 73 °F (< 22.8 °C) & B.P. ≥ 100 °F (≥ 37.8 °C) | 16 | 16 | 24 | 29 | 40
F.P. < 73 °F (< 22.8 °C) & B.P. < 100 °F (< 37.8 °C) | 21 | 21 | 24 | 29 | 40
 | 16 | 16 | 24 | 29 | 40
 | 21 | 21 | 24 | 29 | 40
 | 24 | 24 | 24 | 29 | 40
Combustible Solids
Dense > 40 mm thick4 | 4 | 14 | 24 | 29 | 40
Open < 40 mm thick5 | 10 | 14 | 24 | 29 | 40
Foam, fiber, powder, etc.6 | 16 | 16 | 24 | 29 | 40
F.P. = Flash Point, closed cup
Notes:
1 Includes volatile solids.
2 Will not burn in air when exposed to a temperature of 816 °C for a period of five minutes.
3 K_St values are for a 16 Litre or larger closed test vessel with strong ignition source. See NFPA 68, Guide for Venting of Deflagrations.
4 Includes wood 2 inches nominal thickness, magnesium ingots, tight stacks of solids and tight rolls of paper or plastic film.
5 Includes coarse granular material such as plastic pellets, rack storage, wood pallets and non-dusting ground material such as polystyrene.
6 Includes rubber goods such as tyres and boots,
In the F&EI system, only one hazard may be evaluated at a time. If the MF is based on a
flammable liquid present in the Process Unit, do not take penalties relating to combustible dusts,
even though dust may be present at a different time. A reasonable approach might be to evaluate
the Process Unit once using the MF of the flammable liquid and a second time using the MF of
the dust. Only the calculation resulting in the highest F&EI and Actual Maximum Probable
Property Damage need to be reported.
One important exception is the hybrid, described previously under Mixtures. If a hybrid
mixture is selected as the most hazardous material present, it is penalized both as a dust and as a
flammable vapor in the Process Unit Hazards Factor sections of this manual.
Some items on the F&EI form have fixed penalty values. For those that do not, determine the
appropriate penalty by consulting the text that follows. Remember: analyze only one hazard at
a time, relating the analysis to a specific, most hazardous time (e.g., startup, normal operation or
shutdown). Keep the focus on the Process Unit and Material Factor selected for analysis and
keep in mind that the results of the final calculation are only as valid as the appropriateness of the
penalty assessments.
All the pertinent information needed to calculate the Fire and Explosion Index and
the radius of exposure is entered in the Excel workbook "F&EI Calculation workbook S2S July
2006.xls".
When the indexes for all pertinent units in the plant have been calculated, the results give an indication of
the ranking of risk of each unit relative to another. This ranking can be used for screening out the lower risk
items and concentrating study on the higher ones.
Materials whose LD50 for acute dermal toxicity is greater than 2000
mg/kg.
Materials whose LD50 for acute oral toxicity is greater than 2000
mg/kg.
Materials that are essentially nonirritating to the respiratory tract,
eyes, and skin.
*For each degree of hazard, the criteria are listed in a priority order based upon the likelihood of exposure.
Degrees of Flammability Hazards
Degree of Hazard
Criteria
4 Materials that will rapidly or completely vaporize at atmospheric pressure and normal ambient temperature or that are readily dispersed in air and will burn readily.
Flammable gases.
Flammable cryogenic materials.
Any liquid or gaseous material that is liquid while under pressure and has a flash point below 22.8 °C (73 °F) and a boiling point below 37.8 °C (100 °F) (i.e., Class IA liquids).
Materials that ignite spontaneously when exposed to air.
Solids containing greater than 0.5 percent by weight of a flammable or combustible solvent are rated by the closed cup flash point of the solvent.
3 Liquids and solids that can be ignited under
almost all ambient temperature conditions. Materials in
this degree produce hazardous atmospheres with air
under almost all ambient temperatures or, though
unaffected by ambient temperatures, are readily ignited
under almost all conditions.
[Slide figures: plant layout with items C-6, T-3, R-3 and P-R3 and a Leak; Separation Distance D to R-3; Overpressures. Labels: Extent of Confinement; Confined Volume = V; Fraction of explodable cloud contributing to overpressure; Fraction of cloud outside confinement does not contribute to overpressure. Final slide: Calculate.]
How to calculate:
Normal
Hydrocarbons) or High)
Estimate confined volume (M3)
Estimate Confinement restricting exploding
vapour cloud from unconfined expansion (usually
2 D or 1D)
Estimate degree of congestion in the Confined
volume (more congestion makes the expanding
flame front accelerate - bad news)
Velocity) and
Degree of confinement dimension(s) of freedom
for gases to expand on combustion and
Degree of congestion
Low
Medium
High
Fundamental Burning Velocity
Low Reactivity: < 45 cm/sec
Medium Reactivity: between 45 and 75 cm/sec
High Reactivity: > 75 cm/sec
Use Curve No (columns: 1D, 2D, 3D)
What is dust?
Fuel Concentration
KSt
Explosion Classes
Secondary explosions
Surface Area
No matter how combustible the dust may be, a dust explosion will generally not take place if the
particle size is too large. Explosibility clearly depends on the size and surface area of the dust
particles, but the dependence is not linear.
Ignition
Ignition Sources
ATEX Regulation
Content
Some Definitions
The need for a Reactive Chemicals Programme
Examples
Flammability (pt 2)
Thermal Hazard Evaluation Tools (see separate
intro training in PROMIS)
Static Electricity
Dust Explosions
Inter-reactivity Charts
Reactive Substances
REACTIVE distinguished from THERMALLY UNSTABLE
REACTIVE
Endothermic:
Heat is absorbed
Exothermic:
Heat is released
Nitration
Condensation
Oxidation
Amination
Alkylation
Halogenation
Hydrogenation
Esterification
Combustion
Polymerization
.....
Adsorption
Neutralization
Vaporization
Mixing
Dilution
Wetting
Corrosion
.....
Energy Build-up
[Figure labels: reaction, point of no return, Need to know/predict, control, Temperature, cooling]
Batch Reactors
Continuous Reactors
Static mixers (sometimes)
Scrubbers
Pumps
Storage tanks
Adsorbers
Absorbers
Ion Exchange beds
Storage tanks
High surface area substrates (e.g. thermal insulation)
Distillation column trays and packing
Heat Exchangers
Product storage drums
Batch Reactors
Continuous Reactors
Static Mixers
Scrubbers
Adsorbers
Distillation columns
Heat Exchangers
Storage tanks
Pumps
Major Examples 2
The refrigeration unit, designed to keep the stored Methyl Isocyanate at 0 °C, had been shut down for 6 months.
The flare on the vent line from the scrubber was out of service for repair.
Only after the incident started was the unit's vent gas scrubber, on standby for about 45 days, restarted.
Myths
It's small and shouldn't be a problem...
chemistry...
I've already done it several times and there is no problem...
The Thermal Analysis doesn't show anything...
It's an inert solvent...
We don't expect any reaction at this temperature...
It is well below the flashpoint.
I'll just let it run over the weekend - no problem...
Process knowledge
Has Inherently Safer Process Design been addressed?
Think about thermally unstable materials, shock sensitive
materials, pyrophoric materials (ignite when exposed to air),
combustible dusts.
Control systems
Cooling
Mechanical Integrity
Layers of Protection/Lines of defence
Relief systems
Mitigation systems (scrubbers, flares etc.)
-- History
-- Brainstorming
-- Hazard Evaluation
Inherently Safer?
Substitute
Replace hazardous material with a safer one (e.g. aqueous or higher flash
point solvent)
Minimise
Inventory of hazardous material
Continuous or semi continuous reaction
Moderate
Lower temperature and/or pressure
Simplify
Chemical Exposure Index
Scenario Selection
Final Scenario that gives largest
Airborne Quantity
Process Pipes
Hoses
Relief Devices (Assume All Airborne)
Vessels
Overflows & Spills
Other
[Flowchart: Scenario with Largest AQ. Decision and step labels: Type Release, Gas, Calculate Flash, All Airborne? (Yes/No), Calculate AQ. Figure A: Pool Only (Styrene). Figure B: Pool + Flash (Butadiene). Figure C: All Flash Entrained (Ammonia). Figure D.]
CEI Calculation
Consequence Based
Based on Continuous Release Dispersion Equation
If flow rate empties in less than 5 minutes, divide inventory by 5
minutes for flow rate.
CEI = 655.1 x
AQ
ERPG-2(MW)
Hazard Distances
Approximate distances
each ERPG concentration would travel
for assumed weather conditions.
HD (Metres) = 6551 x
AQ
ERPG-x(MW)
2. ________
3. ________
4. ________ kg/sec ________ lb/min
Concentration (mg/m3, PPM) and Hazard Distance (meters, feet) for ERPG-1/EEPG-1, ERPG-2/EEPG-2 and ERPG-3/EEPG-3: ________
5. Distances (meters, feet) to:
Public (generally considered property line) ________
Other in-company facility ________
6. The CEI and the Hazard Distance establish the level of review needed as determined in the Dow
Process Risk Management Guidelines for Facilities and Distribution.
7. If further review is required, complete Containment and Mitigation Checklist (Chemical Exposure
Index Guide, 2nd Edition Appendix 2, page 26) and prepare Review Package.
8. List any sights, odors or sounds that might come from your facility and cause public concern or
inquiries (e.g., smoke, large relief valves, odors below hazardous levels such as mercaptans or amines, etc.)
Prepared by: ________
Reviewed by: ________
Date: ________
[Chart: Chemical Exposure Index based on 2 inch leak vapour and liquid (x 10 = distance to ERPG2 conc.). Vertical axis: CEI, 100 to 1000. Series: Gas Release, Liquid Release. Chemicals shown: Styrene, Toluene diisocyanate, Ethylene dichloride, Epichlorohydrin, Propylene oxide, Vinyl acetate, Vinyl chloride, Acrylonitrile, Vinylidene chloride, Allyl chloride, Benzene, Methyl chloride, Ethylene oxide, Sulfuryl fluoride, Butadiene, Hydrogen fluoride, Sulphur trioxide, Ammonia, Hydrogen sulfide, Sulphur dioxide, Carbon monoxide, Chlorine, Hydrogen chloride, Phosgene.]
Review Process
Purpose of Review
Focus on what CAN and WILL BE DONE to:
Eliminate Release
Reduce Release Quantity
Mitigate Release After It Occurs
Workshop
Determine Scenarios of Butadiene
Process Pipe
Hoses
Relief Devices
Vessels
Overflows & Spills
Other
CEI Scenario
[Figure: POLYMER PLANT, T-110 holding Butadiene (Liquid and Vapor) at 25 °C. Scenario categories: Piping, Hoses, Overfill, Relief Device. Numbered items 1 to 6 include: Vapor Line, Pump Suction Line, Pump Discharge Line, 2 Unloading Hose. Assumes 760 kg/min Unloading rate; Vapor 225 kg/min.]
USE OF SYSTEM
Read operating procedure (README FIRST.DOC)
Download English or SI units folder
Parting Shot
CEI is a screening tool!
Three Keys
Provide Mitigation
DESIGN INTENTION
HAZOP is a method for generating these
DEVIATIONS using GUIDE WORDS
by Todd Hoffmann
HAZOP method
Typical nodes
NODE 1
E 201
R 201
P 201
NODE 2
Nodes
small
If the team gets confused, the node is probably too
big
Flow
Temperature
Pressure
Level
Composition
Agitation
Anything it is important to control
No
Less
More
Reverse
Instead of or Other than (e.g. something else or
wrong composition)
No flow
Less flow
More flow
Reverse flow
Flow of something not planned
More temperature
Less temperature
And so on...
More temperature
Less pressure
PARAMETER
CAUSES
CONSEQUENCES
ACTION
Team gives all the causes for no flow in the lines and
PARAMETER
Flow
CAUSES
CONSEQUENCES
ACTION
When you think you have all causes, list the possible
Consequences:
GUIDE
WORD
No
PARAMETER
Flow
CAUSES
CONSEQUENCES
ACT
After no flow
(usually similar to
no flow
Repeat exercise for more flow
Repeat exercise for reverse flow
Repeat exercise for composition (other than
expected material composition)
UNTIL FLOW is completely studied
After flow
Guideword
P&ID no
Node No.
Parameter
Node Description
Cause
Consequence
Design Intention
Existing
Safeguards
Recommendation
By
Course Tutors:
Richard Gowland
Willem Patberg
CONTENTS
This manual explains the technique of HAZOP study. It accompanies the training
programme delivered by the named course tutors.
Further literature is referred to in the appendix.
The manual is in sections, which will be covered at various points in the course. The
sections are:
Introductory Remarks
Appendices
Course Tutors:
Introductory Remarks
Plant & equipment that is fit for the purpose of reducing the risks from
identified hazards as far as is reasonably practicable (so you have to identify
these hazards first).
People who are competent, through knowledge and skills to operate the plant
and equipment and to implement the systems and procedures
Systematic: The HAZOP study should consider all parts and all modes of the plant
or operation, not just the things that seem at first sight to be a problem. The plant or
operation is split into nodes or lines, which are studied individually. This study
extends from normal steady state operation to start up and shut down, as well as
commissioning and decommissioning and any other state you can imagine. Don't
ignore minor parts of the system (e.g. utilities).
Deviations: These describe possible ways that a process may go from a safe to
unsafe condition. For example, the temperature of the reactor goes outside
the designed safe range. In HAZOP, deviations are normally combinations of
guide words and parameters, e.g. More Flow or Less Flow.
HAZOP Team: HAZOP is not a solo exercise. An appropriate HAZOP team will
include a range of competent persons who can contribute to improving safe
operation.
Guide Words: These help to identify possible deviations. These have been
developed over many years and found to be applicable to a wide range of situations.
Typical guide words are: more, no, less, instead of, reverse, etc.
Parameters: These are the process conditions of interest. Typically these are flow,
pressure, temperature, phase, composition, etc.
Evidence for the regulatory authorities (and e.g. the Insurance Company) that
a comprehensive safety review has taken place;
Additional safety documentation for the lifetime records, which are also
applicable to design changes and any modifications that may occur during the
lifetime of the installation.
Selecting nodes:
Usually the selection of a node is for a unit operation such as a reactor, distillation
column, reboiler, condensate receiver, etc.
The HAZOP team:
A team of people knowledgeable about different aspects of the plant design and
operation.
Start-up;
Shut-down;
Commissioning;
Decommissioning;
Proposed modifications.
HAZOP Outcomes:
which can be:
Process calculations.
Interlock schedules.
The HAZOP experience of the team should be checked prior to the meetings, and
any individuals new to HAZOP should be informally briefed on what will go on.
The HAZOP STUDY: The HAZOP team leader should explain how the nodes on the
first P&ID are selected. A process-knowledgeable person (e.g. Process Engineer)
should describe the design intent of the node being studied. This should be recorded.
A check list of guide words and relevant properties or parameters will have been
specifically prepared by the Team Leader for application to the particular study and
by means of this, deviations from normal operation can be identified.
The Leader then introduces the first parameter to be studied, e.g. FLOW. He
combines this with a GUIDE WORD e.g. NO or NONE.
The team is then required to give all the causes for NO FLOW. These are recorded.
For each of these causes, the CONSEQUENCE which could occur is now offered by
the team and each is recorded.
In each of these cases, the safeguards which prevent the deviation/consequence or
respond to it are recorded (with tag numbers).
The team assigns an approximate likelihood and severity scale to each of the cases.
This is used to highlight and prioritise action and follow up.
The team makes a judgment about the adequacy of the protection and if not
satisfied, can recommend more protection or further study. This is entered into the
record as RECOMMENDATION.
When the team is satisfied, the Leader introduces the next combination of GUIDE WORD and
PARAMETER, e.g. Reverse Flow, and the team carries out the same procedure.
When all the deviations relating to flow are complete, the next parameter e.g.
Temperature is addressed. More temperature, Less Temperature etc.
When all the deviations, flow, temperature, pressure, phase, composition, other
than/instead of have been studied, the next node is addressed.
This repeats until the whole scope of study is completed.
[Flowchart: HAZOP Review. Steps and decisions: Is there a Cause for this Deviation? (Y/N); Identify Safeguards; Safeguards Inadequate or is there anything else that needs to be checked?; Make Recommendation; Other Causes or choose next Word & identify Deviation; All Words Applied?; Next Node.]
Table columns: Guide word, Parameter, Typical Deviation.
Guide words: None/No, Reverse, Part of, More, Less, More than, Other than/instead of, Sooner than, Later than.
Parameters: Flow, Pressure, Level, Quantity, Temperature, Composition, Action.
Typical Deviation: No forward flow when required.
Each industry has its own set of (parameter) words. To identify the parameters of
interest, look for what is being controlled on the plant in the first instance.
After identifying the deviation,
Guide word + Parameter = Deviation
The team has to identify any possible causes (see Appendix A for a suggested set of
issues to investigate), which could result in the deviation from either design or
operating intent.
The team needs to conclude if the deviation is credible and can be studied. Non
credible deviations should also be recorded along with the reasoning for this.
If it is established that the deviation is credible (i.e. if a cause can be identified for the
deviation), then the potential consequences ignoring any safeguards
Safeguards
The proven safeguards (preventative, indication and mitigation) that have been
designed into the system against such a possibility must also be identified.
"Proven" means that they can be proved to be in place and up to the job demanded of
them; typically they are capable of a test and are tested in an appropriate way.
The team (not the leader or an individual) must then make some judgement on
whether or not the safeguards are adequate and complete. In judging this, the
following must be considered.
The consequences of the deviation. The more severe this is, the greater the
degree of protection needed.
How the operator becomes aware of the deviation and is able to respond (time
available etc.)
Whether the safeguards prevent (act on the cause) or mitigate (act on the
consequences) the deviation.
The primary safeguards to be defined for any fault sequence should be, in order of
preference:
If it is judged that the installed safeguards are inadequate, then the team will either
(a) make a recommendation or (b) ask further written questions from an identified
source or (c) refer to further study such as LOPA (all listed in the Recommendation
or Action column of the record sheet) to ensure that further precautions are taken.
This need is often defined by combining the seriousness and probability using a
Risk Ranking Matrix.
Recommendations / Actions
Recommendations should be clear and complete, and include all necessary follow
up with the persons responsible for action. There needs to be a formal means of
ensuring that this follow up is completed. This could include an agreement to provide
further protection or a reason why the recommendation was not applicable or an
alternative provided.
Risk Ranking:
The team may assign a Consequence Severity and Likelihood to each case. This can
be used to prioritise action and highlight areas where safeguards may not be
adequate.
Set below is an example:
Prioritizing Grid
Severity
1
High
10
10
10
Medium
Low
Severity:
1 Catastrophic (Fatality/Major Damage)
2 High (Severe Injury/Property Damage)
3 Medium (Moderate Injury/Property Damage)
4 Low (Light Injury/Property Damage)
5 None
Likelihood:
1 High (>1/yr)
2 Moderate (1/yr - 1/3 yrs)
3 Medium (1/3-10 yrs)
4 Low (1/10-30 yrs)
5 Very Low (1/30-100 yrs)
30
Team Leader.
Secretary/Scribe.
Operational personnel
Maintenance personnel
Uses his experience to prompt, encourage and guide the team towards a
conclusion.
Understanding of the process studied: This allows the leader to ask questions
to prompt the study;
Technically competent in the project (i.e. knows all the words, numbering
conventions, etc.);
Recognise that things can, and do, go wrong and that even the most
improbable incident imagined in the HAZOP is possible;
Drawing/Operation No___________________________
Deviation
Cause
Consequence
Date____________
Sheet________of ______
Mod__________________
Existing Safeguards
Recommendation
By
Notes
A Report.
Recommendations
HAZOP makes Recommendations during the discussion. In HAZOP, the team (not
the leader) defines them. These need to go into the follow up system of the company.
All recommendations need to be considered, but the HAZOP team is not responsible
for the final decisions on implementation.
The HAZOP study is completed when all recommendations have achieved closure.
Report
A HAZOP Report will form part of the Operational Discipline for the plant and
is maintained through document management and updated via Management of Change
and periodic review.
The contents of a study report should include:
Scope, i.e. the facility, process or operation studied, and the aim of the study (I
have carried out studies aimed at identifying safety and operability problems
HAZOP study records (see notes below on recording for what these should
cover).
Supporting Material (e.g. signed drawings marked with the nodes studied).
Advantages
Recording in Full
Recording by Exception
Workshop Exercises
1
Suspended water has a pronounced deactivating effect on the catalyst in the reactor
downstream of the Reactor Feed Settling Tank (RFST). The extremely small quantity
of dissolved water (a few ppm) has little or no effect. The design of the RFST is such
that any free water will collect in the boot from where it is manually drained at regular
4 hourly intervals.
At the design flow rate and normal water content (0.2% v/v) the boot (0.5 m3) will take
10 hours to fill with water and there is further settling capacity (4.5 m3) in the wet
side of the RFST.
Several consecutive manual draining operations would therefore have to be missed
under normal operating conditions before there is any real chance of free water carryover into the reactor feed pumps system.
HAZOP Scope
You are to HAZOP the manual draining of the boot on the RFST. Be sure to think
about potential operator errors, as these will probably dominate the risk.
Hint: Draw out in flowchart form the actions required to complete the operation, and
be aware that people are carrying out these actions.
TEMPERATURE
FLOW
LEVEL
MECHANICAL
REACTION
CHEMICAL ATTACK
ELECTRIC
FAILURE MECHANISM
High Pressure.
Low Pressure.
Vacuum.
High Temperature.
Low Temperature.
High Flow.
Low Flow.
No Flow.
Abnormal Opening to Atmosphere.
Change in Planned Discharge.
High Level.
Low Level.
No Level.
Stress/Fatigue.
Impact.
Vibration.
Erosion.
Fouling.
High Reaction Rate.
Low Reaction Rate.
No Reaction.
Wrong Reaction.
External Corrosion.
Internal Corrosion.
Hardening/Swelling.
Power Supply Failure.
Galvanic Attack.
Static Electricity.
Identify as separate nodes any additional line sections for each branch off
the main process flow line.
Emergency Shut Off Valves are often useful as termination points for
nodes. The next node can be considered as isolated from the current
node in any fault situation. During the study, the safeguards that close the
ESOV should be specified, with an explanation of their operation.
If too many small nodes are selected then the workload will be increased
significantly and this will lead to extensive duplication.
The division of a drawing into too few very large nodes can result in
important deviations and consequences being missed.
Each section should contain active components i.e. components that can
introduce deviations. Piping should not be considered as a node in its own
right unless it contains for example a control valve which could give rise to
flow deviations or a heat exchanger which could cause deviations in
temperature.
Each node must be clearly identifiable on the P&ID; the terminal points for
each node must be agreed at the start of the HAZOP study and the P&ID
clearly marked up accordingly.
The same level of detail must be applied throughout the study. Don't study
e.g. drains in detail on one part of the plant then ignore them on another.
Node 0
Line from the reflux drum to the Intermediate Storage Tank (IST) which
should have already been HAZOP studied.
Node 1
Line from the IST through the J1 pumps to the Reactor Feed Settling
Tank (RFST).
Node 2
Node 3
Node 4
Line through the relief valve from the IST to the flare system.
Node 5
The IST.
Node 6
Node 7
Line from the RFST to J2 Pumps and the spill back line associated with
the J2 Pumps system.
Node 8
Node 9
Line through the relief valve from the RFST to the flare system.
Node 10
The RFST.
Note
Line from the J2 pump through the shell side of the feed / product
exchanger, feed preheater exchanger, reactor, tube side of the
feed / product exchanger, air cooler system and through the
pressure control system.
Node 2
Node 3
Node 4
Node 5
The HAZOP team must have the knowledge, skills and experience to
proceed efficiently and at speed.
The more actions that need to be generated, then the longer the study time
required (as they generate the most argument!).
The HAZOP team must not short circuit the study so as to keep to an
estimated time schedule.
In estimating the time required for a study common sense dictates that you should
apply all three methods, modifying them as necessary and take a mean. In addition,
this estimation can help you gauge the thoroughness of your study: if you estimate
10 hours to complete a drawing and it takes you 30 minutes to study, that's a good
clue that your team hasn't been thorough enough. On the other hand, if you estimate
30 minutes and it takes an hour you cannot claim that as evidence that you have
been extremely thorough. You can't win!
For batch processes double any of these estimates.
Method 1 - Drawings
This is the simplest approach and involves counting the number of drawings and
based on experience estimating an average of 4 - 5 hours per drawing. This
approximate rule of thumb approach has proved to be quite accurate.
It is sometimes the case that certain drawings are extremely simple and require
significantly less than the average time quoted above. Similarly it is also often
found that one or more drawings may be significantly more complicated than all of
the others and consequently much longer than the average time per drawing is
required to complete the HAZOP study of these.
Method 2 - Major Plant Items
Based on experience 2-3 hours study time is allocated to each plant item e.g. reactor,
furnace, distillation column, boiler etc.
Method 3 - Drawing Complexity
Again the main plant items are identified and a study time allocation of an average of
at least 20 minutes is made for each process line entering or leaving each such plant
item.
Don't waste time by spending too long discussing one issue. If the team has
not reached a conclusion within 5-10 minutes, it's time for an Action.
Make sure as you go that the team reaches consensus on all cases.
Use the record to focus your team's attention. A record is easy to refer to
whereas a verbal description can be lost.
Overview
Historical Perspective
A New (2000) Concept for Safety Related Control
systems
Section 1
Overview of LOPA
LOPA tools
The 7 steps in LOPA
Other methods
Competent authority position
Historical Perspective
A New Concept...
That is addressing .
Complex Mathematical
terms & Systems
Simple
Tools
T1
PFD ODU MTTR ODD
MTTR
2
1 + 1 + 2 = 4 or
0.1x0.01x0.07=0.00007
Mitigation
LOPs / LODs
Initiating Event 1
LOPs / LODs
M1
M2
1a 1b
1c
No consequence
Initiating Event 2
1a 2a
Release
Initiating Event 3
3c
3a 3b
4a
Initiating Event 4
Consequence A
Consequence B
Consequence C
[Figure: layers of protection, with labels PLANT EMERGENCY RESPONSE, COMMUNITY EMERGENCY RESPONSE and LAH 1.]
[Figure: LOPA event tree]
Initiating Event Estimated Frequency: fi = x
IPL1, PFD1 = y1: success gives a Safe Outcome; failure leaves f1 = x * y1
IPL2, PFD2 = y2: success gives a Safe Outcome; failure leaves f2 = x * y1 * y2
IPL3, PFD3 = y3: success gives a Safe Outcome; failure means the Impact Event Occurs, with Impact Event Frequency f3 = x * y1 * y2 * y3
Key: Arrow represents severity and frequency of the Impact Event if later IPLs are not successful
IPL - Independent Protection Layer
PFD - Probability of Failure on Demand
f - frequency, /yr
Frequency per year: 10^-5
Initiating event frequency per year (control system loop fails): 10^-1
Probability of ignition (e.g.): 10^-1
Probability of exposure: 100% (10^0)
Independent layer of protection 1, probability of failure on demand (BPCS?): 10^-1
Independent layer of protection 2, probability of failure on demand (SIS?):
PER YEAR
Initiating event frequency per year: control system loop fails
Probability of ignition (e.g.)
Probability of exposure (e.g.): 100%
Independent layer of protection 1, probability of failure on demand: BPCS?
Independent layer of protection 2, probability of failure on demand: SIS or something else?
Factors and Credits in classic LOPA (based on order of magnitude approach as in U.S.)
Most useful for screening work
Initiating Events
Initiating Event Factor (IEF) = integer of initiating event frequency (e.g.
failure frequency of 1 per 10 years, IEF = 1)
LOPA Target Factor (TF) = integer of tolerated event frequency (e.g. 1 event in 100000
years, TF = 5)
Enabling Events
EE Credit Factor = integer of e.g. time at risk: 1%, 10%, 100%;
factors are 2, 1 or 0
Conditional modifiers
CM Credit Factor = integer of e.g. probability of ignition: 1%, 10%,
100%; factors are 2, 1 or 0
IPL = Independent Layer of Protection
IPL Credit Factor = integer of Probability of Failure on Demand (PFD
of 0.01 gives Credit Factor of 2)
Each case is treated individually without attempting to allow for the
fact that a single scenario may have more than one Initiating Event
Factors and Credits in advanced LOPA (based on PSLG final report recommendations for LOPA on fuel
storage sites)
by Richard Gowland
by Richard Gowland
INDEPENDENCE
Independent Layer of Protection (IPL)
Must be effective, testable, auditable
Tools
Paper Worksheets
Excel workbooks
Examples follow:
Scenario No.
P&ID/Equipment No.
Scenario Description:
Reasoning/Justification
Study team
Consequence
Description/Category:
Frequency/yr
Initiating Event
Frequency
ATG Fails
1.00E-05
1.00E-01
Conditional Modifiers
Fatality on site
1.00E+00
Confined or unconfined
1.00E+00
Operator on patrol
0.1 Probability of
Exposure
1.00E-01
0.07
7.00E-02
7.00E-04
PFD (read cell comments)
Probability (read cell comments)
1.00E-01
LOPA workbooks
Two orderings (A or B):
1. Scenario definition
2. Assign severity and target frequency
3. Initiating events
4. Enabling events
5. Conditional Modifiers
6. Independent Layers of protection
7. Output result
or
1. Scenario definition
2. Assign severity and target frequency
3. Initiating events
4. Enabling events
5. Independent Layers of protection
6. Conditional Modifiers
7. Output result
This is a choice where CMs may be left until last or dealt with before IPLs
Systematically identify all initiating events and related enabling events/conditions that could (if all other measures fail) lead to the harm being considered and document the scenarios for each.
For each initiating event list those risk reducing measures (prevention and mitigation protection layers, conditional modifiers etc.) that relate to that initiating event, including any existing or proposed high level Safety Instrumented Function.
See section 5
Conduct LOPA to calculate the frequency of harm for that initiating event
Compare this total with target frequency for the level of severity
Yes
No
See section 4
No
Is the risk ALARP?
Yes
Finish
Starting
Target Factor
Impact on People
On-site
Off-site
1.00E-03
A minor injury with no permanent health damage
Nuisance complaint
1.00E-04
Serious permanent injury - one or more persons
An event requiring neighbours being told to take shelter indoors.
1.00E-05
Single fatality
1.00E-06
Multiple fatalities
1.00E-07
neighbour injury
1.00E-08
neighbour fatality
1.00E-09
Catastrophic event - many fatalities.
An event leading to the need to evacuate neighbours.
Multiple fatalities to neighbours.
Risk Tolerability
10^-4/yr - 10^-5/yr: Tolerable if ALARP; Tolerable if ALARP; Tolerable if ALARP
10^-5/yr - 10^-6/yr: Broadly acceptable; Tolerable if ALARP; Tolerable if ALARP
10^-6/yr - 10^-7/yr: Broadly acceptable; Broadly acceptable; Tolerable if ALARP
10^-7/yr - 10^-8/yr: Broadly acceptable; Broadly acceptable; Broadly acceptable
Fatalities (n): 2-10, 11-50
Risk matrix for scenario-based safety assessments (Buncefield PSLG Final report)
Environmental
Category
Unacceptable if frequency above
Catastrophic
Major
Severe
Significant
Noticeable
1
Minor
Category
Definitions
Catastrophic
Major
Severe
Significant
Severe and sustained nuisance, e.g. strong offensive odours or noise disturbance
Major breach of Permitted emissions limits with possibility of prosecution
Numerous public complaints
Noticeable
Minor
Nuisance on site only (no off-site effects)
No outside complaint
1.E-01
1.E-01
1.E-01
1.E-01
1
1
1
1
Pump Failure
Pump Seal Failure
Cooling Water Failure
Loss of electrical power
General Utility Failure
1.E-01
1.E-01
1.E-01
1.E-01
1.E-01
1
1
1
1
1
1.E-02
LOPA uses orders of magnitude
You need to justify the data used
Explanatory notes in IEC 61511 should be used with care.
E.g. lower limits stated in IEC 61511-1 8.2.2 cannot be assumed. Need to justify
Human error rates need to be formulated properly
Conditional Modifiers
value is 0
Examples
Probability of Ignition
Ordinary Hydrocarbons
Low M.I.E. (< 0.3 mJ) materials
Amount of Flammable Material Released, kg
Probability of Ignition
Enabling Factor
Probability of Ignition
Enabling Factor
5 - 50
51 - 501
1.0E-02
1.0E-02
2
2
1.0E-02
1.0E-01
2
1
501 - 5000
1.0E-01
Probability of Exposure
Conditional Modifier Probability
Conditional Modifier LOPA factor
1x10^-1
1x10^-2
1x10^-1 or 1x10^-2
1 or 2
1.E-02
SIS - SIL 1
1.E-01
SIS - SIL 2
1.E-02
SIS - SIL 3
1.E-03
1.E-01
1E-1 to 1E-2
1 to 2
1.E-01
If a sensor failure is the Initiating Event, BPCS and Alarm IPL are not valid credits if they require the failed sensor to function.
If a final element failure is the Initiating Event, BPCS and Operator action on Alarm IPL are not valid credits if they require the failed final element to function (the most common could be a control valve).
If a BPCS logic solver is an Initiating Event, no credit is taken for the BPCS or Alarm IPL, unless the Alarm IPL is a completely separate system.
If an Alarm is an IPL, the operator must have time to prevent the scenario. No credit shall be taken if the operator has less than 10 minutes to respond. May be able to take credit if this is a recognized case in the Emergency Response plan.
Maximum of only one (1) BPCS and one (1) Alarm IPL credit are allowed for a case.
Sharing of BPCS and SIS elements may be allowed when there is evidence of adequate independence (see rules for sharing SIS elements by the BPCS).
Mechanical safety devices such as over-speed trips are not Instrumented IPLs. However, they may qualify as an Independent Safety Related Protection System under the Other Safety Related Protection System column.
Relief devices
Flares
Containment
Other Safety Related Protection Systems (SRPS - see later)
Technical Issues
operating parameters
BPCS and SIS may both act as IPLs
A BPCS is very unlikely to meet > SIL1 PFD or Fault requirements (May even be prevented unless certified as a SIS or proven in use)
Certification requirements are different
Documentation requirements are different
Testing requirements are different
DIN 19250
[Figure: DIN V 19250 risk graph with parameters C1 to C4, F1, F2, W1 and W3 leading to requirement classes AK1 to AK8 or "No SIS required", shown against IEC61511 SIL 1, SIL 2, SIL 3 and SIL 4]
Used by some Competent Authorities
Simple Qualitative
Does not demand much data
Disadvantages
Do not find scenarios
Imprecise
Subjective
Does not allow easy ALARP evaluation
Cumulative risk from several scenarios difficult to evaluate
Multiple initiators problems
Independence of protection is not clear
LOPA
Advantages
Opportunity to quantify
assistance in QRA
Clear indication of most cost effective way to close gaps
Easy to mandate a corporate method to gain consistency
Disadvantages
Demand for reliability data
time consuming
Does not find scenarios
Lots of arguments
Too many easy targets for experts?
Multiple initiators problems
Let's Discuss
[Figure: Control/Safety System. Sensor, BPCS, Output (CV); Sensor, Logic Solver, Output (ROSOV). Further diagram labels: Control, SIP, CV, ROSOV]
OSHA
U.K.H.S.E.
U.K. Environment Agency
Belgium (Flanders anyway)
Netherlands
France
Germany agrees it is equivalent and alternative to risk graph
Buncefield aftermath
[Figure: LOPA cycle. STEP 1: IDENTIFY SCENARIO OF INTEREST; STEP 2: CONSEQUENCES; STEP 3: IDENTIFY INITIATING EVENTS; STEP 4: IDENTIFY EXISTING IPLS; STEP 5: ADD NEW IPLS IF NEEDED; STEP 6: MAKE RISK DECISIONS; SELECT THE NEXT INITIATING EVENT]
IDENTIFY
What is a scenario?
Is it: event consequence
or: initiating cause, event consequence
or: enabling condition, initiating cause, event consequence
or: enabling condition, initiating cause, IPL1 fails, IPL2 fails, event consequence
Covered here
consequences
It sometimes brings in the initiating cause
Later sections will give more details on
cause-consequence pairs
enabling conditions (conditional modifiers)
independent protection layers
Identifying scenarios
Process knowledge
Control knowledge
Instrumentation knowledge
Other technical resources
Plant operating staff
LOPA Facilitator
Developing scenarios
Plant experiences
Existing hazard study reports
Industry experience
must know what consequence types are of interest
must have an understanding of scenario credibility and of tolerable risk
must estimate scale of consequences - qualitative or semi-quantitative. May use computer models
Identifying scenarios
Study 2:
Study 3:
Study 4:
Construction/design verification
Study 5:
review
Pre-commissioning safety
Study 6:
review
Process
development
Project
sanction
Stage 1
Stage 2
Concept
Process
design
Operation
Stage 3
Stage 4
Stage 5
Stage 6
Detailed engineering
Construction
Pre-commissioning
Post commissioning
Hazard identification
Possibilities include:
HAZOP
Checklists
What-if
FMEA
FTA
Human factor analysis
Incidents (own and industry)
Key points
ignition
Major overfill - liquid in bund, vapour cloud, ignition and tank fire
Major overfill - liquid in bund, vapour cloud, ignition and vapour cloud explosion and big fire
Possible consequences
Exposures to people
Nuisance effects
Minor Injury
Disabling injury (e.g. exposure to
Severity Estimation
2/COMAH
Simple estimation tools (e.g. EPA RMP COM, Dow Fire and Explosion Index, Dow Chemical Exposure Index)
TNO Multi Energy (Fires and explosions)
PHAST modelling (DNV)
Target Factor
Impact on People
On-site
Off-site
Nuisance complaint
1.00E-03
1.00E-04
1.00E-05
Single fatality
1.00E-06
2-5 fatalities
Neighbour injury
1.00E-07
6-20 fatalities
Neighbour fatality
1.00E-08
21-100 fatalities
1.00E-09
An event requiring neighbours being told to take shelter indoors.
An event leading to the need to evacuate neighbours.
Individual Risk
a specific individual due to a single MAH scenario (f)
Percentage of year individual is at work (t)
Number of fatal MAH events the individual is exposed to at work (n)
Aggregate likelihood of fatality for the specific individual (Individual Risk). (F)
$F = t \times \sum_{i=1}^{n} f_i$
Category
Catastrophic
Major
Severe
Significant
Noticeable
Minor
Unacceptable if frequency above
For the purposes of this guidance, the categories from Table 3 have been aligned to COMAH terminology as follows:
"Acceptable if frequency less than" equates to the "Broadly Acceptable" region
"Acceptable if Reduced as Reasonably Practical and frequency between" equates to the "Tolerable if ALARP" region
"Unacceptable if frequency above" equates to the "Intolerable" region
Definitions
Catastrophic
Major
Severe
Significant
Severe and sustained nuisance, e.g. strong offensive odours or noise disturbance
Major breach of Permitted emissions limits with possibility of prosecution
Numerous public complaints
Noticeable
Minor
1 Heading and introduction from Section 3.7 in IPPC H1: Integrated Pollution Prevention and Control (IPPC) and Environmental Assessment and Appraisal of BAT, Version 6 July 2003.
2 For discussion & review
Table 3 Risk matrix for environmental risk
BUT!
Types of event
events
Human failure-related initiating events
earthquake
floods
lightning strike
Third party activities, e.g.
domino effects from adjacent plant
crane or vehicle impact damage
contractors digging up power cables
Terrorism or sabotage
Not normally taken into LOPA
Industry sources
Safety (CCPS)
Guidelines for
Chemical Process Quantitative Risk Analysis
Process Equipment Reliability Data with Data Tables
Improving Plant Performance through Data Collection and Analysis
Layer of Protection Analysis: Simplified Risk Assessment
Industry sources
0.1 yr^-1
0.01 yr^-1
0.01 yr^-1
0.01 yr^-1
0.001 yr^-1
Human behaviour
Sources include:
CCPS Guidelines for preventing Human Error in Process Safety
Human error, J T Reason, CUP, 1990
An engineer's view of human error, T A Kletz, IChemE, Rugby 1990
D E Embrey, Quantitative and qualitative prediction of human error in safety assessments, Major Hazards Onshore & Offshore, IChemE Symp. Ser. 103, 1992
These include:
operation
Operator must
hear alarm or be alerted to the developing problem
then correctly analyse what is wrong
then decide on a correct action
then carry out the action in time
This should enable you to make a reasonable estimate of the failure rate
Pfailure
1.0
0.5
0.1
0.07
0.01
0.0003
Task | Probability of failure
Complex, non-routine | >1 in 4 (P>0.25)
Non-routine with other simultaneous tasks | 1 in 10 (P=0.1)
Routine needing care | 1 in 100 (P=0.01)
Routine, simple | 1 in 1000 (P=0.001)
Simplest possible action | 1 in 10^4 (P=0.0001)
Range (yr^-1)
Selected
1x10^-2 to 10^-4
1x10^0 to 10^-2
1x10^-1 to 10^-2
1x10^-3 to 10^-4
1x10^-2
1x10^-1
1x10^-1
1x10^-3
1x10^-2
Overall summary
Section 3
hours)
Initiating event (e.g. loss of cooling water) may only matter in a short critical stage - a few hours per week
Suppose this is twice a week for an hour a time so loss of cooling only matters for 1x2x52 hours per year
Fraction of time at risk is 1x2x52/8760 = 0.012
If frequency of cooling water loss is 1x10^-1 yr^-1 then frequency of the initiating event is 0.012 x 1x10^-1 yr^-1 or, as a round number, 1x10^-3 yr^-1
Alternatively, treat criticality as an enabling condition and bring the 0.012 factor there
Time at risk
(SRPS)
There may be others (like gas detection or diagnostic equipment for turbines and in special cases non return valves may qualify)
1 If BPCS and Alarm IPLs use the same sensor, take credit for one IPL only
2 The Alarm IPL requires an operator action to prevent the scenario.
3 If a sensor failure is the Initiating Event, BPCS and Alarm IPL are not valid credits if they require the failed sensor to function.
4 If a final element failure is the Initiating Event, BPCS and Operator action on Alarm IPL are not valid credits if they require the failed final element to function.
5 If a BPCS logic solver is an Initiating Event, no credit is taken for the BPCS or Alarm IPL, unless the Alarm IPL is a completely separate system.
6 If an Alarm is an IPL, the operator must have time to prevent the scenario. No credit should be taken if the operator has less than 10 minutes to respond.
7 Only one (1) BPCS and one (1) Alarm IPL credit are allowed for a case.
8 Sharing of BPCS and SIS elements may be allowed when there is evidence of adequate independence.
9 Mechanical safety devices such as over-speed trips are not Instrumented IPLs. However they may qualify as an Independent Safety Related Protection System as Other Safety Related Protection Systems (SRPS).
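The time-at-risk arithmetic and the BPCS/Alarm crediting rules above, worked together as an added Python example (not part of the original slides). The class names, the equipment tags (TT-1, XV-1, BPCS-A), the sample PFDs, the 1e-5 /yr target and the sign convention for the gap are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


def time_at_risk_fraction(hours_per_occurrence, occurrences_per_week):
    """Fraction of the year in which the initiating event can cause harm."""
    return hours_per_occurrence * occurrences_per_week * 52 / HOURS_PER_YEAR


def factor(value):
    """Order-of-magnitude factor of a frequency or probability (0.01 -> 2).

    Assumption: rounds to the nearest decade, as the slide does when it
    takes 0.012 x 1e-1 /yr "as a round number" to 1e-3 /yr.
    """
    if not 0 < value <= 1:
        raise ValueError("expected a value in (0, 1]")
    return round(-math.log10(value))


@dataclass
class InitiatingEvent:
    description: str
    frequency_per_year: float
    failed_role: str = ""   # "sensor", "final_element" or "bpcs_logic_solver"
    failed_tag: str = ""    # tag of the failed component (hypothetical tags)


@dataclass
class IPL:
    name: str
    kind: str               # "BPCS", "ALARM", "SIS", "RELIEF" or "SRPS"
    pfd: float
    sensor: str = ""
    final_element: str = ""
    logic_solver: str = ""
    operator_minutes: float = 0.0   # ALARM only: time available to respond


def rejection_reason(ie, ipl, credited):
    """Return why an IPL earns no credit under the listed rules, or None."""
    if ipl.kind not in ("BPCS", "ALARM"):
        return None   # the rules coded here concern BPCS and Alarm IPLs only
    if ie.failed_role == "sensor" and ipl.sensor == ie.failed_tag:
        return "requires the failed sensor"
    if ie.failed_role == "final_element" and ipl.final_element == ie.failed_tag:
        return "requires the failed final element"
    if ie.failed_role == "bpcs_logic_solver":
        if ipl.kind == "BPCS":
            return "BPCS logic solver is the initiating event"
        if ipl.logic_solver == ie.failed_tag:
            return "alarm is not a completely separate system"
    if ipl.kind == "ALARM" and ipl.operator_minutes < 10:
        return "operator has less than 10 minutes to respond"
    instrumented = [c for c in credited if c.kind in ("BPCS", "ALARM")]
    if any(c.kind == ipl.kind for c in instrumented):
        return "only one BPCS and one Alarm IPL credit per case"
    if ipl.sensor and any(c.sensor == ipl.sensor for c in instrumented):
        return "shares a sensor with an IPL already credited"
    return None


def assess(target_per_year, ie, enabling, modifiers, ipls):
    """Return (gap, credited names, {rejected name: reason}).

    gap = target factor - sum of credits; a positive gap is the number of
    orders of magnitude still to be closed (this example's sign convention).
    """
    credited, rejected = [], {}
    for ipl in ipls:
        reason = rejection_reason(ie, ipl, credited)
        if reason:
            rejected[ipl.name] = reason
        else:
            credited.append(ipl)
    total = (factor(ie.frequency_per_year) + factor(enabling)
             + sum(factor(m) for m in modifiers)
             + sum(factor(i.pfd) for i in credited))
    return factor(target_per_year) - total, [i.name for i in credited], rejected


# Constructed sample data: tags, PFDs and the 1e-5 /yr target are illustrative.
LAYERS = [
    IPL("BPCS high-temperature trip", "BPCS", 1e-1, sensor="TT-1",
        final_element="XV-1", logic_solver="BPCS-A"),
    IPL("High-temperature alarm", "ALARM", 1e-1, sensor="TT-1",
        logic_solver="BPCS-A", operator_minutes=15),
    IPL("Relief valve", "RELIEF", 1e-2),
]
COOLING_LOSS = InitiatingEvent("Loss of cooling water", 1e-1)
SENSOR_FAIL = InitiatingEvent("Temperature sensor fails", 1e-1, "sensor", "TT-1")

if __name__ == "__main__":
    exposure = time_at_risk_fraction(1, 2)   # one hour, twice a week
    for ie, enabling in ((COOLING_LOSS, exposure), (SENSOR_FAIL, 1.0)):
        gap, credited, rejected = assess(1e-5, ie, enabling, [1e-1], LAYERS)
        print(ie.description, "gap:", gap, "credited:", credited, rejected)
```

With the same three layers, the sensor-failure initiating event leaves a gap of one order of magnitude, because both instrumented layers depend on the failed sensor and only the relief valve is credited.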
Relief Devices
Un-contained relief
Dikes or bunds
Automatic Fire protection
Emergency Plans
Be wary, these may provide mitigation and not prevention and in some cases are not quantifiable. All IPLs are safeguards but not all safeguards are IPLs
Management Systems
Inspection
Buddy system to reduce frequency of initiating event or use as a Conditional Modifier (choice of where to use it)
Mechanical devices
Emergency Response
Shelter in place
Procedures
Personal Protective Equipment (e.g. Cl2 respirators)
Internal discipline
Section 4
ALARP
Uncertainties and Sensitivities
Cumulative initiators
ALARP issue
Unacceptable region
Tolerable region
Broadly acceptable region
Cost = Capital +
Consideration of other layers of protection - only to be used if gap is closed and you need to do cost benefit on further IPLs! (e.g. test for ALARP)
Description
Independent Trip of steam supply with block valve linked to independent temperature loop.
200
50
1.00E+01
50
1000
3500
9.0000000E-06
450.000000
7.78
UNCERTAINTIES
Uncertainty:
SENSITIVITIES
Sensitivity:
Case | Scenario | Initiating Event | Conditional Modifier | IPL | Action
1.0
R 101 rupture due to runaway reaction
Capacity of facility will always dictate that the hazard is present <10% of the time
Recent history of fouling on Relief Valve places a doubt on PFD
Modify entry to relief section to ensure incoming solvent cleans nozzle every batch. Add quarterly inspection.
SENSITIVITY
Case | Scenario | Initiating Event | Conditional Modifier | IPL | Action
1.0
R 101 rupture due to runaway reaction
Capacity of facility will always dictate that the hazard is present <10% of the time
Relief Valve action PFD is 1e-02 indicates that there is a heavy reliance on this IPL. Failure to function on demand has a major effect on frequency of top event
Modify entry to relief section to ensure incoming solvent cleans nozzle every batch. Add quarterly inspection.
Advice
Conservatism
Cumulative initiators
Can/should LOPA consider multiple initiators?
mimic bow tie
[Figure: bow tie. Prevention LOPs / LODs (1a 1b 1c; 1a 2a; 3a 3b 3c; 4a) between Initiating Event 1, Initiating Event 2, Initiating Event 3, Initiating Event 4 and Release; Mitigation LOPs / LODs (M1, M2) between Release and No consequence, Consequence A, Consequence B, Consequence C]
[The bow tie figure is repeated on the following slides: Case 1, Case 2, Case 3, Case 4]
should more specific and (hopefully) more accurate failure frequencies be used?
Alternative version of simple software can accommodate this
Suggestion
Section 5
The LOPA study session
Recommendations
Process control
Instrumentation
Technology or Chemistry expertise
Operations
Operator
Shift Leader
Programmer
Safety Contact
Trained LOPA facilitator
Materials/resources
Piping and Instrument Diagrams
Process Flow sheets
Process Conditions (Flow, pressure, phase, temperature etc.)
Normal operating envelope for process
Equipment data (Max. allowable working pressure, Pressure Safety Devices set pressures, temperature limitations)
Trip and alarm settings
List of loops and systems which are bypassed
Procedure 1
Systematic examination of each process unit (Column, pump, reactor, storage vessel, heat exchanger, receiver, rotating equipment, filter etc.)
For each process unit, list hazardous scenarios of interest
One member to follow proceedings with the HAZOP report (if available) - keep them honest and don't miss anything already evaluated
Procedure 2
Log equipment tag and scenario in workbook
Assign severity target to scenario - enter in workbook
Consider first initiating event which can cause the scenario (usually failure of a control system) - enter in workbook
Consider conditional modifiers (ignition, probability of exposure) - enter in workbook
Procedure 3 (IPLs)
Consider action of Basic Process Control System trip (if any) - remember the rules of independence - enter in workbook
Consider alarm and response - remember the rules on independence and operator ability to respond - enter in workbook
Consider Pressure Safety Devices (overpressure scenarios only) - enter in workbook
Consider other Safety Related Protection Systems - remember rules on qualification - enter in workbook
Procedure 4 (SISs)
If protection gap exists or there is already a SIS
Drawback:
Many loops may not influence hazardous events - you might lose your team!
Finally - caution
Be very careful that the credits taken for conditional modifiers do not change with time or plant capacity. E.g. if you assume that the operation is taking place less than 10% of the time, what happens if the plant doubles its utilisation? Is the credit still true, or is the time at risk greater?
Controversial areas
The BPCS as a Layer of protection
Need to pay attention to requirements in BS EN 61511
Controversial areas
Operator Response as a layer of protection:
Recommendations
If you choose LOPA
Final warning
Don't massage the numbers to get the answer you want.
[Figure: gasoline tank. Labels: Servo level Indicator (ATG); atmos. vents; Vented ullage; Gasoline]
Case 2 PADDING/INERTING
Storage of Xylene
[Figure: tank T-25. Labels: Nitrogen Control valve; Set +5 mbar (vac) + 20 mbar press; N2 at 10mbar; N2 at 2 bar; Vent; Pressure/Vacuum relief; Fill; LT; LSL]
Case no 3
[Figure: reactor flowsheet. Labels: f.c.; f.o.; Vent to scrubber; FT flow; Pyridine compound; NaOH; water; VV 201 Conservation vent; PSV 201; A 201 amps alarm; CV 201; R 201; weigh; TE 201a; TE 201b; P 201; To Esterification section; Condensate out; V 201; Steam in]
Case 4
What scenarios can occur?
[Figure: process flow diagram. Labels: To Mixing unit; V 301; P 301; Heat Ex product out heats feed in; Condensate; Atmospheric Blowdown stack; Product out; PAH; Dist. Column; Feed Hydrocarbon in; LAH (three); Furnace; Overflow to sewer]
Flowsheet for Case 6
[Figure: flowsheet shown three times. Labels: VE 206 (Op. press. 25 Barg, M.A.W.Press. 30 Barg); L.P.G. feed (24-25 barg); To flare; FCV 206 8 in.; VE206 Overheads to C 207; stm; LIC206; E 206; LIC206a; VE 207 (Op. press. 12 Barg, M.A.W.Press. 15 Barg); FIC 206; BV 206; E 207; LIC 207; FIC 207; To VE 208]
Case: Low level in VE 206 opens up FCV 206 and admits high pressure gas into VE 207
Is there adequate protection against loss of level in VE 206?
Possible solution?
[Figure: gasoline tank. Labels: Servo level Indicator (ATG); atmos. vents; Vented ullage; Gasoline]
Worksheet columns: No.; Hazardous phenomenon; Possible consequence (fire, explosion, toxic exposure, environmental accident); Hazard (injury, fatality, environment severity); Initiating Events: Control failures
[Figure: tank T-25. Labels: N2 at 10mbar; N2 at 2 bar; Vent; Pressure/Vacuum relief; Fill; LT; LSL]
Xylene is offloaded from road tankers into an inerted storage tank (Max All. W.P. 30 mbar hyd full). When unloading takes place the tanker pump (rated at 150 l/min at 250 kPa) is connected to the fill line and the vent line from the tank is connected to the vapour space on the road tanker. When filling is complete, the vent line and the fill line are closed off so that the tanker may be disconnected safely.
The xylene is then used in the manufacturing process. It is transferred using the pump located outside the tank bund/dike.
The nitrogen inert gas is provided from a service main via a self acting spring control valve which is set to produce a pressure of 100 mm w.g. If pressure rises above 200 mm w.g. the Pressure/Vacuum control valve relieves to atmosphere. If the pressure in the tank drops below 50 mm w.g. the Pressure/Vacuum relief valve opens to allow nitrogen from the padding supply to enter the tank.
The tank is in a diked area capable of taking 110% of the tank volume. The bund area is classed as zone 2 above grade. All below grade areas (Drains etc.) are zone 1.
Worksheet columns: Hazardous phenomenon; Possible consequence (fire, explosion, toxic exposure, environmental accident); Hazard (injury, fatality, environment severity); Initiating Events: Control failures
Case no 2
[Figure: reactor flowsheet. Labels: f.c.; f.o.; Pyridine compound; NaOH; water; Vent to scrubber; FT flow; VV 201 Conservation vent; PSV 201; A 201 amps alarm; CV 201; R201; Steam in; V201; weigh; TE 201a; TE 201b; Condensate out; P 201; To Esterification section]
f.c. = fail closed
f.o. = fail open
Each batch takes about 4 hours and normally 5 to 6 batches are done each day on about 330 days per year.
Material and reaction properties
There are no flammable or vapour toxic hazards of concern. The caustic soda solutions are very corrosive to the skin. Both Cl-Py and the sodium chloro-pyridinate salt are mildly toxic. There is a risk of thermal burns from the reaction system and also from the Cl-Py lines which are heated to 100 °C by steam tracing.
All the raw materials are thermally stable to at least 400 °C.
Kinetic studies and adiabatic calorimetry have confirmed that the normal reaction is fast at the temperatures used (>150 °C) and that no other exothermic reactions occur. Under adiabatic conditions, the maximum attainable mixture temperature is 375 °C.
If the concentration of sodium hydroxide exceeds 20% at the beginning of the reaction stage, the exotherm will be slow to start with but will run faster at higher temperatures. Thus a significant shortage or absence of the water charge risks a reaction rate which could greatly exceed normal temperature limits.
The vessel, lines etc are constructed from suitable materials and there are no corrosion problems.
Basis for safe operation
The main hazard is a runaway reaction in the vessel leading to overpressure and possible vessel rupture. This could occur by accumulation of unreacted Cl-Py in the reactor followed by uncontrolled mixing and reaction or by starting the Cl-Py addition without any water present i.e. sodium hydroxide concentration would be too high. In the latter case the initial reaction would be very slow, with little temperature rise, so the Cl-Py addition would continue at the high initial rate.
These situations are prevented by:
1 The presence of water. This acts as a heat sink and ensures the correct sodium hydroxide concentration
2 Continuous agitation with an amperage alarm on the agitator.
3 Maintaining the mixture temperature at 150 °C to 160 °C to ensure rapid reaction; this temperature is maintained by the exotherm without additional heating
4 A maximum possible addition rate for Cl-Py of 40 kg/min. Uncontrolled addition at this rate will take the temperature to about 180 °C when the pressure in the reactor will cause the relief valve to lift. The relief valve is sized for this event with relief
Worksheet columns: Hazardous phenomenon; Possible consequence (fire, explosion, toxic exposure, environmental accident); Hazard (injury, fatality, environment severity); Initiating Events: Control failures
Process Safety
A process safety incident as defined by the Center for Chemical Process Safety is an unplanned event arising from the manufacturing process that results in a product spill, fire, explosion, or injury. By managing, tracking and reporting process safety incidents, Responsible Care companies can benchmark their performance and set goals for improvement. Responsible Care companies publicly report process safety incidents on an annual basis, surpassing government requirements.
Responsible Care companies are working to make the industry even safer for our employees and communities. ACC member companies operate 1,500 facilities nationwide and reported 254 process safety incidents in 2010, down from 531 in 1995. More than half of ACC members had no process safety incidents in 2010. In addition, of the reported 254 incidences in 2010, only 4 percent of incidents warranted a Severity Level of 1, according to ACC's Severity Rating Index.
New metrics system starts here
Major strength:
Good participation
Mandatory for American Chemistry Council members
Major Weakness:
Changes:
[Table: 2010 incidents by Company Name (3M; Albemarle Corporation; Arkema Inc.). Columns: Total # Incidents; Negligible Incidents; Level 4 Incidents; Level 3 Incidents; Level 2 Incidents; Level 1 Incidents]
Now in Europe
HRA Assessment
Unfamiliarity (x17)
Time shortage (x11)
Operator inexperience (x3)
Unreliable instrumentation (x1.6)
Assessment of how important each is
Task F: Nominal Human Unreliability 0.003
Factor | Multiplier | Assessed Proportion of Affect (from 0-1)
Procedures | x2 | 0.8
Checking | x3 | 0.8
Instrumentation | x1.6 | 0.4
Impoverished info. | x3 | 0.2
Assessed Affect
A fundamental need
Texas City
Error Reduction
Cost-effective measures
Error Reduction
Inexperienced operator
Low morale
Checking
Sleep cycles
Unclear roles
Instrumentation
Procedures
Impoverished information
Summary
groups
HAZOP
Human error scenarios
HuFs Review
Safety critical tasks
Pre-screen risk ranking
PRA
Preliminary Risk Assessment
LOPA
Layers of Protection Analysis
QRA
post
PHA
leading to no flow
Human error reducing effectiveness of safeguards
e.g. not responding to an alarm
Ultimate credible consequence no safeguards
Frequency by order of magnitude calculation
What is acceptable?
RISK scale, from HIGH to LOW:
HIGH
10^-3
marginal
10^-6
broadly tolerable
LOW
Pre-screened risk is U x S
So a risk which is severe (3) and has poor safeguards gets a
score of 9 and is high priority
Challenger
• Liquid hydrogen tank explodes, ruptures liquid oxygen tank
• Resulting massive explosion destroys the shuttle
1.
2.
3.
4.
5.
6.
International
Space Station
deadline
19 Feb 04
Perform Valid/Timely Hazard/Risk Assessments
• NASA lacked consistent, structured approaches for identifying hazards and assessing risks
• Many analyses were subjective, and many action items from studies were not addressed
• In lieu of proper risk assessments, many identified concerns were simply labeled as acceptable
• Invalid computer modeling of the foam strike was conducted by green analysts
"Any more activity today on the tile damage or are people just relegated to crossing their fingers and hoping for the best?"
Email Exchange at NASA
"hazard analysis processes are applied inconsistently across systems, subsystems, assemblies, and components."
CAIB Report, Vol. 1, p. 188
An Epilog
• Shuttle Discovery was launched on 7/26/05
• NASA had formed an independent Return To Flight (RTF) panel to monitor its preparations
• 7 of the 26 RTF panel members issued a minority report prior to the launch
o Expressing concerns about NASA's efforts
o Questioning if Columbia's lessons had been learned
An Epilog
• During launch, a large piece of foam separated from the external fuel tank, but fortunately did not strike the shuttle, which landed safely 14 days later
• The shuttle fleet was once again grounded, pending resolution of the problem with the external fuel tank insulating foam
Turning Inward
- Our Industry -
Piper Alpha
• On 7/6/1988, a series of explosions and fires destroyed the Piper Alpha oil platform
• 165 platform workers and 2 emergency responders were killed
o 61 workers survived by jumping into the North Sea
Flixborough
• On 6/1/1974, a massive vapor cloud explosion (VCE) destroyed a UK chemical plant
• Consequences:
o 28 employees died and 36 were injured
o Hundreds of off-site injuries
o Approx. 1800 homes and 170 businesses damaged
6
2020-inch
bypass
125 psi
• No qualified mechanical engineer on-site
• Inadequate concern with the cause of the reactor failure
• Jumper connection considered a routine plumbing job
o No detailed design for jumper
• "Hurry up" attitude of management
o Overworked staff did not take time to properly analyze their actions
Indicators Of Organizational
Culture Weaknesses
The following slides provide examples of indicators that your organization is
NOT Maintaining a Sense of Vulnerability
NOT Preventing Normalization of Deviance
NOT Establishing An Imperative for Safety
• Staff monitoring safety related decisions are not technically qualified or sufficiently independent
• Key process safety management positions have been downgraded over time or left vacant
• Recommendations for safety improvements are resisted on the grounds of cost or schedule impact
• No system is in place to ensure an independent review of major safety-related decisions
• Audits are weak, not conducted on schedule, or are regarded as negative or punitive and, therefore, are resisted
The extent to which the workforce feels free to report safety related
incidents, near misses, and concerns without fear of retaliation;
o What is the near miss reporting system?
The Process Safety awareness, knowledge and competency of the
workforce;
o Is there a formal competency requirement for operators with a
requirement for periodic revalidation?
Relationships and trust between different constituencies, including
management and the workforce, management and contractors and
contractors and the workforce
Whether deviations from policies are tolerated
The extent to which safety related information flows freely among all levels
of the facility.
o To what extent are operations people involved in the actual formal
study of risk
Whether the workforce has a shared belief that safety comes first,
regardless of financial, scheduling or cost objectives
The extent to which the workforce is vigilant about process safety risks,
continuously tries to reduce them and seeks to learn from incidents and
near misses.
o Does the workforce understand the process risks and the role they
have in managing them or what can go wrong if they make a
mistake?
Corporate requirements for Process Safety
Process Safety Management System
Process Safety Training
Process Safety Incident or issue reporting: Generally there are legal requirements for reporting hazardous events and injuries. These do not always include releases or events where there were no reportable injuries or environmental insults.
Self Assessment and Audit process
Training which is graduated to be able to address needs at each operational level in the company. Is there a means of determining competence?
CCPS or API reporting systems designed to meet requirements of Responsible Care
Is training effective?
What have people learnt from experience?
Have skills eroded?
Have we been lucky so far? - lack of competence
Poorer examples
Better examples
inventories;
Operator technicians write operating
instructions to be validated by technical
supervision
Measurable performance standards, eg
simulations of process deviations;
Mix of simulation, tests & on the job review;
Scheduled re-assessment, eg re-assess every 3
years;
Trained assessors;
Active involvement in PHAs, Self Assessments,
Audits, HAZOPs, LOPAs
A generic Competence assessment framework for hazardous installations
A framework
Identify safety critical tasks
Define measurable performance standards
Monitor performance outcomes & modify assessment
Assessor needs
Re-assessment needs
Techniques
Task analysis,
What if & HAZOP
Review of major accident scenarios
But:
Too generic?
What about rare tasks?
Is level of assessment proportionate to risk?
Level of assessment
Factors
Task complexity
Process vulnerability to error
Degree of supervision
Degree of assessment
Highest: Licensing/certification
Moderate: Tests, qualifications & observation
Lowest: On the job observation
Ongoing re-assessment
Frequency
Safety criticality;
Rate of skill erosion;
People change;
Learning Experiences
Frequency of equipment / procedural change
Training
Trainer
As part of initial training
Duration/frequency
Operator
Process Safety Management System basics.
• The PSM
• Risk Matrix
• HAZOP
• LOPA
Worst Case Scenarios and safeguards for their process
Process Support Engineer or Process Safety Specialist
Yes plus 3 year refresh
2 hours, 3 yearly
Process Support Engineer or Process Safety Specialist
Yes plus refresh every year
1 hour, annual
Process Safety Activities
Process Safety Management System basics.
• The PSM
• PHA
• Risk Matrix
• HAZOP
• LOPA
• Fire
• Explosion
• Hazardous vapour dispersion
• Mechanical Integrity
• Process Safety Audit
Process Safety Specialist
Yes plus refresh every 3 years
1 day every 3 years
Role
Training
Trainer
As part of initial training
Duration/frequency
Operator
Process Safety Management System basics.
The PSM
Risk Matrix
HAZOP
LOPA
Worst Case Scenarios and safeguards for their process
Process Support Engineer or Process Safety Specialist
Yes plus 3 year refresh
2 hours, 3 yearly
Process Support Engineer or Process Safety Specialist
Process Support Engineer or Process Safety Specialist
Yes plus refresh every year
1 hour, annual
Yes plus refresh every year
1 hour, annual
Most Credible Case scenarios and safeguards for their process
Production support Engineer
Process Support Engineer
Yes plus refresh every year
1 hour annual
Process Safety Management System basics.
Process Safety Specialist
Yes plus refresh
1 day every 3 years
Process Safety Activities
Member of HAZOP study teams
Job Safety Analysis writing
Reporting incidents, unsafe conditions, deviations and near misses as KPIs
Member of Root Cause Investigations
First level estimate of
every 3 years
The PSM
PHA
Risk Matrix
HAZOP
LOPA
Fire
Explosion
Hazardous vapour dispersion
Mechanical Integrity
Process Safety Audit
Fire, Explosion and Toxic vapour dispersion for consequence ranking
Lead HAZOP studies
Lead LOPA studies (verification by PSM specialist)
Above on PSM system requirement frequency (3-5 years)
Lead self Assessment of PSM at plant
Process Safety
Worst Case Scenarios and safeguards for their process
Technology Specialist
Most Credible Case scenarios and safeguards for their process
Technology Specialist
Process Safety Specialist
Electrical Area Classification
Process Safety Specialist
Process Safety Management
Process Safety
Yes plus refresh every 3 years
Yes plus refresh every 3 years
Yes plus refresh every 3 years
Yes plus refresh every 3 years
Yes plus
1 hour
1 hour
1 hour
Coach users in the system
2 hours
Carry out hazardous area classifications
Professional
Validate those
Specialist
System elements and tools.
The PSM
PHA
Risk Matrix
HAZOP
LOPA
Fire
Explosion
Hazardous vapour dispersion (e.g. DNV PHAST)
Hazardous Area Classification
Mechanical Integrity
Process Safety (PSM) audits
Leader for company plus internal and external Subject Matter Experts.
refresh as a professional development plan
development plan
items carried out by Production support Engineers.
(Fire, Explosion, Vapour dispersion)
Facilitate HAZOPs and LOPAs
Lead or carry out more sophisticated activity (vapour dispersion, frequency assignment, risk quantification)
Technical detail of PSM audit
Lead selected PSM audits
Project Engineer
Production Manager
Educational Qualification
Bachelor degree in one of the
following:
Chemical Engineering
Mechanical Engineering
Control Engineering
Electronic or Electrical
Engineering
Chemistry
Technical Expertise:
Legal framework for Operation (Major
Hazard Legislation)
System elements and tools.
The PSM
PHA
Risk Matrix
HAZOP
LOPA
Fire
Explosion
Hazardous vapour dispersion (e.g. DNV PHAST)
Hazardous Area Classification
Mechanical Integrity
Process Safety (PSM) audits
Why do we audit?
Questions
The effectiveness of follow up and
resolution/correction of faults found
What is an audit?
principles
Visual principle
External Review
3 year Cycle for normal Operations. May vary by risk or performance
Rolling programme to achieve annual Self Assessment
Audit to validate Self Assessment
Deep drill key items.
By Audit Team independent of the facility
By trained Operations Self Assessors in facility
By Operations
Needs to be stated:
Occupational Safety
Environmental
Occupational Health/Industrial Hygiene
Process Safety
Security
..
May be combined within a single EH&S Audit (Common with
organisations which have sufficient resources to handle a big
audit programme e.g. all done in one week)
May be separated (common where a smaller organisation may
need to break the programme into manageable sections)
Specialist Auditors:
Document review
Verification of any self assessments done
deep drill subjects of
High Hazard
Impression gained from facility inspection
Recent incidents
Company initiatives
Agree true status of detail findings with the facility specialist
Interview the operators and maintenance team! (verification of what really
happens)
No surprises later
Outline Action Plan
what is to be done from audit findings
Schedule proposed by facility leadership
Follow up and progress method
Auditor skills
This is available
Sometimes internally
Sometimes from specialist companies, e.g. A.D. Little, ABB
IAEA-TECDOC-743
ASCOT Guidelines
Guidelines for organizational self-assessment of safety culture
and for reviews by the
Assessment of Safety Culture in Organizations Team
ASCOT GUIDELINES
IAEA, VIENNA, 1994
IAEA-TECDOC-743
ISSN 1011-4289
Printed by the IAEA in Austria
May 1994
FOREWORD
In 1991 a Safety Series report on Safety Culture of the International Nuclear Safety
Advisory Group (INSAG) was published as 75-INSAG-4. This document represents probably
the most complete description so far of the safety culture concept along with its definition,
features and tangible manifestations.
Very soon after the publication of 75-INSAG-4, interest was expressed as to whether
it was possible to make an assessment of safety culture in a particular organization.
Difficulties of performing such review should not be underestimated, since so much of the
required characteristics lie below the surface. Certainly any comprehensive checks on
equipment, documentation and procedures would not necessarily reveal the strength of safety
culture.
EDITORIAL NOTE
In preparing this document for press, staff of the IAEA have made up the pages from the
original manuscript(s). The views expressed do not necessarily reflect those of the governments of the
nominating Member States or of the nominating organizations.
The use of particular designations of countries or territories does not imply any judgement by
the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and
institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as registered)
does not imply any intention to infringe proprietary rights, nor should it be construed as an
endorsement or recommendation on the part of the IAEA.
CONTENTS
1. INTRODUCTION
1.1. Background
1.2. Options for an ASCOT review
1.3. Objectives of ASCOT reviews
1.4. Assessment method
1.5. Review schedule
1.6. Structure and application of ASCOT Guidelines
2.1. Concepts
2.2. Assessment
3. ASCOT GUIDELINES: SAFETY CULTURE INDICATORS AND QUESTIONS
1. INTRODUCTION
1.1. BACKGROUND
The International Nuclear Safety Advisory Group (INSAG), in its publication Safety
Series No. 75-INSAG-4, defines safety culture as follows:
INSAG took the view that although such matters as style and attitude are generally
intangible, they do lead to tangible manifestations which might be used to test what is
underlying.
INSAG also took the view that sound procedures and good practices are not fully
adequate if merely practised mechanically. This led to the proposition: safety culture requires
all duties important to safety to be carried out correctly, with alertness, due thought and full
knowledge, sound judgement and a proper sense of accountability.
In order to properly assess safety culture, it is necessary to consider the contributions
of all organizations that influence it. Therefore, in assessing safety culture in different types
of organizations, governmental, operating and supporting, it is necessary to consider at least
the local regulatory agency, the utility's corporate headquarters and the nuclear facility itself.
The ASCOT review is based on tours of facilities and discussions with the hosts'
personnel, at least at the regulatory agency, utility headquarters and at the plant. Most of the
time, however, should be spent at the plant.
These guidelines are based strictly on the Appendix of Safety Series No. 75-INSAG-4.
All the questions proposed in this appendix are addressed and they appear in the guidelines
as Basic INSAG Questions. As mentioned in the reference INSAG document they can be
expanded and it has been done in this document through the Guide Questions. Key Indicators
that follow are intended to illustrate what is considered a sound safety culture.
In short it can be stated that the ASCOT Guidelines are intended to test the safety
culture in an organization merely against the principles laid down in 75-INSAG-4 and in
particular against indicators laid down in its appendix.
In a very few instances, the Basic INSAG Questions have been slightly modified, when
they were seen as promotion of the IAEA services. In all those cases changes have been
clearly marked by insertion into parentheses.
1.2. OPTIONS FOR AN ASCOT REVIEW
The form the ASCOT review can take depends very much on the desire of a host
country. Basically there are three options or forms of an ASCOT review:
(1)
(2) The ASCOT review can be combined with other IAEA services such as ASSETs
(Assessment of Safety Significant Events Teams) or SRMs (Safety Review Missions).
In this case an ASCOT representative would join the team. This expert would be
dedicated to drawing conclusions on safety culture aspects from his/her own review
plus from the findings of other team members who would, while performing their usual
parts of the review give additional attention to safety culture aspects.
(3) In the case where the host country would like to become familiar with the ASCOT
approach and its basic principles in order to conduct a self-evaluation of its
organizations, the transfer of methodology can be accomplished through the ASCOT
Advisory Service. It is envisaged that this service would involve two ASCOT experts
for two days, who would present the ASCOT approach in a workshop through a series
of lectures, discussions and exercises. These presentations could be accompanied by
special lectures by another in-house (IAEA) or outside consultant on specially selected
topics, which the host country would preselect.
The assessment method is based on consideration that safety culture is the assembly of
commendable attributes of any organization or individual contribution to nuclear plant safety.
The effectiveness can therefore best be assessed by addressing different groups of
organizations, governmental, operating and supporting.
The assessment of safety culture in a host country would normally begin with
discussions at the government/regulatory office. During these discussions, the
government/regulatory commitment to safety and their safety policy should be addressed. The
discussions at the government/regulatory offices will in general terms follow the questions
and items outlined in Section 3.1 of these guidelines.
After visiting the regulators, a visit to the corporate headquarters should be arranged,
where the corporate commitment to safety, its statement of safety policy and its interaction
with the plant are assessed. At the corporate level the discussion would be guided by the
questions outlined in Section 3.2.1.
The majority of the time is spent at the plant. The assessment begins with an initial
overview. Certain manifestations of safety culture are readily apparent on a walk-through of
the plant and an overview of the documentation. Plants which do not appear well kept are
likely to have areas where safety culture can be significantly improved. On the other hand,
a good overall impression from an initial walk-through may be a positive indication of
effective safety culture.
With these factors in mind, a practical assessment of safety culture should include an
initial walk-through and overview of documentation. The following list could be a starting
point:
Plant tour
Access control: efficiency, effectiveness,
General state of plant: leaks, lighting, labelling, etc.,
Housekeeping: rubbish, storage areas, cleanness,
Use of protective equipment: wearing of hard hats, ear protection and film badges, use
of warning notices, etc.,
Alert and watchful attitude of control room staff,
Availability of procedures and manuals: in control room and in plant.
Documentation overview
Log-books and associated documentation,
Records of operation and maintenance,
Number of plant defects and documentation amendments outstanding,
Existence of training programme for key safety related activities,
Availability of safety policies (company or corporate),
Consistency of safety policy with safety culture concept,
Plant policy on procedures and adherence to procedures,
Documents identifying key safety responsibilities,
Organizational charts,
Existence of corporate safety review committee including its agendas, its expertise and
the involvement of plant management.
Following the initial overview, the main conclusions on safety culture would be
established through discussions and interviews with personnel following the indicators and
questions underlined in the third part of this report.
The questions posed are deliberately open to invite discussion and explanation. The
actual question asked may need to be tailored to the job of the person being interviewed so
that it can be related to that person's practical experience. In each case notes are provided
to guide the reviewer so that supplementary questions can be asked if necessary. The key
indicators to safety culture are listed so that responses can be judged as indicative of safety
culture effectiveness. The guidelines avoid any type of scoring or numerical rating since the
objective is highlighting areas for improvement rather than comparing one plant with another.
The assessment team would concentrate their discussion and evaluation on individual
and collective attitudes and knowledge rather than the technical content of procedures and
systems.
In conducting interviews, the assessment team should keep in mind that the plant safety
culture should span conventional, radiological and reactor safety aspects. The respondents
might not always have these distinctions in mind; therefore the assessment team must use the
appropriate terminology to ensure that the respondent's answers cover all aspects of plant
safety.
Assessment report
At the end of an assessment the review team should prepare a concise report. The
contents of an ASCOT review report are outlined in Appendix I. The report will highlight
any areas in which safety culture could be strengthened. Where possible the report should
give specific suggestions that would guide the plant management in effecting such
improvements. The report should avoid any suggestion of grading, rating or comparison with
other plants since this is not seen as a constructive way of striving for improvement. On the
other hand the report should point out good practices which could be adopted by others to
achieve effective safety culture.
The ASCOT review should present and hand over to the host the draft report of the
assessment findings. The report will be treated as confidential until commented on by the
hosts, finalized by the ASCOT team and released by the host country.
The schedule of the ASCOT review will be determined based on the option the member
country selects for the safety culture assessment.
1/2-1 day:
1/2-1 day:
2-2 1/2 days:
1/2 day:
1/2 day:
The majority of activities and discussions will be conducted by the team as a whole.
To cover as many aspects as possible the specific items can be addressed by team members
individually. It is expected that following individual discussions the team members will
regularly exchange their findings and conclusions.
Option 2: ASCOT review combined with other IAEA reviews
In case where the safety culture review is combined with another IAEA review, the
duration is adjusted to the duration of that review (normally 2 or 3 weeks). The conduct of
the safety culture review would in that case be led by the ASCOT representative, who would
co-ordinate constant interactions with other team members. As information on safety culture
could be obtained directly or indirectly from each area of the other review, reviewers will
receive a briefing and training specific to the needs of safety culture assessment.
The specific areas of review in organizations which are not initially included in the
scope of the review activities will be covered by the ASCOT representative. In this context,
the ASCOT representative would in addition to the exchange of information with other
reviewers independently concentrate on interviews with, for example, corporate personnel,
and government or regulatory organizations.
Option 3: ASCOT Advisory Service
(a)
(b)
Basic Safety Principles, International Nuclear Event Scale, ASSET Highlights, The
Safety of WWER and RBMK NPPs, Use of PSA for Safety Enhancement, etc.
Further details of these topics and their presentation are provided in the Appendix II.
Once at the plant and following a site visit and documentation overview, team members
will schedule their time and commence structured discussions with nominated staff and
managers. The ASCOT Guidelines set out sample questions and suggested lines of enquiry
which are intended to lead the team members or other reviewers along the path to
determining attitudes and perceptions which influence safety culture.
Each section of questions in the guidelines is labelled with prefixes as per the following
table denoting the levels and organizations to be covered by specific areas of questioning:
I
M
C
R
S
These are recommended areas of enquiry and may be permutated to suit the individual
ASCOT review.
ASCOT members must collect responses from each level and gather corroborative or
alternative information to construct an accurate impression of the situation. Questions are to
be developed ad hoc by the team to ensure that facts and statements are valid. During this
process appropriate notes must be taken. At regular intervals the team members will compare
notes and will then develop a strategy for covering outstanding areas of the assessment. The
team would further hold regular meetings with the hosts throughout the review to apprise
them of any salient points prior to the final draft report being presented.
Each section of the ASCOT specific guidelines contains a key indicators listing. These
are for the guidance of team members or other examiners in highlighting key areas of safety
culture assessment. The list is not exhaustive and has essentially been restricted to key words
or phrases indicative of effective safety culture. Successive reviews may add to these key
indicators with the aim of developing a more comprehensive set of references which will
assist in the strengthening of safety culture. Team members should avoid pursuing a narrow
line of questioning and must encourage free discussion and voluntary statements from those
being interviewed.
process is very specific to each organization and should relate the different influences in a
similar way as described previously.
The biggest problem for anyone undertaking a review of safety culture is how to
identify, within a short period, the tangible evidence of an essentially intangible concept. It
can be done but needs careful scrutiny that goes beyond the mere checking of documentation
and review of management systems. It requires collection of information which can then be
related to the characteristics of safety culture listed in 75-INSAG-4. This relationship is not
easy to identify and often is not unique. For example an attribute or concept usually affects
several facts and it is difficult to establish the degree of influence that different concepts have
on a measurable fact.
Take for example the question of audits. This activity spans many of the layers
previously mentioned. Most plants have a technical audit programme. Usually, the
requirement for audits comes from corporate or even regulatory level. Audits are very often
concerned with checking safety related practices. At the purely documentary level, it is quite
straightforward to look at the audit programme, reports from audits done and clearance of
any corrective actions that have resulted. However, in terms of safety culture there are many
other aspects which can be assessed:
(1)
(2)
Another important safety culture indicator is the willingness to strive for improvements.
No plant management should consider that there is no scope for improvement when it comes
to safety; this would be complacency. The tendency to question current systems and seek
improvement, along with management support and commitment for the process, is an
indication of safety culture. The following is a list of possible areas which could be checked
for improvement programmes (the list is not exhaustive):
(1) Training: Increasing the time allocated, number of people being trained. Improving the
quality of training or improving systems of qualification that are aimed at checking that
competence is the result of the training given.
(2) Technical improvements: These could be improving the quality of procedures or
introducing new safety assessment methodologies.
(3) Trying to anticipate problems: It is widely accepted that for every serious safety
incident there are a large number of 'near misses'. Programmes aimed at reporting and
learning from 'near misses' are good safety practice.
(4) Plant and operational improvements: These can be very wide, ranging from actual plant
modifications (which should be strictly regulated) to improvements in the working
environment.
(5) Development of indicators: It is often said that what cannot be measured, cannot be
managed. Many plants use a variety of indicators, some safety related. None of these
are perfect, but they can be used to indicate the trend in safety performance.
The question of audits and improvement programmes discussed above are examples to
show how ASCOT methodology can get real indications of safety culture that would not be
identified by checking on the existence of and adherence to procedures. These concepts and
methods should be borne in mind when posing the questions contained in the next section.
3. ASCOT GUIDELINES:
SAFETY CULTURE INDICATORS AND QUESTIONS
These guidelines are based on the Appendix of Safety Series No.75-INSAG-4. All the
questions proposed in this appendix are addressed but as mentioned in the reference
document they can be expanded. It could be difficult to use all these in the available time.
Selection of particularly significant items should be done through ASCOT team discussion.
3.1.
Within the safety culture framework the influence of government and its legislation
forms a critical basis from which regulatory policy, funding and public notification are
determined. The following questions and key indicators provide a framework wherein an
understanding of the prevailing situation may be formed. Other areas of enquiry may present
themselves during the discussion with governmental representatives and these should be
pursued if they affect plant operation. Opportunity to corroborate or clarify information
gained elsewhere must be taken; however, the primary objective of highlighting good
practices and promoting plant safety must not be forgotten. It will be advantageous to request
and study the relevant legislation prior to the ASCOT review.
Q1 (CMR)
Basic INSAG Questions: Is the body of legislation satisfactory? Are there any undue impediments
to the necessary amendment of regulations? Do legislation and
government policy statements emphasize safety as a prerequisite for the
use of nuclear power? Are there any instances of undue interference in
technical matters with safety relevance?
Guide Questions:
- What is the mechanism and how long does it take to make changes to
your nuclear legislation?
- What is the scope of the government regarding the control and
administration of nuclear power? Is the authority and responsibility of
the regulatory agency clear and understood by all parties? Are
communication lines between government, regulatory agency and
utilities well defined?
- What are the experience and qualifications of the regulatory agency
management? What are the selection criteria? Are periodic audits
considered?
- What role of the regulatory agency in the construction and operation
of nuclear plants is defined in the legislation?
- What is the regulatory agency's responsibility for assessing design
safety standards and proposed designs as part of licensing procedure?
- What is the process for granting a licence to build and operate an
NPP in your country?
- How is the assessment of the safety level of nuclear plants carried
out?
- What design and operational safety documentation is required by the
regulatory agency for its assessment as part of the licensing process?
Q2 (CMR)
Basic INSAG Qs: Have budgets for regulatory agencies kept pace with inflation, with the
growth of the industry and with other increased demands? Is funding
sufficient to allow the hiring of staff of adequate competence? Does the
government provide adequate funding for necessary safety research? Are
the research results made available to other countries?
Guide Questions:
Key Indicators:
Q3 (R)
Basic INSAG Qs: How free is the exchange of safety information with other countries?
Does the country support relevant international activities [such as] the
Key Indicators:
responses which will assist the team in determining the effect of the regulator on the plants'
safety performance. Care must be taken not to evaluate or compare the regulatory style with
that in other countries. The safety culture should be well developed in the regulatory
organization and its staff and should be set out in its own policy statements. A strong
commitment to implement legislation and to act to promote plant safety and the protection
of individuals, the public and the environment are the essential attributes of a positive
regulatory safety culture. The influence of the regulator at corporate and plant levels of the
utility is to be determined within the constraints of questioning, discussion and overview of
documentation and not simply on intuitive feelings. Where the regulatory body is
being assessed separately from the plant, emphasis should be placed on the national and
social constraints governing the regulatory authority. Elements of the plant questions may
also be adapted to the regulatory body as a stand-alone review, the objective still being the
same, to assess the safety culture.
Q1 (RCM)
Basic INSAG Qs: Are regulatory safety objectives annunciated clearly, meaningfully and
so that they are neither too general nor too prescriptive? Do they permit
a proper balance between innovation and reliance on proven techniques?
Guide Questions:
Key Indicators:
Q2 (RCM)
Basic INSAG Qs: Are comments on regulatory requirements sought from competent
bodies? Have such comments been taken into account frequently enough
to encourage future comments?
Guide Questions:
Key Indicators:
Q3 (R)
Basic INSAG Q: Is there a predictable and logical process for dealing with issues that
require a consideration of both safety and economic factors?
Guide Questions:
Key Indicators:
Q4 (RCM)
Basic INSAG Q:
Guide Questions:
- How many delays have been incurred at the plant due to regulatory
constraints?
- What avenues of appeal does the utility have in the event of delays by
the regulator?
Key Indicators:
Q5 (R)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Q6 (R)
Basic INSAG Q:
Guide Question:
Key Indicators:
Q7 (R)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Q8 (RCM)
Basic INSAG Qs: Are reports on important safety problems published routinely by the
regulatory agency? Does the regulatory agency periodically publish a
summary review of the safety performance of plants?
Guide Questions:
- How do you ensure that important safety issues are made available to
other plants, countries and the public?
- What is the regulatory policy on the publishing of plant safety
performance data?
- What are the arrangements for timely notification and dissemination
of information in case of incidents and accidents?
Key Indicators:
Q9 (RCMI)
Basic INSAG Qs: What is the nature of the relationship with licensees? Is there an
appropriate balance between formality and a direct professional
relationship?
Guide Questions:
- What would you consider to be the status of the regulator in the eyes
of the utility?
- What level of co-operation exists between the regulator and the plant?
- How could the regulatory body improve its image at the plant?
Key Indicators:
Q10 (RCMI)
Basic INSAG Qs: Is there mutual respect between the regulatory staff and the operating
organization based on a common level of competence? What proportion
of regulatory technical experts have practical operating or design
experience?
Guide Questions:
Key Indicators:
Q11 (RCM)
Basic INSAG Q:
Guide Questions:
- How often do the regulator and utility meet to discuss requests for
changes in regulatory requirements?
- At which stage do the regulator and utility meet to discuss requests
for changes in regulatory requirements? To what extent are
Emergency Planning and Accident Management issues adequately
considered as part of the Nuclear Safety Programme?
Key Indicators:
Q12 (RCM)
Basic INSAG Q: To what extent does the regulatory agency rely on the internal safety
processes of the operating organization?
Guide Questions:
Key Indicators:
Q13 (RMI)
Basic INSAG Q: What are the nature and extent of the regulator's presence at the plant?
Guide Questions:
Key Indicators:
necessary the demands of production or project schedules. Essential areas of enquiry are
indicated by the questions and key indicators which stress the importance of unequivocal
support for safety over all other considerations and the understanding of policy statements
by all levels of staff. Questions should be posed to discover the importance attached to the
corporate safety policy, how it is documented, disseminated, authorized, reviewed and
implemented. Key indicators are an unambiguous statement of safety above all else endorsed
by the highest corporate level and translated into 'ownership' by the corporate management.
It is very important to discern whether the corporate safety policy is understood and
supported at all levels of the national nuclear industry.
Q1 (CMI)
Basic INSAG Qs: Has a safety policy statement been issued? Is it clear? Does the policy
express the overriding demand for nuclear safety? Is it brought to staff
attention from time to time? Is it consistent with the concept of safety
culture presented in the 75-INSAG-4 report?
Guide Question:
Key Indicators:
Q2 (CMI)
Basic INSAG Q: Are managers and workers familiar with the safety policy and can staff
cite examples that illustrate its meaning?
Guide Questions:
- Have you ever quoted from the safety policy to highlight safety in a
meeting or discussion?
- What can you not do in terms of the safety policy statement?
- Who signs and takes responsibility for the policy statement on nuclear
safety at corporate level?
- Do you have a copy of the safety policy?
- Have you ever discussed this document with your staff/peers?
- What do you consider the advantages and disadvantages of the safety
policy?
- Does it need changing?
Key Indicators:
Q1 (CMI)
Basic INSAG Qs: Does the corporate board have expertise in nuclear plant safety?
Do formal meetings at this level include agenda items on safety?
Do operating staff attend to discuss the safety performance of plants?
Guide Questions:
Key Indicators:
Q2 (CM)
Basic INSAG Q:
Guide Question:
Key Indicators:
Q3 (CM)
Basic INSAG Qs: Is there a senior manager with nuclear safety as a prime responsibility?
How is he supported and assisted in his duties? What is his standing
compared with that of the heads of other functions?
Do senior managers visit the plant regularly? Do they give attention to
safety matters?
Guide Questions:
Key Indicators:
Q4 (CM)
Basic INSAG Qs: Are the resource requirements for the safety function reviewed
periodically at corporate level? With what results?
Guide Questions:
Key Indicators:
Team members must always look out for good practices and give examples of
improvements of safety culture. The accent should always be on positive aspects of
performance and the promotion of enhanced safety culture within the organization and
nuclear industry. However, where negative aspects exist these need to be brought out for
assessment.
Basic INSAG Qs: Does the plant manager hold periodic meetings with his senior staff that
are devoted solely to safety? Are there opportunities for non-management
staff to participate in meetings devoted to safety? Do these
meetings cover safety significant items at that plant? At other plants in
the company? At other plants in the country? At other plants in the
world?
Guide Questions:
Key Indicators:
Q2 (CM)
Basic INSAG Q:
Guide Question:
Key Indicators:
Q3 (MI)
Basic INSAG Qs: Is there a process by which more junior staff can report safety related
concerns directly to the plant manager? Is the process well known? Is
Key Indicators:
Q4 (CMI)
Basic INSAG Qs: Do systems of reward include factors relating to safety performances?
Are staff aware of the system of rewards and sanctions relating to
safety?
Guide Questions:
Key Indicators:
related observations.
- A visible tendency for those who actively promote safety issues to be
more likely to be promoted.
3.2.2.2. Definition of responsibilities
Q1 (RCMI)
Basic INSAG Qs: Has the assignment of safety responsibilities been clearly annunciated?
Has the responsibility of the plant manager for nuclear safety been
clearly stated and accepted?
Guide Question:
Q2 (MI)
Basic INSAG Qs: Are the documents that identify safety responsibilities kept up to date
and reviewed periodically? With what result?
(To be partly covered in the review of documentation)
Guide Questions:
Key Indicators:
Q1 (CMI)
Basic INSAG Qs:
Guide Questions:
Key Indicators:
Q2 (CMI)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Q3 (CMI)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Guide Question:
What is the nature of the relationship between the plant management and
the regulatory agency?
Note: An open and constructive relationship with the regulator is in the
interests of safety. Staff may require guidance on how they should
respond to requests from regulatory inspectors for access and
Guide Questions:
- What is the role of the regulator in the everyday running of the plant?
- Do you consider the regulator to be effective in monitoring activities?
- How often do you see the regulatory inspector? Do you discuss your
work?
Note: The regulator is expected to strike a balance between formality
and a direct professional relationship. Mutual respect between the
regulatory staff and the operating organization should be based on a
common level of competence. Regular joint discussions of the licensee's
problems and experience and the impact of the regulatory requirements
must take place. Individuals in the operating organization should be
aware of the mechanisms by which the regulator assures himself or
herself of the safety issues. Site inspectors should be technically credible
to the operator with a high degree of personal integrity. Regulatory
requirements should be clearly understood by all staff members at the
site and the safety objectives accepted at all levels.
Key Indicators:
Guide Questions:
Key Indicators:
Q2 (CM)
Basic INSAG Qs: Are the results of safety reviews acted on in a timely way? Is there
feedback to managers on the implementation of lessons learned? Can
managers identify changes that resulted from reviews?
Guide Questions:
- What is the average time it takes for safety items raised at review
meetings to be resolved?
- What benefits have been derived directly from safety review lessons
learned?
Key Indicators:
Q3 (CM)
Basic INSAG Qs: Are managers aware of how the safety of their plant compares with that
of others in the same company? In the country? In the world?
Guide Questions:
Key Indicators:
Q4 (CMI)
Basic INSAG Q:
Key Indicators:
Q5 (RCMI)
Basic INSAG Qs: Is there a system of safety performance indicators with a programme for
the improvement of performance? Are the safety performance indicators
understood by staff?
Guide Question:
What do you know of any systems at the plant for measuring safety?
Note: The question is about the use and comprehension of safety
indicators as a means of judging the effectiveness of any improvement
initiative.
Key Indicators:
plant availability;
radiation exposure;
lost time accident rate;
number of unplanned trips;
pending work orders.
Another key indicator of safety culture is the ability to quote some
specific initiative at the plant aimed at improving safety, perhaps
using an indicator as an example of success.
Q6 (CM)
Basic INSAG Q:
Guide Question:
How does the management monitor and review the nuclear safety and
performance of the plant?
Note: There should be a range of monitoring measures and practices
which go beyond the traditional perception of Quality Assurance. For
anything to be effectively managed, it needs to be measured. Therefore
the establishment of safety indicators is expected. There should also be
a recognition that management needs to be seen by the staff to be giving
a high priority to safety matters. This might mean the establishment of
special reviews and meetings.
Key Indicators:
Q7 (RMI)
Basic INSAG Qs: What arrangements exist for reporting safety related events at the plant?
Is there a formal means for evaluating such events and learning the
lessons? Is there a formal mechanism by which staff who were included
in a significant event are consulted on the final contents of a report?
Guide Questions:
Key Indicators:
Q8 (MI)
Basic INSAG Qs: Is there a full time safety review group which reports directly to the
plant manager? Does the organization have effective safety information
links with operators of similar plants? Does the organization contribute
effectively to an international safety reporting system?
Guide Questions:
Key Indicators:
Q9 (RCMI)
Basic INSAG Q:
Guide Questions:
Key Indicators:
3.2.2.6. Training
Basic INSAG Qs: Does all critical training and retraining culminate in formal assessment
and approval for duties? What is the success/failure record? What is the
proportion of operating staff's time devoted to training and how does
this compare with the practice of other nuclear plant operators?
Guide Questions:
- What kinds of job related training have you received since coming to
work at the plant?
- What specific training have you received in the areas of:
personnel/industrial safety practices;
radiological protection;
Guide Questions:
Key Indicators:
Q2 (CMI)
Basic INSAG Qs: What resources are allocated to training? How does this compare with
the allocations of other nuclear plant operators?
Guide Questions:
Key Indicators:
Q3 (CM)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Q4 (RMI)
Basic INSAG Qs: Is there a periodic review of the applicability, correctness and results of
training courses? Does this review take into account operating
experience feedback? Can training staff cite examples of operating errors
that have resulted in modifications to a training programme?
Guide Questions:
Key Indicators:
Guide Questions:
Key Indicators:
- Attitude of doing more than what is required, i.e. not just attending
because it is mandatory.
- Preparation - operational feedback - input.
- Influencing of content by staff.
- Training proposals included from staff performance appraisals.
Q5 (MI)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Q6 (MI)
Basic INSAG Qs: Do staff understand the significance of the operating limits of the plant
in their areas of responsibility? Are the staff educated in the safety
consequences of the malfunction of plant items?
Guide Questions:
Key Indicators:
Q7 (MI)
Basic INSAG Qs: Are staff trained in the special importance of following procedures? Are
they regularly reminded? Are they trained in the safety basis of the
procedures?
Guide Questions:
Key Indicators:
Q8 (RMI)
Basic INSAG Qs: For control room operators, do retraining sessions on simulators take
into account the difficulties that staff have experienced and the questions
that they have raised? Are training simulator modifications made as soon
as the plant is modified?
Guide Questions:
Guide Questions:
Key Indicators:
Q9 (MI)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Q10 (MI)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Basic INSAG Q: Has the plant manager instituted any safety related initiatives that go
beyond requirements set at the corporate level?
Guide Questions:
Key Indicators:
Q2 (RMI)
Basic INSAG Qs: Are records on the performance or maintenance of components and
systems easily retrievable? Complete? Understandable? Accurate? Up to
date? (to be partially covered by documentation review)
Guide Question:
Key Indicator:
Q3
Basic INSAG Q: What is the general state of the plant in terms of general appearance and
tidiness, steam and oil leaks, the tidiness of log-books and records? (to
be covered by a plant tour)
Q4 (CMI)
Basic INSAG Q: What are the arrangements for supervising, reviewing and signing off
maintenance work carried out by supporting organizations?
Guide Questions:
Key Indicators:
Basic INSAG Qs: What is the working style of the senior supervisors on shift? Do they
seek information? Are they well informed? Do they visit routinely the
areas where safety related work is being done? Are they interested in the
problems or solely the schedules? What fraction of the time of the senior
person on shift is spent on administrative duties?
Guide Questions:
Key Indicators:
Guide Questions:
Key Indicators:
3.2.2.9. Work-load
Q1 (RCMI)
Basic INSAG Qs: Is there a clear policy on limits to overtime worked? To which staff does
it apply? How is overtime controlled, monitored and reported to the
plant manager and higher management?
Guide Questions:
- How do you get assurance that staff are fit for duty at the start of a
shift/day?
- Where are the limits for overtime stated?
Note: It is important that staff are not permitted to take up duties if they
are unfit to do so through tiredness, illness, drugs, alcohol, etc. In
addition to management controls, staff should be encouraged to develop
and follow codes of practice covering the above.
Key Indicators:
Q1 (CMI)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Q2 (RMI)
Basic INSAG Q: Are the schedules and content of work for annual shutdowns examined
by an internal safety review process?
Guide Question:
Key Indicators:
Q3 (MI)
Basic INSAG Q:
Guide Question:
Key Indicators:
Q4 (MI)
Basic INSAG Q:
Guide Questions:
- In periods of heavy work-load and high pressure, what would you and
your manager discuss regarding action plans and safety measures?
Q5 (CMI)
Basic INSAG Qs: Do managers explain their commitment to safety culture to their staff?
Do they regularly disseminate relevant information such as objectives,
expenditure, accomplishments and shortcomings? What practical steps
are taken to assist management commitment, such as establishing
professional codes of conduct? How often have directions from
management been aimed at the improvement of safety?
Guide Question:
Key Indicators:
Q6 (MI)
Basic INSAG Qs: Do managers disseminate to their staff the lessons learned from
experience at their own and similar plants? Is this a training topic?
Guide Question:
- How are the lessons learned from incidents on site and from other
plants disseminated?
Note: The question is posed to reveal the incident reporting and
operational feedback systems. The aim is to reveal the extent and
effectiveness of any systems which exist.
Key Indicators:
Q7 (CMI)
Basic INSAG Qs: Is there a system for bringing safety related concerns or potential
improvements to the attention of higher management? Is its use
encouraged by managers? Do managers respond satisfactorily? Are
individuals who transmit such concerns rewarded and given public
recognition?
Guide Questions:
Key Indicators:
Q8 (MI)
Basic INSAG Qs: What is the attitude of managers and staff to safety reviews and audits
affecting their activities? Do they discuss with their staff the results and
the means by which deficiencies may be corrected? How responsive are
they to improvements made as a result? What is the attitude of managers
to the application of quality assurance measures to their activities?
Guide Questions:
Q9 (CMI)
Basic INSAG Qs: Does management regularly review the performance of personnel, with
assessment of their attitude to safety? Do managers give recognition to
staff members who take actions beneficial to safety?
Guide Questions:
- Do you think the station staff are qualified and have sufficient
experience to handle any abnormal situations?
- How would management reward exceptional safety actions by staff?
- For operating and maintenance staff particularly, what is the staff
turnover rate and are there any implications here for nuclear safety?
Note: The responses must be substantiated with questions regarding the
perceived level of experience needed in critical posts and the
contribution to safety. A high staff turnover rate can be an indication of
poor staff morale. Even when all training requirements are met, it is still
desirable to keep a balance of experience in all groups so that there are
some long serving members in each group.
Key Indicators:
Q10 (RCMI)
Basic INSAG Q:
Guide Questions:
Q11 (CMI)
Basic INSAG Qs: What systems exist to apprise managers of safety accomplishments or
shortcomings? How effective are they? Are managers alert to the need
to identify weaknesses in their staff, to specify training requirements or
to provide other support?
Guide Questions:
- How well do managers know the safety attitudes of their staff? How
can they measure them?
- How does a manager ensure that any extra training or support for
staff is put into effect?
Key Indicators:
Q12 (CMI)
Basic INSAG Qs: Do managers participate in staff training courses at which safety policies
and procedures are explained? Do they present any of the training
material? Do they follow the training of their staff and are they aware
of their training status and levels of ability? Do they encourage staff
members to spend time as instructors? Do managers themselves undergo
retraining in safety matters?
Guide Questions:
- What training programmes exist for your staff? What are the critical
areas of training for your staff related to personnel and plant safety?
- Is any or all of the training required by regulations? Is any or all
required by the plant as a requirement for duty? As such, are records
kept and/or certificates or licences issued? Who determines standards
for passing?
- As a manager, what attention do you give to assessing the content and
results of training for your staff?
- Do you have any difficulties providing time or facilities for the
training you want?
Guide Questions:
- Who are the trainers? Do you feel they are able to help you improve
or maintain your skills?
- Do your supervisors or managers ever observe your training sessions
or take part in them?
- Do trainers and managers discuss the content or results of your
training with you?
- What kinds of results are discussed?
Note: As a further demonstration to staff of their commitment to safety
culture and related training, as well as being good management practice,
managers should periodically observe what is being taught and how
training is being received by staff. Managers should be open to
suggestions by staff for ways to improve training. If staff do not feel that
there is sufficient management interest in training, then staff will tend
to be less motivated.
Key Indicators:
Q13 (MI)
Basic INSAG Qs: Does the plant manager from time to time inspect the conduct of safety
related work? Do managers review regularly the assignment of their
staff's duties? Are the relevant documents up to date? Do managers
attend regularly at the work-place to review safety related activities? Do
middle managers often make first hand inspections of the conduct of
safety related work for which they are responsible?
Guide Questions:
- How often do you have a visit from your managers during the
working day/week/month?
- Do managers help you by their visits?
Q14 (CMI)
Basic INSAG Q:
Guide Question:
Key Indicators:
- Positive factors are satisfaction with the work-place and the conditions
associated with carrying out tasks safely and efficiently.
- A feeling of confidence in management's interest and concern for the
workers' environment indicates a healthy situation.
- Some of the negative factors may be apparent from an on-site
inspection of the environment.
- Questions may then be forwarded to determine the attitudes of
individuals to any shortcomings.
Guide Questions:
Q2 (MI)
Basic INSAG Qs: Can personnel state ways in which safety might be prejudiced by their
own erroneous action? And by those of others working in related areas?
Do staff stop and think when facing an unforeseen situation? In such
cases are their actions 'safety inspired'?
Guide Questions:
Guide Question:
- What are the things that you would change if you could to help you
do your job even more safely than you do now and to make this a
safer plant?
Note: The individual should be able to relate the importance of his/her
job in the context of the safety of the plant as a whole. Each response
will have to be evaluated according to the influence it has on the safety
situation. The degree of importance will depend on the amount of
inhibition it exerts on the individuals' or group's performance. Examples
of suggestions on safety improvement initiated by the individual or group
may be stated; however, the results should be explored to determine the
reaction and attitude of management to these responses.
Key Indicators:
Q3 (CMI)
Basic INSAG Qs: Can staff clearly enunciate their own responsibilities? Can they cite the
documents that define them?
Guide Question:
- What are your responsibilities and in particular what are they with
respect to safety?
Q4 (MI)
Basic INSAG Q:
Guide Questions:
- How often has the plant been operated outside the safety limits?
- Who is responsible for analysing and reporting on violations of safety
limits?
- Have you ever been involved in reviews of safety violations?
- Does your experience include an unforeseen event at the plant?
- Where were you at the time and what did you do?
- What was the outcome? Was it discussed later?
- How did you react at the time? Although you have not had such an
event yet, how do you think you would react?
Note: Reaction to unforeseen events is extremely difficult to assess prior
to an event. However, the reinforcement of procedural methods of
rectification and a clear understanding of the channels of communication
to be followed for unforeseen events will be necessary. Individuals must
be trained to alert supervisors and management to such events while also
taking actions to ensure plant safety. Experiences should be reviewed
regularly to ensure lessons are learned, the necessary corrective
measures identified and timely implementation pursued. The
thoroughness of reviews and the strength of corrective responses are
important safety culture indicators. The results of safety analyses,
including probabilistic safety analysis, should be consulted regularly to
support decisions as specific issues arise, as well as to provide staff with
the insight into the important safety features of plant design and
operation.
Key Indicators:
Q5 (MI)
Basic INSAG Q: Are laid down procedures followed strictly even when quicker methods
are available?
Guide Questions:
Key Indicators:
Q6 (RMI)
Basic INSAG Q: How attentive are staff to the completeness and accuracy of records,
log-books and other documentation?
Guide Questions:
- Are there regular checks that records, logs and other documentation
are complete?
- How easy is it to retrieve records?
Key Indicators:
Q7 (MI)
Basic INSAG Qs: What steps would staff take if they observed actions that might reduce
safety margins? What attitude do individuals take towards their own
mistakes that might prejudice safety?
Guide Questions:
- How would you react if you observed that safety margins were being
or could be reduced?
- What exceptions would be considered acceptable?
- Do you inform your superior of all actions you took outside the
procedure, even if it was a positive action?
Key Indicators:
Q8 (MI)
Basic INSAG Q:
Guide Questions:
- How often have you found a mistake in a procedure? What did you
do about it?
- How much confidence is placed in procedural accuracy and the
relevance of procedure content?
Key Indicators:
Q9 (MI)
Basic INSAG Qs: Do staff use the mechanisms for reporting on safety shortcomings and
suggesting improvements? Is the mechanism used to report individuals'
errors? Is it used even when no detrimental effect is apparent? Do staff
respond satisfactorily to the investigation of safety problems assisting
effectively in seeking the causes and implementing improvements? Do
co-workers look favourably on those who exhibit a good safety attitude
by actions such as attention to housekeeping, completeness of entries in
log-books and adherence to procedures?
Guide Questions:
Key Indicators:
Q10 (RMI)
Basic INSAG Q: Do control room staff show a watchful and alert attitude at all times?
Guide Questions:
Key Indicators:
Q11 (RMI)
Basic INSAG Qs:
Guide Questions:
Key Indicators:
Q12 (RCMI)
Basic INSAG Qs:
- Are there any influences external to the plant which tend to impede
Q13 (RCMI)
Basic INSAG Qs: What is the attitude of staff to safety reviews and audits affecting their
area of work? How responsive are they to improvements sought as a
result?
Key Indicators:
3.3. RESEARCH ORGANIZATIONS
Questions and indicators may have to be adjusted by team members to suit the type and
format of the relevant organizations. Throughout, the emphasis should be on the research
input to safety analyses for both the plant and the regulatory body. Any stand-alone
assessment of research organizations must take into account the interfaces with the users and
sponsors. Therefore, the specific guideline questions should be reviewed and adapted for
application to a research or supporting body.
Q1 (S)
Basic INSAG Qs: Do researchers ensure that they understand how the results of their work
will be used in safety analyses? Are they familiar with how their data
are used in interpolating or extrapolating for ranges of parameters
different from those in their experiments? Do researchers identify the
shortcomings and limitations of their results?
Guide Questions:
Key Indicators:
Q2(S)
Basic INSAG Qs: Do they keep abreast of safety analyses to permit them to identify any
misuse of their work? Do they report any potential misuse or
misinterpretation?
Guide Questions:
- What system do you have for the validation and assurance of research
results?
- How are the limitations of results specified and recorded?
- Are you consulted by plant designers, utility or the regulatory body
when extrapolation of your results is needed?
- What method of quality assurance do you employ to assure the
standards of computer modelling?
Key Indicators:
Q3(S)
Basic INSAG Qs: On any particular topic, is it clear which group or individual is
responsible for monitoring new material or international data? What
personal contacts have been developed to keep abreast of new data? Is
there a mechanism for reporting new information that may invalidate
previous safety analyses? What is the appeal route if the first level of
notification is ineffective? How often are these mechanisms used?
Guide Questions:
Q4(S)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Q5 (RS)
Basic INSAG Qs: How promptly are the results of research fed into the design and
regulatory process? Is there a policy for regular publication of research
results in journals that insists on peer reviews?
Guide Questions:
Key Indicators:
Q1 (S)
Basic INSAG Qs: What processes exist for verification and validation of computer
modelling codes? Do these involve the relevant researchers? Are the
safety design codes verified and validated for the specific circumstances?
Are the limitations of codes taken into account explicitly in the design
review process? What is the formal mechanism for reporting the matter
if it is considered that the previously reported outputs of a computer
model may be invalid? Has there been a need to use this mechanism?
Guide Questions:
Key Indicators:
Q2(S)
Basic INSAG Qs: In which international standard problem exercises have analysts
participated to test national computer modelling codes? What efforts
have been made on a bilateral or multilateral basis to compare work with
that of experts in another country?
Guide Questions:
Key Indicators:
Q1 (RS)
Basic INSAG Qs: In which areas has outside expertise been used to supplement in-house
capability? How was the competence of the outside experts established?
Guide Questions:
Key Indicators:
Q2 (S)
Basic INSAG Q:
Guide Questions:
Key Indicators:
Q3 (RS)
Basic INSAG Qs: Has the design review process been audited by internal Quality
Assurance auditors? By the regulatory agency? By a peer group of
national or international members?
Key Indicators:
Appendix I
CONTENTS OF AN ASCOT REVIEW REPORT
The Introduction should include the background, scope and objectives of the review and
set out the approach, methodology and practical application of ASCOT to the particular
situation.
The headings should include details of findings, recommendations and suggestions for
improvements, if applicable and good practices. All recommendations/suggestions and good
practices should be uniquely numbered to facilitate identification.
EXECUTIVE SUMMARY
1.
INTRODUCTION
2.
3.
OPERATING ORGANIZATION
RESEARCH ORGANIZATIONS
5.
DESIGN ORGANIZATIONS
OTHER ORGANIZATIONS
7.
GOOD PRACTICES
8.
Appendix II
ASCOT ADVISORY SERVICE
Host country
Duration:
2-2½ days
Participation:
Lecturers:
Objectives
Today it is widely recognized that sound safety culture is one of the most important
contributors to the safe operation of NPPs. In order to promote the safety culture concepts
and its importance, the IAEA has developed the ASCOT seminar. Participants from the
regulatory body, operating organization and supporting institutions are expected to attend the
seminar. The purpose of the seminar is:
- to present internationally recognized indicators of an effective safety culture,
- to demonstrate the basic approach and principles of ASCOT, i.e. methodology for the
assessment of safety culture,
- to give examples of good and bad practices from different NPPs in the world in order
to illustrate on practical examples obtained from incident analysis and previous ASCOT
reviews/seminars, the impact of safety culture on nuclear safety,
- to receive through the discussion among the participants the response on national
practice for further dissemination.
The seminar lasts 2-2½ days and takes the form of a workshop, at which the
objectives are reached through a series of lectures, discussions and exercises.
Seminar schedule
1. Lecture/discussion: Concept of safety culture (approx. 1 h)
It is essential that the participants obtain at the outset a thorough understanding of the
concept of safety culture. More specifically, the participants should understand the definition
and universal features of safety culture. They should also understand that although safety
culture is intangible, its presence has tangible manifestations. Finally, the participants should
understand some of the broad characteristics of an effective safety culture and learn to
appreciate the long term usefulness of this concept.
The lecture will be presented by the ASCOT representative and will cover the concept
of safety culture as presented in 75-INSAG-4. The ASCOT representative will cover each
section of 75-INSAG-4 with special emphasis on the definition and characteristics of safety
culture (Section 2), the tangible evidence of safety culture (Section 4) and the universal
features of an effective safety culture (Section 3). The ASCOT representative will augment
the information in 75-INSAG-4 with illustrative examples based on experience from other
ASCOT reviews/seminars. Safety culture indicators (discussed in the Appendix of
75-INSAG-4) will not be discussed in detail at this time but will be covered later as part of
the lecture/discussion on the ASCOT Guidelines (Item 4).
2. Lecture/discussion: Examples of good safety culture practice (approx. 2 h)
Once the participants have obtained an understanding of the concept of safety culture,
it is essential that they develop an appreciation for what is generally considered good safety
culture practice. That is, the participants should be exposed to examples of especially
effective safety culture.
Discussion will follow and will be led by the ASCOT representative. To encourage the
participants to think in terms of sound safety culture, the ASCOT representative will invite
participants to give examples of what they consider to be an effective safety culture in their
own organization. This lecture/discussion will be supplemented by selected video
presentations on related subjects.
Within this framework a national presentation on the country's (organization's)
perspective to safety culture, given by a senior representative is encouraged.
5. Lecture/discussion:
7. Invited lectures related to the subject of the Seminar (optional 1/2 day)
Special lectures on selected subjects, which might be of interest to the host country can
be arranged. Examples of such lectures, which all should relate to safety culture, are: Basic
Safety Principles, OSART and ASSET highlights, Safety of East European and CIS reactors,
International Nuclear Event Scale, Maintenance and Outage Planning Good Practice, etc.
Aro, I.
Dusic, M.
International Atomic Energy Agency
(Scientific Secretary)
Hall, A.C.
Homke, P.
Libmann, J.
Mavko, B.
Orvis, D.
Reig, J.R.
Root, W.C.
Thomas, C.
Vienna, Austria: 15-19 July 1991, 16-March 1992, 15-19 June 1992
Publications
Global experience
The International Association of Oil & Gas Producers has access to a wealth of technical
knowledge and experience with its members operating around the world in many different
terrains. We collate and distil this valuable knowledge for the industry to use as guidelines
for good practice by individual members.
Disclaimer
Whilst every effort has been made to ensure the accuracy of the information contained in this publication,
neither the OGP nor any of its members past present or future warrants its accuracy or will, regardless
of its or their negligence, assume liability for any foreseeable or unforeseeable use made thereof, which
liability is hereby excluded. Consequently, such use is at the recipient's own risk on the basis that any use
by the recipient constitutes agreement to the terms of this disclaimer. The recipient is obliged to inform
any subsequent recipient of such terms.
This document may provide guidance supplemental to the requirements of local legislation. Nothing
herein, however, is intended to replace, amend, supersede or otherwise depart from such requirements. In
the event of any conflict or contradiction between the provisions of this document and local legislation,
applicable laws shall prevail.
Copyright notice
The contents of these pages are The International Association of Oil and Gas Producers. Permission
is given to reproduce this report in whole or in part provided (i) that the copyright of OGP and (ii)
the source are acknowledged. All other rights are reserved. Any other use requires the prior written
permission of the OGP.
These Terms and Conditions shall be governed by and construed in accordance with the laws of England and Wales. Disputes arising herefrom shall be exclusively subject to the jurisdiction of the courts of
England and Wales.
Acknowledgements
This report was prepared by the OGP Human Factors Task Force with contribution from Prof. Patrick Hudson of Leiden
University.
OGP
Management summary
This document provides information about tools which can be used to improve Health, Safety &
Environmental (HSE) performance. It identifies circumstances where certain tools are unlikely to
be effective and may even be counter-productive within a given HSE culture. The identified tools
have been analysed relative to the organisational HSE cultures described in the OGP HSE culture
ladder (Figure 1). The HSE tools most applicable for an organisation at a particular cultural level are
identified and evaluated.
Culture can be simply defined as the attitudes, values and beliefs that underpin the way we do
things here. A positive HSE culture is largely sustained by trust, credibility and behaviour of senior
leaders. Trust is extremely fragile; once lost it can be hard to recover.
Achieving and sustaining a positive HSE culture is not a discrete event, but a journey. Organisations
should never let their guard down. Healthy safety cultures result in high reliability organisations
which are characterised by their chronic sense of unease. Organisations must ensure that senior
management are committed to a journey of continuous improvement.
ated with incidents and related risks e.g. driving and vehicle safety campaign in response to vehicle
related injuries.
Proactive organisations consider HSE a fundamental (core) value and leaders at all levels genuinely care for the health and well-being of the staff and contractors. Such organisations understand
the role of management system failures as primary causes of incidents. Information, including data
related to potential consequences (near misses) as well as actual incidents, is used to identify suitable
performance targets. Tools that simplify work processes and support line management as well as the
workforce are used. Continuous improvement is a clear goal of proactive organisations.
Generative organisations have a high degree of self-sufficiency and strive to understand their entire
operating environment. Tools that are chosen and used by the whole organisation are preferred.
Mandatory tools may be counter-productive, suggesting lack of trust. Everyone feels free to highlight both real and potential issues. Workers feel empowered to resolve HSE issues, and leaders provide the support needed.
[Table columns: Tool type, Description, Pathological, Reactive, Calculative, Proactive, Generative. Tool types listed: Mandatory reporting; Auditing; HF design analysis; Operator design review; HF design validation; Mandatory standards; Decision-based practices; Process risk management; JSA led by supervisor; HSE appraisals; Situation awareness; Questionnaires and surveys; Observation/intervention; Incentive schemes; HSE communications; HSE alerts; HSE newsletters; Handover information.]
HSE recordkeeping systems are generally electronic databases designed to collect data
from HSE incidents, near misses and associated investigations. Recording data in a database allows statistical analyses to identify frequency and trends of various types of
incidents. Such systems may also be used to assess the success or failure of improvement initiatives.
Incident reporting and recordkeeping efforts can be undermined or suppressed
by the following factors:
1.
2.
3.
4.
Lower culture levels may require a degree of anonymity or confidentiality to encourage reporting,
especially in pathological cultures where punishing the messenger is a common trait of the culture.
Effective HSE reporting is associated with more advanced HSE cultures.
Electronic databases are able to store, organise, and analyse vast amounts of data, but this does not
guarantee the information collected is accurate, complete or even useful. The result may be large volumes of low value data. Pathological and reactive organisations are likely to value data collection and
analysis only to the extent it is required by law or regulation. Calculative cultures typically collect
significant quantities of data without necessarily understanding which information is valuable in
preventing incidents. Proactive organisations mainly focus on the root causes of why events (including near misses) occurred, to improve HSE performance.
Most organisations share reported and recorded information with selected users. Proactive and generative cultures generally share HSE information more openly, subject to regulatory limitations.
Systems are also frequently used to capture and share the status of remedial actions.
Typically, more mature HSE cultures include proactive reporting and analysis of potential problem
areas (near misses, hazards, etc), before an incident occurs.
Examples of HSE reporting and recordkeeping systems include:
Incident investigation
The aim of incident investigation is to gather data to determine the immediate
causes of an incident and provide information for an analysis process that can uncover
the underlying causes of the incident. Pathological organisations are likely to believe
that individuals caused accidents and not investigate further once an individual has been
found to blame (legal systems, especially in criminal law cases, often support this rationale as the evidence at that level is seen as sufficient to prove a case).
Tools for systematic investigation of incidents are essential for the effective management of HSE.
Incidents are clear evidence for the need to improve, so anything learned from an incident should
be relevant for all organisations. Incident response procedures should include the preservation and
collection of potentially relevant information whenever possible. Beyond complying with local legal
requirements, effective incident investigation tools should provide information to the organisation
to ensure appropriate lessons are identified and shared.
Effective incident investigations gather information from all relevant sources, including:
From these sources the investigating team determines a sequence of events and a basic cause-and-effect relationship between various factors related to the incident.
There are a number of considerations when choosing an incident investigation tool:
comprehensiveness;
training and competence requirements; and
intended use of the investigation results.
In advanced HSE cultures incident investigation typically involves persons other than HSE professionals. Incident investigation training is required to produce reliable results. Investigation tools
may use predefined checklists for considerations or causes to assist the investigator and provide a
measure of consistency. Such checklists should be used as guidance only as these may miss unique or
other potentially vital information.
Proactive analysis
This is intended to uncover potential underlying causes of future incidents, mainly systemic problems. These techniques are not based on the occurrence of a specific incident, but rather rely on
the belief that the underlying causes of future incidents are already present in the organisation and
can be identified in advance. Pathological or reactive cultures are unlikely to use this technique, as
no incident has occurred to justify taking resources from other priorities. Conversely, generative
organisations might not need this tool, as they would use active and ongoing reporting and resolution of issues. Proactive analysis is best suited to proactive cultures and mature calculative cultures.
3 Auditing
Verifying that HSE processes are in place and functioning properly is an essential part of HSE
management. Auditing typically involves the comparison of actual performance relative to
an accepted standard. In most areas the standard is a documented public requirement or
company expectation. In less developed locations the expectations of the auditor may set
the standard.
Audits can range from a simple walk
around a facility looking for obvious
discrepancies, to a systematic review of
management systems, documentation, and
field practices relative to a published standard. In lower level HSE cultures, auditing
tends to be associated with negative results.
At higher cultural levels, audits may be welcomed by those involved in running an operation
to benchmark their current performance and reveal areas for
improvement.
HF design analysis
HF design analysis ensures human factors requirements are adequately identified and specified as an
input to procurement and detailed design decisions.
Various forms of design analysis can be required depending on the scope, complexity and novelty of
a project, and the demands on human performance to operate and maintain the facility. The type of
analysis involved, and the level of experience and skill needed to perform the analyses, depend on the
nature of the human issues of concern.
Types of analysis typically applied to support oil and gas projects include:
- Analysis of valves to ensure valves are optimally located for ease and speed of access.
- Task analysis to ensure requirements of the interface needed to ensure safe, effective and reliable human performance are identified and specified in advance of design or procurement. Task
analyses provide the basis for other, more specific types of analysis, including manual handling
assessments, workload estimation and development of procedures.
- Human error analysis where a more detailed assessment of human reliability, or the potential
for human error is needed.
- HF analysis to support design of human machine interfaces to IT systems, particularly real-time
DCS systems, can be particularly specialist.
Mandatory standards
Typical in lower culture levels and largely focus on areas where
specific problems have arisen, and the resulting guidance leaves no
room for worker decision-making or deviation. Standards are often set
by external requirements (regulatory or industry) and generally address
the minimum acceptable level of performance. At lower culture levels the primary
focus is on what to do, with little discussion of underlying rationale. At higher culture levels, mandatory standards are limited to highly regulated or critical activities, and typically include information to aid in understanding the requirements.
Decision-based practices
More typical in higher level cultures, where workers are trained and trusted to apply best practices
to address unanticipated situations as well as routine activities. Work guidance at higher culture
levels typically includes information on underlying principles or objectives and the potential consequences of non-compliance. This level of worker independence is usually rejected by lower culture
levels, as workers would not be trusted to make competent decisions.
9 HSE appraisals
These tools provide individuals with information
about how others perceive their behaviours and attitudes related to HSE issues compared with established
expectations or with their self-evaluations. They include
traditional performance appraisals, 360-degree appraisals,
peer appraisals, and upwards appraisals.
It is important to remember that HSE appraisal systems are aimed at improving
HSE-relevant behaviours and attitudes, not as an assessment of general work performance. If the
appraisal results are used as a basis for personal consequences (promotion opportunities, salary or
bonuses, disciplinary action, etc) the appraisal tool must be validated for reliability.
At the pathological and reactive culture levels, HSE appraisals leading to personal consequences
may be used to enforce minimum requirements, although pathological organisations are unlikely to
place a high value on HSE skills relative to other measures. HSE appraisals are most useful in calculative and higher cultures. Workers in generative organisations typically seek frequent feedback
from others through appraisal-type systems.
Performance appraisals
should include characteristics of HSE leadership and should focus on activities under the control
of the individual being appraised, rather than on broad organisational indicators. These appraisals
are conducted by the group leader assessing worker performance relative to expectations to help
focus on useful activities and improvement opportunities. HSE leadership is typically one aspect of
a larger performance appraisal process. To the extent that HSE leadership is specifically identified
as an expectation, the performance appraisal process can contribute to long-term HSE performance
improvement, especially in lower culture levels.
HSE leadership assessments
typically describe critical HSE leadership behaviours against which individuals can be assessed.
These can serve to help individuals acquire new skills and improve behaviours by providing examples
that can be practiced and emulated. The descriptions need to be validated if used specifically for
assessments with consequences.
360-degree appraisals
Used to provide an individual with input from peers, subordinates and superiors within the organization. Such appraisals can highlight differences in perceptions or expectations from different
organizational levels. Proactive and Generative organizations are most likely to value the results of
360-degree input.
Upwards appraisal
is used by managers for appraisal input from lower organisational levels. It is often compared with
one's self-assessment to help recalibrate self-perceptions. Where possible, upwards appraisals should
include appraisal by individuals two or more levels removed from the appraised manager to capture
broader organisational perspective.
10 Situation Awareness
One of the frequent findings in incident investigations is
a lack of situation awareness. This is normally used to
describe a loss of understanding of the current situation
or failure to predict future situations by members of
the workforce. The term can also be applied to supervisory and managerial positions. Generalised awareness programs are most appropriate for reactive and
calculative organisations, but situation awareness tools
can help combat complacency, making them appropriate
for proactive and generative organisations. Situation awareness tools typically take one of two forms: either small group
discussions of the work situation, or individual evaluations of the work.
12 Observation/intervention
Observation of work activities as a tool for improving HSE performance
is well-established. There are, however, a variety of tools for conducting
work activity observations. These range from observation and intervention by supervisors to identify and remedy unsafe acts and conditions,
to more advanced tools where workers reinforce and train one another.
Observation and intervention techniques can vary considerably based
on the HSE culture level of the organisation.
Fundamentally, observations involve an observer recording the
activities of a worker or work team as they perform a task. Actions
are compared to accepted standards and where deviations occur
there is a discussion between the observer and worker(s) identifying the
deviation and suggesting an improved technique. At lower culture levels,
a supervisor is more likely to be the observer, while at higher levels peers are responsible for observing, discussing issues, making improvements, and recognising positive performance.
Observations by supervisor
is used to address an obvious breach of an accepted or regulated standard, direct corrective action
(often a penalty) is supported. Pathological cultures tend not to go looking for trouble and observations are usually non-existent.
Observation by peer
is conducted by peers and results are usually shared beyond the peers involved. Observations also
include analysis of the causes of observed at-risk actions. Peer observations are usually found in
higher HSE cultures. Workforce acceptance of peer observations can also be influenced by national
or local culture, especially in hierarchical societies.
13 Incentive schemes
Using incentive schemes to improve HSE performance appeals to management who believe that the
cause of unsafe behaviours is a lack of motivation on the part of the workforce. At more senior levels,
bonuses may be contingent on the organisation's HSE performance.
Workforce rewards may be financial or non-financial, such as BBQ cook-outs, thank you letters
from senior management, etc. Financial rewards can quickly become seen as a right, regardless of
performance, so should be used with care. In more advanced HSE cultures workers are rewarded for
activities rather than non-activities (lack of incidents). For example, trying to achieve 1,000,000
man-hours without an incident can result in behaviour that has little relationship to safe work practices, but much to do with accumulating low-risk/low productivity work hours that hasten achievement of the reward.
Incentive programs must consider whether to recognise behaviours (leading) or outcomes (lagging).
14 HSE communications
Communication of key HSE policies, expectations, results, and
incidents is an essential way of supporting the development of
general HSE awareness and specific situation awareness. It is also
effective in supplementing training efforts. Communications are
often a component of other HSE processes, but can exist as an HSE tool in its own right.
Pathological organisations find it hard to justify the time and resources for such non-productive
activities. Reactive organisations may provide limited communications, largely linked to events that
have occurred. Calculative organisations will use all media, but may leave the impression that they
are meeting set targets. Proactive and generative organisations use communication media extensively and encourage open communication of potential issues and suggestions.
Tool-box talks
are discussions held by individual work groups, usually in a field setting to raise HSE awareness
for the day, or to specifically discuss potential hazards associated with an upcoming task.
HSE meetings
are sessions held regularly to discuss HSE related issues among multiple work teams. These meetings may include sharing lessons from past events, new work practices or expectations from management, or increased awareness of HSE issues of general interest. Advanced cultures include their
contractors in the meetings, and in the most advanced cultures the HSE meeting is run by the workers or contractors directly.
HSE alerts
are communications specifically for informing workers of incidents or problems identified at other
locations.
HSE newsletters
are periodic communications to inform workers of issues, policies, and recent performance. Newsletters often cover topics similar to those discussed in HSE meetings, but may go into more detail
or provide additional references to further support desired objectives. Newsletters are common in
calculative and higher HSE cultures. In more advanced cultures, the content of the newsletters is
determined to a greater extent by the workers themselves.
Handover information
are processes for transitioning work from one group to another. These could include shift handovers, handover from the control centre to the field team, or bridging documents between operators
and contractors. These protocols assist the applicable groups in sharing critical operating considerations or potential hazards associated with the tasks being passed to the next group.
Issue-specific tools
such as the Hearts and Minds Managing Rule Breaking are generally appropriate for proactive
and generative organisations and may be used to help calculative organisations take the next step
up the culture ladder. Pathological or reactive cultures will not likely use issue-based tools, as the
organisational vision is limited to addressing each incident independently.
www.ogp.org.uk
Trouble Light Explosion
An operator died as the result of a dust explosion
that occurred when he inserted a portable trouble
light inside a plastic dust bin. He was cleaning the
inside of the bin with a water hose to remove the
dust. A dust cloud was produced, and at the same
time, water contacted the light causing it to spark
and ignite the dust cloud.
Electrical wiring and equipment are identified
as ignition sources in other dust explosion studies.
Dust Explosion
Fundamentals
Richard J. Buschart, P.E., is with PC & E, Inc., of St. Louis, Missouri. He is a Life Fellow of the IEEE and a Fellow
in the ISA. This article appeared in its original form at the 1997 PCIC Conference in Banff, Canada.
January/February 1999
077-2618/99/$10.000
1999 IEEE
Characterization of Dusts
As with Class I vapors and gases, it is first necessary
to determine if the material requires classification,
and if so, to what degree. This can be done by testing the individual dust or by referring to test data
on similar dusts and assuming your dust will act in
a similar way. This assumption may not be correct.
Testing is always better because the actual dust
may have different particle size distribution than
the tested value. Testing usually follows the practices established by the United States Department
of Interior, Bureau of Mines. In the early sixties, the
Bureau of Mines issued a number of reports on the
explosibility of dusts in various industries. RI 5624
[9] describes the laboratory equipment and test procedures for evaluating explosibility of dusts. The
dust explosion parameters considered are:
- Minimum dust cloud explosive concentration
- Ignition temperature of a dust cloud
- Ignition temperature of a dust layer
- Electrical energy for ignition of a dust cloud
- Electrical energy for ignition of a dust layer
tal ignition temperatures. The layer ignition temperature is usually lower than the cloud ignition
temperature. An example of a classification of a
plastics facility where the dust has an ignition
temperature of 115°C (239°F) is:
Class II (dusts), Division 2, Group G (plastic dusts),
T5 Ignition Temperature 115°C (239°F)
Dust Conductivity
Metal dusts, Group E, are classified as conductive. If
these dusts enter an electrical enclosure and bridge
between energized terminals, a leakage current
might subsequently produce dust ignition. For this
reason there is only Division 1 in Group E dust classified locations. Coal dusts are generally not considered conductive. However, in high voltage electrical
equipment the possibility of voltage breakdown exists, especially in wet or humid environments.
Chemical, plastic, or agricultural dusts are insulators, and, therefore, conductivity for these
dusts is not a dust explosion issue.
Elimination or Reduction of Classified Locations
It should be the safety goal of any facility to eliminate classified locations through equipment design that
minimizes dust leaks and through structures where dust
cannot accumulate.
The importance of these factors is indicated in
the following fine print notes in NEC Section
500-6-(b) Class II, Division 2 definitions:
(FPN No. 1): The quantity of combustible dust
that may be present and the adequacy of dust removal systems are factors which merit consideration in determining the classification and may
result in an unclassified area.
Classification Technique
The visibility of dust accumulation provides the
opportunity for determining electrical area classification by inspection of process facilities. The factors to consider in surveying existing facilities and
in comparing them to processes that require classification are:
1. Housekeeping.
2. Leak points: their location, especially height.
3. Horizontal dust collection areas: solid floors, the tops of tanks, and duct work.
4. Confining walls and barriers.
The classification of a location by a survey is
done by observing dust accumulations for typical
operations. Instrument Society of America, ANSI
Standard S12.10, Area Classification in Hazardous
(Classified) Dust Locations and NFPA 497B [3]
provide the following general rules for dust classification:
1. In dusty areas where the layer is just thick
enough to obscure the floor or surface color, the location should be classified Division 2.
2. In dusty areas where larger dust accumulations are present and the dust layer thickness exceeds one-eighth of an inch, the location should be
classified Division 1.
These criteria should be used to classify dust locations for existing facilities and for new facilities
where a similar unit exists.
In Division 1 locations:
1. Type MC cable can be used in cable tray; otherwise, conduit and MI cable are permitted.
2. Fittings and boxes can be dust tight unless
taps, joints, or terminals are present, or conductive
dusts are involved, in which case the enclosure
must be DIP.
3. Liquid tight flexible conduit and cords can be
used for flexible connections.
4. Explosion seals are not required. Sealing is
only needed to keep the dust out of DIP enclosures.
Lengths of raceway can provide sealing requirements (See Figs. 1, 2, and 3).
5. Most other enclosures are DIP with some exceptions and special requirements for metallic dusts.
6. Motors can be DIP or totally enclosed, pipe-ventilated.
In Division 2 locations:
1. Dry-type transformers operating at over 600
volts cannot be used
Fig. 3. Preventing dust from entering the dust-ignition-proof enclosure by vertical distance (no seal). [Figure labels: sealing fitting; dust-ignition-proof enclosure.]
References
[1] ANSI/NFPA 70, 1996 National Electrical Code, Quincy, MA.
[2] ANSI/ISA S12.10-1988, Area Classification in Hazardous (Classified) Dust Locations.
[3] NFPA 497B-1991, Recommended Practice for the Classification of Class II Hazardous (Classified) Locations for Electrical Installations in Chemical Process Areas.
[4] NFPA 497M-1991, Manual for Classification of Gases, Vapors, and Dusts for Electrical Equipment in Hazardous (Classified) Locations.
[5] R.J. Buschart, Electrical and Instrumentation Safety for Chemical Processes, Chapman and Hall, NY and London, 1991.
[6] R.J. Buschart, "Monsanto Standards - Area Classification For Electrical Ignition Hazards - Combustible Dust-Air Mixtures, Design Guide E2.2 Std 3, 12/28/92."
[7] NFPA 654-1994, Standard for the Prevention of Fire and Dust Explosions in the Chemical, Dye, Pharmaceutical and Plastics Industries.
[8] IEC - 314147iCDV - Part 3, Classification of Areas Where Combustible Dusts Are or May Be Present.
[9] U.S. Bureau of Mines, Washington DC, "Laboratory Equipment and Test Procedures for Evaluation of Explosibility of Dusts," RI No. 5624, 1960.
[10] U.S. Bureau of Mines, Washington DC, "Explosibility of Dusts Used in the Plastics Industry," RI No. 5971, 1962.
[11] U.S. Bureau of Mines, Washington DC, Dust Explosibility of Chemicals, Drugs, Dyes, and Pesticides, RI No. 7132.
[12] NFPA 69, Explosion Prevention Systems, 1997.
HSE Books
Contents
Introduction
Who is this booklet for?
Legal framework
Why does dust explode?
What are the effects of a dust explosion?
Introduction
1 This guidance document provides advice on the prevention and mitigation of
dust explosions and fires. Many materials we use every day produce dusts that are
flammable and, in the form of a cloud, can explode if ignited. Examples are:
- sugar;
- coal;
- wood;
- grain;
- certain metals; and
- many synthetic organic chemicals.
Quite generally, the advice applies to anything which can burn, and which exists in
a fine powdered form, unless tests show that particular hazards are not present. In
some cases, a very simple knowledge of chemistry can rule out the explosion risk,
eg in the case of sand, cement and sodium carbonate (soda ash).
2 Dust explosions are not new and records from over 100 years ago exist of
incidents that have resulted in large loss of life and considerable and costly damage
to plant and buildings.
3 The objectives of this book are to:
- outline legislation;
- illustrate the effects of dust explosions;
- show how to prevent dust explosions;
- explain how to protect plant and equipment if an explosion occurs; and
- give advice on the particular hazards of fires within dust handling plants.
Legal framework
7 The Health and Safety at Work etc Act 1974 (HSW Act)2 places a general duty
on employers to ensure the safety of both employees and other people from the
risks arising from work activity, so far as is reasonably practicable.
8 The Dangerous Substances and Explosive Atmospheres Regulations3 require
employers to make an assessment of the health and safety risks arising from
dangerous substances, and this specifically includes dusts which can explode.
Where the employer has more than five employees, the significant findings of the
risk assessment must be written down. Precautions to control any risks associated
with dust fires and explosions are then needed (see below.) Specific requirements
relating to classification of hazardous areas within a plant, and marking of points of
entry into such areas are covered in paragraphs 32-34 and 98. These regulations
also require that information about the risks and emergency procedures is made
available for the fire authorities. It is not necessary to send the written risk assessment
to the fire authority in every case, but where contact is made, the particular risks and
precautions associated with dust explosions should be identified.
9 In addition to this a number of regulations are relevant where flammable dusts
may occur. These are:
13 Measurements of the lower explosive limits of many materials are available, and
for many organic materials the limit is in the range 10 - 50 g/m3. A dust cloud of
this concentration resembles a very dense fog. Upper explosive limits are difficult to
measure accurately, and have little practical importance.
14 The most violent explosions usually result from dust/air mixtures that are fuel
rich. This means that the oxygen available in the air cannot burn all the dust, and
partly burnt, glowing material often remains after the explosion. This can reignite
if more air becomes available. The shape and size of the dust particles, and other
factors, strongly affect the force of the explosion and the explosive limits. Only weak
explosions are likely where the mean particle size of the dust exceeds 200 microns,
or the moisture content exceeds 16%. Appendix A contains information about
methods of testing dusts.
[Figure: conditions needed for a dust explosion. Labels: ignition source (heat / spark); dust sufficiently fine; movement to create a cloud; confinement (hopper / silo, filter / blender).]
When a dust cloud ignites in an enclosed volume it results in a very rapid rise in
pressure within the container. The container may be an item of plant or a room of a
building. Typical peak pressures in laboratory apparatus are in the range 8 - 10 bar.
In normal circumstances the plant or building will not be strong enough to withstand
the pressure from the explosion and it will fail in a sudden and uncontrolled manner.
Anyone close to exploding plant, or inside a room where an explosion occurs is likely to
be killed or seriously injured. The plant or building will only survive if the design or other
protective measures deliberately allow for the high pressures.
16 Where an item of plant fails, or an explosion vent opens as a result of a dust
explosion, a fireball and shockwave will emerge. The fireball is usually much larger
than the vessel from which it came, and is likely to spread burning particles a
substantial distance. A person engulfed in such a fireball is likely to receive serious
burn injuries.
17 An explosion within a piece of plant may also stir up dust deposits within the
building. The failed plant may also release as a cloud a large quantity of unburnt
material. Burning particles from the primary explosion can then ignite the dust cloud
within the building causing a secondary explosion that is generally more destructive
than the primary explosion.
An explosion initiated in the dust collector of a grain storage facility at Blaye
in France. The towers contained elevators and the gallery over the 44 silos
contained belt conveyors. All the areas were open allowing the spread of dust
clouds and flames. Both towers, the gallery and 28 silos were completely
wrecked with the loss of 11 lives.
40 Dusty areas may extend well away from sources of release of dust unless you
install local dust extraction to prevent this. Air currents will carry the finest dust
particles a considerable distance and allow them to settle at high levels within a
building. Dust deposits on beams and ledges at high level create a secondary
explosion risk, but you should also be aware that surface deposits of dust might
ignite on equipment that is designed to run hot, or may block ventilation holes or
otherwise interfere with the cooling of electrical equipment.
41 To prevent fires, you should ensure that the maximum surface temperature
produced by an item of electrical equipment exposed to dust is below the
temperature required to ignite the dust either as a layer or as a cloud. BS EN
50281-1-2 contains a formula for maximum temperatures, which includes a
safety margin. You can find tables of measured values of ignition temperatures in
reference 12, and as a rough indication the layer ignition temperatures of many
natural products exceed 300 deg C and cloud ignition temperatures are usually
higher. Thicker dust layers can ignite at much lower temperatures.
42 Where the interior of a plant item requires regular illumination, you can almost
always do this with the light source outside the plant. Mains powered portable
lights should not be lowered into storage bins. Even if the light unit is designed for
an explosive atmosphere, the cable might be easily damaged, and the risk is high.
If illumination from the inside is needed, and a dust certified lamp is not available,
battery-powered lamps certified for use in gaseous flammable atmospheres are
unlikely to cause ignition. If, however, they are dropped and buried in a heap of
dust some high powered types could overheat and start a fire.
43 Frictional heating of moving parts of process plant may raise the temperature
locally to the point where ignition of a dust occurs without any spark or flame. Bucket
elevators have proved vulnerable to this problem, as have hammer mills and rotary
atomisers on milk spray driers. Modern plant may have features designed to prevent
or detect such problems eg ammeters on motors to indicate overloading. Inadequate
maintenance can negate the effectiveness of these features.
44 Impact sparks are likely to arise where tramp metal or stones enter process
plant. A magnetic separator to catch ferrous tramp metal is a very widely
used precaution that helps minimise this problem. For the separator to remain
effective, you need to remove the caught fragments on a regular basis. If you find
fragments regularly, it is better to identify the source and then take steps to reduce
contamination rather than depend on the magnet. Sieves, pneumatic separators
and other methods allow you to remove stones and other extraneous matter from a
lighter feedstock. Where you are handling loose materials eg open floor storage of
grain, bulk handling in ships' holds etc, such separators are particularly useful.
45 Electrostatic charging of plant items or process materials is likely when moving
dusty materials in quantity. It is necessary to take precautions to prevent discharges
that are powerful enough to cause ignition of a dust cloud. A conducting (metal)
item isolated from earth produces the most energetic discharges when it becomes
charged by contact with a stream of charged dust particles. You should prevent this
by earthing all metalwork that may be in contact with the dust. The least electrically
conducting dusts, such as polyethylene, cause the most problems as the charge is
retained within the bulk and additional precautions may be needed.
46 Experience from the chemical industry suggests that explosions are most likely
with dusts that have a low minimum ignition energy (MIE). Certainly electrostatic
hazards need more careful control with the most easily ignited dusts. For example
the use of highly insulating parts may need to be avoided. The test methods used
strongly influence measured values of minimum ignition energy, and care should
be taken in interpreting data from old sources. Usually the test houses that can
measure MIE will be able to advise on the significance of the results.
47 Typical precautions required are earthing of delivery tankers, electrical bonding
across sight glasses in transfer lines, earthing of plant items that stand on non-conducting
floors and avoiding the use of non-conducting fastenings to join metal
components together. Checking the earthing arrangements before the plant is first
brought into use might form part of the verifications required by the Dangerous
Substances and Explosive Atmosphere Regulations3. BS PD CLC/TR 50404 (reference 19) also
recommends the checking of earthing arrangements at scheduled maintenance
and after other maintenance or modification.
Common ignition sources include:
- hot surfaces;
- naked flames;
- faulty or unsuitable equipment;
- overheating of moving mechanical plant eg by friction;
- impact sparks;
- electrostatic discharges;
- spontaneous heating; and
- smoking materials.
48 You may require additional precautions where combustible dusts and flammable
solvent vapours are present together, eg in some drying or mixing processes in the
chemical industry. Reference 20 includes discussion of precautions required in this
situation and other circumstances where dust and vapour are present together.
49 Exothermic decomposition, air oxidation or biological action may cause
spontaneous heating in many materials. Careful control of maximum temperatures
is necessary when you handle such materials in a hot process, such as drying. You
may use small-scale tests to identify unstable materials, but large-scale processes
should usually operate at temperatures well below the onset temperatures shown in
these tests. See reference 20 for information on suitable small-scale tests.
50 When storing such materials for long periods in large bulk containers, periodic
temperature checks within the interior of the pile may help you to detect the onset
of overheating; alternatively regular transfer of the powder from one silo to another
will help dissipate localised build up of heat. Materials known to be prone to
spontaneous heating include fishmeal, corn meal, dried sewage sludge and milk
powder.
51 Combined gas/dust explosions have also occurred where dust smouldering in
a restricted air supply has given off carbon monoxide. In an essentially closed plant,
the carbon monoxide can build up to the point where introduction of a fresh air
supply causes an explosion.
61 Extensive research over the last 20 years has provided soundly based calculation
methods to determine the vent area required. To design an explosion vent you require:
The plant user supplies information about the properties of the dust whilst the
equipment manufacturer or installer supplies the calculation of relief areas. Some
manufacturers test a complete assembly of, for example, a filter, with its vent
panels. Others may calculate the equipment strength and fit vent panels from a
specialist supplier that have been separately tested.
62 Different design equations are used for different circumstances. For example a
tall thin silo may need more vents than a short squat vessel with the same volume.
Full details are given in reference 1.
63 When an explosion vent opens as a result of a dust explosion, a fireball
or jet of flame must be expected. This can carry out a mass of burning and
unburnt dust. In addition there will be a pressure wave associated with the
explosion. If the vent opens inside the building the burning dust may start
further fires, and the blast may damage nearby plant. Anyone inside the room
or building may be at serious risk. For these reasons explosion vents which
discharge inside a building will give people inside the building little protection
from the explosion. The usual solution is to fit a duct to lead the explosion
products to a safe place in the open air. You may need to keep personnel
away from an area around the end of a vent duct. Proprietary flameless venting
devices, which quench flames and catch burning dust are also available. The
supplier's advice concerning installation must be followed carefully. See also
paragraphs 68 and 69.
64 Bucket elevators may have an explosible cloud of dust within both legs
during normal operation. Frictional heating within the elevator has caused a
number of explosions. Explosion relief vents at the top and as close to the
boot as is practicable (this generally means within 6m of the boot) will usually
provide adequate protection for dusts with a KSt of 150 or less although long
elevators may require additional vents. See appendix A for an explanation of KSt.
This assumes the vent panels have an area equal to the cross-section of the leg,
or for any panel at the top, both legs. Reference 1 contains additional guidance for
dusts with a KSt of more than 150.
Note: It is often difficult to locate relief panels at the elevator boot where they can
open safely.
65 Because of the difficulty of ducting vents from bucket elevators sited in
buildings to the open air, it is preferable to locate such elevators outside buildings.
66 Screw conveyors do not generate large dust clouds within the casing, and
experience has shown that explosion relief on such items is not normally necessary.
Drag link (en masse) conveyors may contain a substantial void above the powder level
in horizontal sections, and can be damaged by, or transmit explosions. Malfunction of
either type of conveyor may cause frictional heating and ignition of the dust.
67 The dangers of a dust explosion will depend, among other factors, on the size
of the ignited cloud. There is no simple answer to the common question: 'My plant
has a size of only x, do I still need an explosion vent?' It will depend on the risks to
people for any given plant. Factors you should consider are: the explosibility of the
dust, whether existing openings will provide adequate protection, the cleanliness of
the building, the likelihood of an ignition source being present, and the number of
people who would be at risk.
68 To operate successfully an explosion vent must open reliably at a pressure
well below that which the plant it is protecting can withstand, and must open
fully almost instantaneously. Vents normally take the form of bursting panels or
explosion doors. From 30 June 2003 newly supplied vent covers should conform to
the EPS Regulations8, be tested by one of the recognised independent test houses
(notified bodies) and CE marked.
69 Where you site explosion vents is important because, if they are close to a
wall or other obstruction, it can inhibit the release of combustion products and
make the vent ineffective. Normally you should leave a minimum space of 1 panel
diameter or diagonal between a vent panel and an obstruction. A larger distance
will be needed to prevent damage to masonry walls from the pressure wave.
70 Where panels could become dangerous missiles in the event of an explosion,
you should attach them to the plant by a strong chain, cable, or other restraint.
The chain/cable must be long enough to allow the panel to open fully. Normally
explosion vent doors and panels are not strong enough to stand on, and where
necessary you should provide a suitable barrier to prevent access. A less
satisfactory alternative is a widely spaced wire grill on the inner side.
71 Explosion doors are heavier than panels and will take longer to open than the
lightest vents available. For this reason doors are likely to need to be bigger than
the area calculated for panels. New doors made and tested to the EPS Regulations
will come with a quoted figure of effective vent area. All types of explosion vent
need occasional maintenance, to ensure that seals remain in good condition, there
is no accumulation of dirt or corrosion products and hinges operate easily etc.
Explosion suppression and containment
72 Although the provision of explosion relief vents is the most widely used
technique for protecting process plant from dust explosions, suppression and
containment are equally valid alternatives. The choice of technique will depend
not only on safety considerations, but also issues like cost, reliability, continuity of
operation and keeping a plant free from contamination. Explosion venting will be
inappropriate if the material is too toxic or environmentally harmful to release to
atmosphere, or if there is no safe place to locate the vent outlet.
73 Dust explosions typically produce maximum overpressures in the range 8 to
10 bar. It is not generally practicable to produce plant capable of withstanding
such pressures unless it is of small volume and simple circular or spherical shape.
Hammer mills and certain other grinding equipment are however, often strong
enough to contain an explosion; you will need to consider protection of the
ductwork leading to and from them unless it is of similar strength. Plant operating
under a vacuum, eg some types of drier, may also be strong enough to withstand
the low explosion pressures that would result.
74 Explosion suppression systems allow the control of a developing explosion
by the rapid injection of a suitable suppressing medium into the flame front. They
have been developed into reliable systems over years of testing and operating
experience. They are classed as autonomous protective systems and need
certification and appropriate marking under the EPS regulations.
Safe handling of combustible dusts: Precautions against explosions
81 Methods to separate items of plant and so restrict this possibility include the use of:
- rotary valves;
- a choke of material in an intermediate hopper;
- screw conveyors with a missing flight and baffle plate;
- explosion suppression barriers; and
- explosion isolation valves.
The aim is to prevent both the spread of burning particles, and the pressure wave
associated with the initial explosion. Equipment newly installed after June 2003,
intended specifically to act as an explosion barrier device needs to be tested and
certified under the EPS Regulations8. Detailed standardised test arrangements are
not available for any types of barrier device at the time of going to print.
82 The transfer system of the plant will continue to spread burning material with
potentially serious consequences unless it shuts down immediately in the event
of a fire or explosion. You can achieve this by providing trip switches activated by
explosion relief panels to cut the power to elevators, conveyors, rotary valves etc.
83 Rotary valves are commonly provided to control powder flow, or to act as an
air lock. If they are also intended to act as explosion chokes, they need rigid blades
eg of metal, that will not deform under a pressure wave, and which have as small a
clearance as practicable from the casing. Both the gap width and gap length affect
the ability of the valve to extinguish a flame front. See figure 3.
[Figure 3: rotary valve diagram. Labels: explosion; gap width W; rotor; gap length lg = thickness of the rotor vanes; housing; rotor vane.]
84 If you omit one turn of the flight, a screw conveyor will act as a choke to a dust
explosion. On an inclined conveyor the screw will not normally empty itself below
the missing flight even when the supply of feed to the lower end stops.
A horizontal conveyor with a trough casing needs an adjustable baffle plate to
complete the seal of dust with the upper side of the casing. See figure 4.
[Figure 4. Labels: baffle plate; choke.]
[Figure labels: control unit; detector; ignition source; flame front; dispersion of extinguishing medium.]
[Figure labels: gas cylinder; slide valve; piston.]
91 If you try to extinguish a fire using water, it is important that you apply it as a
fine spray or fog. Using high-pressure water jets on a smouldering fire is dangerous,
as you can raise dust clouds. Attempts to restrict the spread of fire by removing
dust from adjacent plant have also resulted in the unintentional formation of dust
clouds with disastrous consequences.
92 When tackling fires involving powdered metals or coal you should not use water
as it may cause a violent reaction or the formation of flammable gases. Dry sand
applied cautiously to a small burning heap on the floor from long-handled shovels
may be effective, but special proprietary powder fire extinguishers are better. If a fire
certificate is in force for the premises it will specify the types and numbers of fire
extinguishers required.
93 You may tackle deep-seated fires inside a dust handling plant by applying an
inert atmosphere. It is likely to take a considerable time for displacement of all
the air from the centre of a large volume of powder and it may take days or even
weeks to dissipate the residual heat from a fire in a large silo.
Examples of protection in two plants
94 To illustrate the application of the precautions already described, paragraphs 95
and 96 describe the safety features of two simple plants.
95 The first plant is a grinding operation that involves the tipping of granular
material from intermediate bulk containers (IBCs) into a feed hopper. This leads to
a small hammer mill and from this a blower transfers the ground material to one of
two product bins. See Figure 7.
- The IBC tipping point has local exhaust ventilation. This draws escaping dust to
a filter located outside the building. The filter has explosion relief.
- The feedstock flows from the hopper through a rotary valve to the mill. The
rotary valve serves not only to control the flow of product, but also prevents an
explosion in the mill venting out through the hopper.
- A magnetic separator before the mill catches tramp metal.
- The mill itself can withstand an explosion and needs no explosion relief. The
inlet and outlet ductwork and associated joints are capable of withstanding
overpressures of up to 9 barg without distorting enough to allow flames to
emerge.
- A pressure sensor on the conveying system detects blockages. This allows the
mill to be turned off before material in the mill overheats and catches fire.
- Slide valves control which bins the product will enter. Interlocking ensures that
only one valve is open at any time. This will prevent an explosion propagating
from one bin to another.
- The bins are outside the building and have explosion relief.
- The bins have integral filter socks to permit the escape of air displaced during
filling. The dusty side of the filter is effectively part of the bin; the calculation of
the explosion relief area required depends on the bin volume alone.
[Figure 7. Labels: intermediate bulk container; feed hopper; local exhaust ventilation system leading to filter outside building with explosion relief on top; magnetic trap; rotary valve; grinder; conveying system; slide valve; filter sock; explosion relief panel; product bin.]
98 You may need to restrict access to some areas while the plant is operating.
This is easier to achieve where there is clear marking of the areas concerned. This
type of arrangement is sometimes used for areas at the top of storage bins, where
it has not proved possible to duct explosion vents to the outside. DSEAR3 also
requires the access points to zoned areas to be marked with a yellow and black
triangular Ex sign (see below), where the risk assessment shows it will have some
benefit. Signs might help remind employees where special rules apply, for example
on the use of portable electrical equipment, or define parts of the premises where
office staff are not intended to have access because they have not been trained.
[Figure labels: powder tanker; discharge hose; earthing strip to framework of building; silo inside building; high level alarm; explosion relief ducting to outside wall; cyclone outside building with explosion relief on top.]
Question 2
Question 3
Question 1
Test
Main Purpose
Hot surface
Self heating
Various
Electrostatic
Minimum ignition energy
spark
Question 2
Test
Main Purpose
Limited application
Question 3
Test
Main Purpose
Minimum explosible
concentrate
A3 The vertical tube apparatus is a small-scale method, which gives a visual result
only. It is used as a quick screening test to determine whether a particular dust has
any potential for exploding. Dusts that do not explode on initial testing may be dried
and/or sieved, then retested. See figure 9.
[Figure 9, vertical tube apparatus. Labels: perspex tube; ignition electrodes; non-return valve; deflector; solenoid valve; steel block; ball valve; air reservoir; air]
$$\left(\frac{dP}{dt}\right)_{\max} \cdot V^{1/3} = K_{St}$$
where KSt is a constant with units of bar.m.sec⁻¹, and V is the volume in m³ of the
vessel. The meaning of (dP/dt)max is indicated (figure 11) by a graph of a typical
pressure-time trace from an explosion. The test is run at a range of concentrations,
and the KSt value calculated from the most vigorous explosion.
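The cube-root relation above, applied to sampled pressure-time traces, as an added example that is not part of the original guidance: it takes the steepest pressure rise in each trace, scales it by V^(1/3), and reports the concentration that gave the most vigorous explosion. The traces, the vessel volumes and all function names are constructed for illustration.

```python
"""K_St from closed-vessel pressure-time traces using the cube-root law.

Added illustration. The sample traces are constructed, not measured data,
and must not be used for plant design.
"""


def max_rate_of_pressure_rise(times_ms, pressures_bar):
    """Return (dP/dt)max in bar/s: the steepest rise between consecutive samples."""
    if len(times_ms) != len(pressures_bar) or len(times_ms) < 2:
        raise ValueError("need two or more samples, one pressure per timestamp")
    steepest = 0.0
    for i in range(1, len(times_ms)):
        dt_ms = times_ms[i] - times_ms[i - 1]
        if dt_ms <= 0:
            raise ValueError("timestamps must be strictly increasing")
        # Multiply before dividing so millisecond timestamps stay exact.
        slope = (pressures_bar[i] - pressures_bar[i - 1]) * 1000.0 / dt_ms
        steepest = max(steepest, slope)
    return steepest


def kst_from_trace(times_ms, pressures_bar, vessel_volume_m3):
    """Apply (dP/dt)max * V^(1/3) = K_St; result in bar.m/s."""
    if vessel_volume_m3 <= 0:
        raise ValueError("vessel volume must be positive")
    rate = max_rate_of_pressure_rise(times_ms, pressures_bar)
    return rate * vessel_volume_m3 ** (1.0 / 3.0)


def most_vigorous(traces_by_concentration, times_ms, vessel_volume_m3):
    """Return (K_St, concentration) for the trace with the highest K_St.

    The test is run at a range of concentrations and K_St is taken from
    the most vigorous explosion, so the maximum over all traces is reported.
    """
    best_kst, best_conc = 0.0, None
    for conc, pressures in traces_by_concentration.items():
        kst = kst_from_trace(times_ms, pressures, vessel_volume_m3)
        if kst > best_kst:
            best_kst, best_conc = kst, conc
    return best_kst, best_conc


# Constructed sample data: pressure (bar) sampled every 50 ms after ignition,
# keyed by dust concentration in g/m3.
TIMES_MS = [0, 50, 100, 150, 200, 250]
TRACES = {
    250: [0.0, 0.5, 2.5, 6.0, 7.8, 8.0],
    500: [0.0, 1.0, 4.0, 9.0, 9.2, 9.1],
    750: [0.0, 0.8, 3.2, 7.5, 8.8, 8.9],
}

if __name__ == "__main__":
    kst, conc = most_vigorous(TRACES, TIMES_MS, vessel_volume_m3=1.0)
    print(f"K_St = {kst:.0f} bar.m/s at {conc} g/m3 (1 m3 vessel)")
    # The same rate of rise measured in a smaller vessel gives a smaller K_St.
    small = kst_from_trace(TIMES_MS, TRACES[500], vessel_volume_m3=0.008)
    print(f"Same trace in a 0.008 m3 vessel: K_St = {small:.0f} bar.m/s")
```

Because K_St depends on V^(1/3), a rate of pressure rise is only comparable between tests once the vessel volume has been factored in.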
[Figure labels, test vessel: ignition leads; water inlet; perforated dispersion ring; pressure transducer; exhaust valve; pressure gauge; ignition pellet; water outlet; dust chamber; support]
[Figure 11, typical pressure-time trace: Pressure (bar) against Time (sec), marking dust injection and (dP/dt)max]
| Explosion class | KSt bar.m.sec⁻¹ | |
|---|---|---|
| St 0 | | No explosion |
| St 1 | > 0 – 200 | Increasing severity of explosion |
| St 2 | | |
| St 3 | | |
A7 A range of wheat dust and wheat flour samples have been tested with moisture
contents in the range 4-14% and median particle sizes in the range 21-72 microns.
KSt values ranged from 53-137 bar.m/sec, with a value of 146 for a
sample of wheat gluten at 7% moisture, ie all were St 1 class. See reference 22.
A8 The results of tests on a large number of samples of different materials are
given in reference 13. For some natural products, where a scatter of results is to
be expected, this reference gives records of substantial numbers of earlier tests. In
this case, cautious assumptions about the properties of a particular product based
on the set of tests, may be as reliable as testing a further single sample. In other
cases, however, it is strongly recommended that process equipment is designed
using test results on samples representative of the finest and driest material likely to
be found in the process, and not just data drawn from other sources.
Table 1 Dust groups and examples of measurements

| Dust tested | Median particle size (µm) | Minimum explosible concentration (g/m3) | Maximum explosion overpressure (bar) | KSt value (bar.m/s) | St class |
|---|---|---|---|---|---|
| Paper tissue | 54 | 30 | 8.6 | 52 | |
| Glucose | 30 | 60 | 9.2 | 123 | |
| Wheat | 80 | 60 | 9.3 | 112 | |
| Polyethylene, low density | 62 | 15 | 8.5 | 131 | |
| Polymethyl methacrylate | 21 | 30 | 9.4 | 269 | |
| Calcium stearate | 12 | 30 | 9.1 | 132 | |
| Wood flour - various samples | 65 | 60 | 7.7-10.5 | 83-192 | |
| Magnesium | 28 | 30 | 17.5 | 508 | |

Warning: these results are not intended to be used directly for plant design
Appendix B: Legal
B1 The Health and Safety at Work etc Act 1974 (HSW Act) (reference 2) places a general
duty on employers to ensure the safety of both employees and other people from the
risks arising from the work activity, so far as is reasonably practicable. Suppliers or
manufacturers of flammable dusts that can explode, particularly where these are new
substances, have a duty under section 6 to inform anyone to whom the substance is
supplied about its properties. This may include the results of tests for explosibility.
B2 The Dangerous Substances and Explosive Atmospheres Regulations
2002 (reference 3) require that risk should be eliminated or reduced as far as is reasonably
practicable and that substitution of the dangerous substance should be considered
as the first option. The requirements are set out in more detail in supporting
approved codes of practice (references 14-18).
B3 The Provision and Use of Work Equipment Regulations 1998 (reference 5) require
every employer to take measures to prevent work equipment catching fire or
exploding. Where it is not reasonably practicable to prevent all fires and explosions,
measures to reduce the likelihood and minimise the consequences of a fire or
explosion are required. Any new equipment provided at a workplace must comply
with relevant European product safety legislation.
B4 The Workplace (Health, Safety and Welfare) Regulations 1992 (reference 6) and the
associated Approved Code of Practice set out the requirement to maintain plant in
a clean condition. The importance of cleanliness in plants handling flammable dusts
is highlighted elsewhere in this guidance.
B5 The Control of Substances Hazardous to Health Regulations 1999 (reference 7) will
usually apply where fine dusts are present as many cause health risks where they
can be breathed in. Precautions taken to reduce the dust levels in the workroom
for health reasons will help reduce the need for regular cleaning of the room.
Knowledge of the particle size of the dust will be useful in assessing both the health
and potential explosion risks.
B6 The Equipment and Protective Systems for Use in Potentially Explosive
Atmospheres Regulations 1996 (reference 8) (EPS) introduce requirements relating to
equipment placed on the market that are intended for use in potentially explosive
atmospheres. Any equipment, protective system or device within the scope
of the regulations is required to satisfy the relevant essential health and safety
requirements, and have undergone an appropriate conformity assessment
procedure. It will carry the CE mark and symbol of explosion protection, Ex in a
hexagon. Such equipment may be described as ATEX equipment. A substantial
guide to these regulations is published on the EU website. The regulations describe
3 categories of equipment, with the different categories intended for use in the
different zones. In addition equipment classed as an autonomous protective system
must comply with detailed essential health and safety requirements.
B7 The Fire Precautions (Workplace) Regulations 1997 as amended by
SI 1999/1877 apply very widely, and require employers to take precautions to
safeguard employees in case of fire. These include adequate emergency escape
routes from buildings, fire alarm systems and fire extinguishers. The precautions
selected will need to take account of any explosible dust that is present.
Appendix C: Laboratories undertaking testing of flammable dusts
C1 FRS, Building Research Establishment Ltd, Garston, Watford, WD2 7JR
C2 Chilworth Technology Ltd, Beta House, Chilworth Science Park, Southampton,
SO16 7NS
C3 Syngenta Technology, Process Hazards Section, South Bank, Huddersfield
Manufacturing Centre, PO Box A38, Huddersfield, HD2 1FF
C4 Hazard Evaluation Laboratory, 50 Moxon Street, Barnet, Hertfordshire,
EN5 5TS
C5 Burgoyne Consultants Ltd, Burgoyne House, Chantry Drive, Ilkley, West
Yorkshire, LS29 9HU
C6 Health and Safety Laboratory, Harpur Hill, Buxton, Derbyshire, SK17 9JN
References
1 Dust explosion prevention and protection: A practical guide Institution of
Chemical Engineers 2002 ISBN 0 85295 410 7
2 Health and Safety at Work etc Act 1974 chapter 37 The Stationery Office
ISBN 0 10 543774 3
3 Dangerous Substances and Explosive Atmospheres Regulations 2002
SI 2002/2776 The Stationery Office ISBN 0 11042957 5
4 Fire Precautions (Workplace) Regulations 1997 SI 1997/1840 as amended by
SI 1999/1877 The Stationery Office ISBN 0 11 082882 8
5 Provision and Use of Work Equipment Regulations 1998 SI 1998/2306
The Stationery Office ISBN 0 11 079599 7
6 Workplace (Health, Safety and Welfare) Regulations 1992 SI 1992/3004
The Stationery Office ISBN 0 11 025804 5
7 Control of Substances Hazardous to Health Regulations 1999 SI 1999/437
The Stationery Office ISBN 0 11 082087 8
8 The Equipment and Protective Systems for Use in Potentially Explosive
Atmospheres Regulations 1996, implementing the ATEX 95 directive SI 1996/192
as amended by SI 2001/3766 The Stationery Office ISBN 0 11 038961 1
9 Corn starch dust explosion at General Foods Ltd, Banbury Oxfordshire, 1981
The Stationery Office ISBN 0 11 8836730
10 BS EN 50281-1-2 1999 Electrical apparatus for use in the presence of
combustible dust; selection installation and maintenance British Standards
Institution
11 BS EN 50281-3 2002 Electrical apparatus for use in the presence of
combustible dust. Classification of areas where combustible dusts are or may be
present British Standards Institution
12 Combustion and Explosion Parameters of Dusts (Brenn- und
Explosionskenngroessen von Stauben), published in English by the HVBG (statutory
accident insurance organisation) Sankt Augustin, Germany ISBN 3 88383 468 8
13 BS EN 60529 1992 Specification for classification of degrees of protection
provided by enclosures British Standards Institution
14 Dangerous Substances and Explosive Atmospheres. Dangerous Substances
and Explosive Atmospheres Regulations. Approved Code of Practice and guidance
L138 HSE Books 2003 ISBN 0 7176 2203 7
15 Design of plant, equipment and workplaces. Dangerous Substances and
Explosive Atmospheres Regulations 2002. Approved Code of Practice and
guidance L134 HSE Books 2003 ISBN 0 7176 2199 5
Further information
For information about health and safety ring HSE's Infoline Tel: 0845 345 0055
Fax: 0845 408 9566 Textphone: 0845 408 9577 e-mail: hse.infoline@natbrit.com or
write to HSE Information Services, Caerphilly Business Park, Caerphilly CF83 3GG.
HSE priced and free publications can be viewed online or ordered from
www.hse.gov.uk or contact HSE Books, PO Box 1999, Sudbury, Suffolk
CO10 2WA Tel: 01787 881165 Fax: 01787 313995. HSE priced publications
are also available from bookshops.
British Standards can be obtained in PDF or hard copy formats from the BSI online
shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard
copies only Tel: 020 8996 9001 e-mail: cservices@bsigroup.com.
The Stationery Office publications are available from The Stationery Office,
PO Box 29, Norwich NR3 1GN Tel: 0870 600 5522 Fax: 0870 600 5533
e-mail: customer.services@tso.co.uk Website: www.tso.co.uk (They are also
available from bookshops.) Statutory Instruments can be viewed free of charge
at www.opsi.gov.uk.
Abstract
In this paper a semi-quantitative short-cut risk analysis method (SCRAM) is presented, allowing
for the assessment of dust explosion hazards. The method is first described and two application
examples are presented.
SCRAM is based on semi-quantitative descriptions of both the likelihood of dust explosions
occurring and the consequences of such explosions. The likelihood of dust explosions occurring
is based on the ignition probability and the probability of flammable dust clouds arising. While
all possible ignition sources are reviewed, the most important ones include open flames,
mechanical sparks, hot surfaces, electric equipment, smoldering combustion (self-ignition) and
electrostatic sparks and discharges. Apart from the machinery, the ignitibility and explosibility of
the dust will also play an important role.
The consequences of dust explosions are described as consequences for personnel and
consequences for equipment. The method reviews the consequences of both primary and
secondary events. Factors determining the consequences of dust explosions include how
frequently personnel are present, the equipment strength, housekeeping and implemented
consequence-reducing measures. Both the likelihood of dust explosions and consequences are
described by classes ranging from low probabilities and limited local damage, to high probability
of occurrence and catastrophic damage. Acceptance criteria are based on the likelihood and
consequence of the events.
The method allows for optimal choice of adequate preventive and protective measures.
To demonstrate the method, an application is presented: a milk powder production
facility.
1. Introduction
Dust explosions are a continuous threat in companies producing flammable powders and dust as
final and intermediate products. Sad recent examples include the serious accidents in Kinston,
North Carolina in 2003 (killing 6), Savannah, Georgia in 2008 (killing 14), and one year later the
explosion in a coal silo injuring 7 in Oak Creek, Wisconsin (2009). These serious accidents are
accompanied by many smaller dust explosion accidents in industry causing limited damage and
minor or no injuries. Some of them could however have led to more serious consequences.
Dust explosion risks prevailing in industrial facilities are dependent on a large variety of factors
that include process parameters, such as pressure and temperature, as well as equipment
properties, such as the presence of moving elements, the mechanical strength of such dust
handling equipment, dust explosion characteristics, and mitigating measures taken including
housekeeping and protective measures such as explosion venting.
In this document a semi-quantitative short-cut risk analysis method (SCRAM) is presented,
allowing for the assessment of dust explosion risks and choosing adequate preventive and
protective measures. The performance of an analysis as described here would make industry
aware of the most hazardous areas in their facilities and associated consequences in case of an
explosion.
The method is described and an application example presented. The example demonstrates the
strength of the method and the support it offers to industry for choosing appropriate risk
mitigating measures.
For a dust explosion to occur a flammable atmosphere must be present and simultaneously a
sufficiently strong ignition source. The dust concentration in this atmosphere must exceed a
certain limit, typically 30 g/m³, and the particle size distribution must be sufficiently small. Dust
with a particle size distribution from 10 to 40 micron and a dust concentration range from 250 to
1500 g/m³ has been shown to ignite most easily and produce the most severe explosions. Finer dust
might produce more severe explosions if the dispersion process has enough force to break up the
agglomerates and produce a dust cloud consisting of primary particles.
To be able to quantify the probability for the occurrence of an explosive atmosphere, properties
of the combustible material should be considered, together with how likely it is that the
combustible material will be mixed with air.
The probability of a specific ignition source being able to ignite the explosive atmosphere is
considered based on different criteria, such as the energy released by the ignition source, the
period in which this energy is supplied, the surface temperature of the ignition source and its
size. For mechanically generated sparks, collision speed, friction, contact time and physical
properties of the colliding materials are included.
Whether an ignition source is capable of igniting an explosive atmosphere depends on several
properties of the atmosphere, for instance the fuel concentration and the turbulence level and the
ignition properties of the explosive atmosphere (normally described by the minimum ignition
energy and minimum ignition temperature).
The factors mentioned above are considered individually and form the basis for estimating how
often an explosion can occur. It is not possible to give the exact frequencies for an explosion. In
a risk analysis the probability for an explosive atmosphere and the probability for an ignition
source are ranged from I to V, where I has the lowest probability and V has the highest
probability. Each range (I, II, III, IV and V) describes a range in probability or frequency.
The probability of an explosion occurring depends on the probability of the presence of an
effective ignition source and the probability of having an explosive atmosphere. The probability
of an explosion will be the product of these two probabilities (as long as the two are generated
independently of each other). Definitions and explanations of the values used are described
below.
The probability for a secondary event depends on the probability for the primary event and is
normally lower than that of the primary event.
2.2
The consequence for personnel (Dp) and equipment (De) is estimated based on the expected
effect of the explosion. This is estimated based on expected damage caused by the heat, pressure
or loose items after the definitions given below. The consequence for personnel and equipment
from an explosion depends on the explosion pressure and the heat intensity from the explosion.
Pressure build-up in enclosed units might cause the units to rupture resulting in heat radiation
from flames, dispersion of pressure waves and flying objects.
The strength of an explosion depends on several factors, for example the initial conditions of the
dust cloud, including the fuel concentration, initial turbulence and the position of the ignition
source. The properties of the combustible material are also important, including chemical
composition. The properties of the explosive atmosphere will change over time; hence the time
of the explosion is important for the explosion propagation.
Flames propagating out from a ruptured vessel release heat that might injure personnel or cause
damage to equipment. The convective heat transfer during an explosion causes the most severe
burns. Burns/damage might be the result if personnel or equipment are in direct contact with the
explosion flame.
2.3 Definitions
The probability or frequency of an explosion occurring and its potential consequences are
each estimated on a scale from I to V, as described previously. The definitions and descriptions of the different
values are given below.
Table 1

Probability classes

| Class | Description | Definition |
|---|---|---|
| I | Very unlikely | < 1/10000 per year |
| II | Unlikely | > 1/10000 per year, < 1/100 per year |
| III | Somewhat likely | > 1/100, < 1/10 per year |
| IV | Likely | > 1/10 per year, < 1 per year |
| V | Very likely | > 1 per year |

Consequence classes

| Class | Personnel | Equipment |
|---|---|---|
| I | No injury. | Marginal damage to process units. Process shut down. |
| II | Limited injury. | Damage to process unit (< $20,000). |
| III | Personnel injury. | Process unit collapse and possible damage to corresponding units (> $20,000; < $200,000). |
| IV | Serious personnel injury, possible loss of life. | Significant damage to several process units (> $200,000; < $2,000,000). |
| V | Loss of one or several lives. | Plant fully damaged (> $2,000,000). |
2.4
Consequence
The explosion risk is the product of the probability of an explosion occurring and its
consequences. In the present risk analysis a qualitative risk evaluation is completed for each
process unit. The risk level for explosions can be estimated from the matrix given in Figure 1
below, based on the probability and consequence, as described in the above section, and after the
definitions in Table 1 also above. The risk level increases from E to A.
Figure 1 Risk matrix (axes: Consequence against Probability, classes I to V)
2.5 Acceptance criteria
The risk level and the recommended acceptance criteria are selected and based on the
probability of human and economic loss according to Table 1 above. The selected criteria are
given in Table 2 below. It should be emphasized that these acceptance criteria are a proposal
only and may be chosen differently.
Table 2

| Risk level | Acceptance criteria | Recommended action |
|---|---|---|
| Very high | Unacceptable | |
| High | Unacceptable | |
| Medium | Medium | |
| Low | Acceptable | |
| Very low | Acceptable | |
In the application example given in this document, the estimations of probabilities and
consequences are summarized in tables. These tables also include estimations of ignition source
probability and an estimate of the risk of secondary incidents/events.
Below, explanations to the different parts of the tables are given.
Table 3
Process
unit
Example
Probability
of
flammable
atmosphere
IV
Probability of ignition
Equipment
(electric and
mechanical)
Hot
surfaces
Electric and
electrostatic
sparks and
discharges
II
Mechanical
sparks
Flames
and
smoldering
combustion
Probability
of
explosion
II
EXPOSURE TO EXPLOSION
PRIMARY EXPLOSION
Probability (injury/damage)
Consequence
Risk
Personnel
Equipment
Personnel
Equipment
Personnel
Equipment
II
III
III
Equipment
Personnel
Equipment
Personnel
Equipment
Comments:
EXAMPLE
Process unit:
Probability:
Consequence:
Risk:
The product of probability and consequence. Both the risk of primary and
secondary events is estimated. See Table 2 for acceptance criteria.
Ignition source:
Probability for occurrence of the five most common ignition sources are
given.
Analysis
there is a rather big number of well-described data available which are not varying much. The
data found for milk powder are presented in Table 4 (from Beck et al, 1997).
Table 4 Explosion properties of milk powder (Beck et al., 1997)

| Explosion property | Value |
|---|---|
| Maximum explosion pressure Pmax (bar) | 6-7 |
| Dust explosion constant KSt (bar.m/s) | 80-130 |
| Minimum ignition energy (MIE) (mJ) | > 50 |
| Minimum ignition temperature (MIT) (°C) | 450-600 |
| Lower explosion limit (LEL) (g/m3) | 60-150 |
wheel in the top of the dryer coming loose and hitting the wall of the dryer (In the light of the
minimum ignition temperature and minimum ignition energy of milk powder this ignition source
is most likely not able to cause ignition) and self-heating of layers of milk powder. The latter
would especially be possible if the rotating spraying wheel, in case of an anomaly, is distributing
the milk slurry against the walls of the cylindrical part of the dryer. The hot drying air could
cause the resulting milk powder cake to self-ignite. The smoldering material could come loose
and fall into the cone of the dryer, causing either ignition of a flammable dust cloud there or
whirl up dust and causing this to ignite.
The probability of the latter is relatively high and based on historical evidence an explosion
should be expected with a frequency of between 10⁻¹ and 10⁻² per year (probability class III).
Here it is assumed that the ignition source also causes the dust cloud (a smoldering cake of milk
powder falling into the cone of the dryer).
A final ignition source could be an explosion occurring in other parts of the drying installation
running back into the dryer. This ignition source, although very realistic, is not considered here
since in a full risk analysis of the spray dryer installation it has to be considered in the analysis of
the other pieces of equipment of the installation. In this document it is assumed that sufficient
preventive and protective measures are taken to prevent this from happening, i.e. the likelihood
of this ignition source occurring is assumed to be sufficiently low.
The consequence of the explosion is most likely the failure of the dryer (explosion tests reported
by Siwek et al. (2004) show that pressures up to 1 bar are possible; it should be mentioned
however that these tests were performed under conservative conditions), potentially injuring
personnel or even causing fatalities if they are in the vicinity of the dryer at that very moment
(consequence classes III and IV respectively). Moreover there is a possibility that the explosion
propagates into the fluid bed or the cyclones and into the bag filter (secondary incident). This
probability is however lower than the probability of an explosion (probability class II). The
consequences are however more severe: loss of the plant (consequence class IV) and most likely
loss of one or several lives (consequence class V).
The analysis is summarized in Table 5. The table also determines the risk based on the various
probabilities and associated consequences.
Risk evaluation
The results of the analysis of the spray dryer are summarized in Table 5. The Table shows that the
risks are either medium (implying that risk reducing measures should be implemented) or high
(implying risk reducing measures must be implemented). Hence two alternatives are
investigated: one where a single preventive measure is introduced reducing the probability of
explosions and a second one where this preventive measure is combined with protective
measures.
3.2
smoldering before a hazardous situation arises (Steenbergen et al, 2007). Including this
preventive measure a new analysis has been performed of the explosion risks of the spray dryer.
Table 5 Summarizing the probabilities and consequences of primary and secondary events in the spray dryer and the associated risks for personnel and equipment.
Process
unit
Spray
dryer
Probability
of
flammable
atmosphere
V
Probability of ignition
Equipment
(electric and
mechanical)
Hot
surfaces
Electric and
electrostatic
sparks and
discharges
Mechanical
sparks
Flame and
smoldering
combustion
III
Probability
of
explosion
III
EXPOSURE TO EXPLOSION
PRIMARY EXPLOSION
Probability (injury/damage)
Consequence
Risk
Personnel
Equipment
Personnel
Equipment
Personnel
Equipment
II
III
IV
III
Equipment
Personnel
Equipment
Personnel
Equipment
II
II
IV
Comments:
Hazard identification
The introduction of a CO-detection system will reduce the probability of an explosion. An early
detection of smoldering combustion is assumed to reduce the probability of explosions by at least
a factor of 10, implying a probability of explosions of class II. The probability of equipment being
damaged and personnel being affected will be reduced accordingly both for primary and
secondary incidents. The consequences are however still similar. This results in risks as
summarized in Table 6.
Risk evaluation
Table 6 shows that risks have been reduced by introducing a CO-detection system compared to
Table 5 presenting the original risks without any preventive or protective measure. The
Table 6 Summarizing the probabilities and consequences of primary and secondary events in the spray dryer and the associated risks for personnel and equipment after implementation of a CO-detection system.
Process
unit
Spray
dryer
Probability
of
flammable
atmosphere
V
Probability of ignition
Equipment
(electric and
mechanical)
Hot
surfaces
Electric and
electrostatic
sparks and
discharges
Mechanical
sparks
Flame and
smoldering
combustion
II
Probability
of
explosion
II
EXPOSURE TO EXPLOSION
PRIMARY EXPLOSION
Probability (injury/damage)
Consequence
Risk
Personnel
Equipment
Personnel
Equipment
Personnel
Equipment
II
II
IV
III
Equipment
Personnel
Equipment
Personnel
Equipment
IV
remaining risks for personnel which are described as medium according to the acceptance
criteria proposed in Table 2 should be addressed by introducing further risk reducing measures.
As described in section 3.1 an additional analysis is presented where the preventive measure of
CO-detection is combined with protective measures. A combination of explosion venting and
explosion isolation by extinguishing barriers between the dryer and fluidized bed and the dryer
and the cyclones is investigated.
3.3 New analysis investigating the introduction of preventive measures in combination with
protective measures
Reducing the probability of an explosion by introducing CO-detection still leaves personnel
exposed to a medium risk. Hence additional protective measures are proposed. The effects of
introducing a combination of explosion venting and explosion isolation (extinguishing barriers)
have been investigated.
Hazard identification
The probability of explosions assuming an early detection of smoldering combustion is still as
described in section 3.2 equivalent to a probability class II. The consequences of possible
explosions are however reduced considerably. Assuming use of appropriate venting devices,
sufficient venting surface and taking into account the effect of vent ducts (which are necessary
since the spray dryer is installed inside a building) and adequate installation distances for the
extinguishing barriers (containing sufficient extinguishing powder to extinguish flames) the risk
of explosion in the spray dryer can be reduced considerably. The consequences of an explosion
are now reduced to limited or no damage both for the primary and secondary events
(consequence class I).
Risk evaluation
Introducing explosion protective measures as described reduces the risks both for the equipment
and personnel to acceptable levels. The reduction of consequences to consequence class I
(replacement of vent panels and refilling of extinguishing barriers (neglecting the costs of loss of
some produced milk powder)) results in risk levels E implying that no further measures would be
necessary. Results of the analysis have been presented in Table 7.
4. Conclusions
A semi-quantitative short-cut risk analysis method (SCRAM) has been presented, allowing for
the assessment of dust explosion risks and choosing adequate preventive and protective
measures. The performance of such an analysis makes industry aware of the most hazardous
areas in their facilities and associated consequences in case of an explosion.
The application example demonstrates the strength of the method and the support it offers to
industry for choosing appropriate risk mitigating measures.
Table 7 Summarizing the probabilities and consequences of primary and secondary events in the spray dryer and the associated risks for personnel and equipment after implementation of a CO-detection system in combination with explosion venting and explosion isolation towards fluidized bed and cyclones.
Process
unit
Spray
dryer
Probability
of
flammable
atmosphere
V
Probability of ignition
Equipment
(electric and
mechanical)
Hot
surfaces
Electric and
electrostatic
sparks and
discharges
Mechanical
sparks
Flame and
smoldering
combustion
II
Probability
of
explosion
II
EXPOSURE TO EXPLOSION
PRIMARY EXPLOSION
Probability (injury/damage)
Consequence
Risk
Personnel
Equipment
Personnel
Equipment
Personnel
Equipment
II
II
Equipment
Personnel
Equipment
Personnel
Equipment
Comments: A CO-detection system has been included combined with explosion venting
and isolation.
5. References
Beck H., Glinke N. and Mohlman C., BIA-Report: Combustion and explosion characteristics of
dust, HVBG, Berufsgenossenschaftliches Institut für Arbeitssicherheit BIA 13/97, 1997.
Siwek, R., van Wingerden, K., Hansen, O.R., Sutter, G., Schwartzbach, Chr., Ginger, G., &
Meili, R., Dust explosion venting and suppression of conventional spray driers. Eleventh
International Symposium on Loss Prevention, Prague, May 31 – June 3, 2004.
Steenbergen, A.E., Van Houwelingen, G. and Straatsma, J., System for early detection of fire in
a spray drier, International Journal of Dairy Technology, 44, no. 3, pp. 76-79, 2007.
Abstract
Dust is created from solids handling in many industries. Every company that has a process that
handles dust must fully understand all of the associated hazards. A hazard analysis performed by
a competent technical specialist using fully developed process safety information is the most
effective method of hazard evaluation. Process Hazards Analysis (PHA) methodology developed
and matured in the refining and chemical industries is proving very successful in evaluating
combustible dust handling processes.
This paper will present a methodology for conducting combustible dust PHAs. Once hazards
have been identified and the consequences associated with improper handling are fully
understood, safety systems can be evaluated for adequacy and gaps identified. This paper will
discuss available recognized and generally accepted good engineering practice, as well as
industry best practices. Combustible dust control philosophies will be reviewed and discussed.
Management systems, dust handling equipment, safety systems, and mitigation systems will also
be a focus of this paper.
1. Introduction
Most organic dusts and some metallic dusts are combustible under the following conditions:
• Particles are ignitable and small enough to propagate a flame front (< approximately
420 µm (microns))
Proper management of processes handling solid particulates with the possibility of producing
dust is basic to reducing risk to a Companys acceptable level. A proper management system
should consist of at least the following eleven elements:
1. Identification of dust hazards
2. Proper area classification
3. Process Hazards Analysis (PHA)
4. Management of Change (MOC)
5. Engineering controls
6. Housekeeping
7. Process separation/segregation
8. Fire protection
9. Grounding/bonding
10. Mechanical integrity
11. Hazard communication training
2. Definitions
Term: Definition
Combustible dust: A combustible particulate solid that presents a fire or deflagration hazard when suspended in air or some other oxidizing medium over a range of concentrations, regardless of particle size and shape. (NFPA 654)[1]
Explosive atmosphere: For the purpose of this requirements document, an explosive atmosphere means a mixture of air, under atmospheric conditions, and a combustible dust in which, after ignition has occurred, combustion spreads to the entire unburned mixture.
Kst: Maximum rate of pressure rise expressed in bar-meters/second normalized to a volume of 1 cubic meter (m³) to distinguish from (dP/dt)max. Referred to as the deflagration index of a dust cloud.
Limiting Oxygen Concentration (LOC): The concentration of oxidant below which a deflagration cannot occur in a specified mixture.
Particulate solids: Granules, pellets, dusts and powders.
Minimum explosive concentration (MEC): The minimum concentration of a combustible dust suspended in air, measured in mass per unit volume, which will support a deflagration.
Minimum ignition energy (MIE): Minimum spark energy needed to ignite an optimum concentration of a material using a capacitive spark under ideal conditions.
Maximum pressure (Pmax): The maximum pressure occurrence as a result of a dust explosion or deflagration.
Minimum autoignition temperature (MAIT): The lowest temperature at which a material will ignite without an external ignition source.
3.
Facilities with processes that manufacture, handle, and/or store particulate solids should evaluate
the potential for those processes to produce a combustible dust. The process may be the
production of a product, handling of a raw material, or the processing of an intermediate
particulate solid. Almost all solids can produce dust during handling processes. If the dust
produced from the handling process is not directly known to be combustible, through industry
consensus or published data, the material must be tested by a competent laboratory to determine
if the dust produced is combustible. Most organic dusts and many metallic dusts are
combustible.
When combustible dust is handled in a facility, testing to determine the potential hazard rating
should be performed by a competent laboratory or a competent source should be used to provide
documentation of the hazards of the dust. The following information should be obtained either
by testing the particulate using applicable testing protocols or obtaining the data from existing
technical resources and published test data:
- Particle size (worst case scenario: the smallest particles that may be found under normal or abnormal operating conditions)
- Conductivity
The combustible dust should be classified, in accordance with the table below, and the
classification rating retained as process safety information. [2]
Dust explosion class | Kst (bar.m/s) | Characteristic
St 0 |  | No explosion
St 1 |  | Weak explosion
St 2 |  | Strong explosion
St 3 | > 300 |
4.
- That explosion risks have been determined and assessed (typically through a process hazard analysis (PHA))
- That adequate measures will be taken to attain the aims of the EU 1999/92/EC directive
- That areas containing combustible dust have been properly classified into explosion zones
- That the workplace and work equipment, including warning devices, are designed, operated and maintained with due regard for safety (see Section 6 on engineering controls)
- That arrangements have been made for the safe use of work equipment (89/655/EEC)[6]
- That the area is properly fenced and signage indicates proper warnings (where required by local regulations)
A Process Hazard Analysis (PHA) should be performed to analyze each process handling
combustible dust. Each PHA should be revalidated every 5 years or as required by local
regulation. A targeted What-if/Checklist method of PHA is very effective in evaluating the
hazards and process controls. The PHA team should always have present a subject matter
expert, someone familiar with the technical aspects of dust explosions and fires and the systems
required to manage the hazards. The PHA should:
- Consider the physical and chemical properties that establish the hazardous characteristics of the combustible dust being handled
- Evaluate the need for safety systems to prevent or mitigate combustible dust fires and explosions
The design of new processes that will handle combustible particulates should be analyzed
through PHA. The design and design basis should be documented and retained for the life of the
process.
The PHA should assess the specific risks arising from explosive atmospheres, taking into
account at least:
- The likelihood that explosive atmospheres will occur and their persistence
- The likelihood that ignition sources, including electrostatic discharges, will be present and become active and effective
The consequences of an explosion and the overall risks of an explosion occurrence should be
assessed.
Places connected to equipment or places where an explosion could occur should be taken into
account when evaluating the explosion risks.
The PHA should evaluate the inherent safety of a system handling combustible dusts.
Replacement of chemicals or substitution of a different formulation (liquid versus powder, pellet
versus powder, etc.) should be considered by the PHA team when making recommendations.
Design considerations should analyze equipment design options that include designing
equipment capable of containing an internal dust deflagration.
The PHA team should have at least one person familiar with combustible dust hazards and
protective systems. A team member may be considered as familiar with the hazards and
protective systems associated with combustible dust if they have a background in identification
of combustible dust hazards and engineering and administrative controls. A PHA team member
may also be considered as familiar with combustible dust hazards and protective systems through
training.
5. Management of Change
Processes handling combustible particulate solids should have a written management of change
(MOC) procedure to safely manage changes to the process, technology, equipment and facilities,
except for replacements-in-kind. This program should address the following:
- The documentation of the technical basis for a change and the expected result
- When a Process Hazards Analysis and/or other EHS Reviews should be conducted
- The identification of temporary changes, necessary time period for these changes and measures that should be taken to assure a safe operation
- Training of employees (operators, mechanics, and technical personnel) who have job responsibilities affected by the change prior to its implementation or performing work associated with the change
Examples of a change that would require a MOC may include the following (this is not intended
to be a complete list of items requiring MOC for dust concerns but only to serve as examples):
- Adding new equipment, such as a mixer, dryer, bag house, conveyor, dust collector, cyclone, separator, blower, sifter, or classifiers
- Increasing the temperature in the process that could result in drier material
- Reduction or change in the inerting gas flow or volume or a change in the type of inert gas such as nitrogen to carbon dioxide
- Making a process change that reduces the particle size of the combustible particulate solid being handled
6. Engineering Controls
Engineering controls should address the hazards of handling combustible particulate solids.
Controls should be designed and installed in accordance with recognized and generally accepted
good engineering practices (RAGAGEP). Engineering controls should require:
- Prevention of the potential for a dust explosion through inherently safer technology (e.g., designing equipment to contain a deflagration, etc.)
- Design and installation of deflagration containment system
- Inerting of the process to prevent a dust deflagration and fire
- Emergency venting of the process
- Suppression equipment per applicable RAGAGEP
(An example of RAGAGEP includes, but is not limited to, NFPA 654.)
6.1 Inerting
Gas inerting of a process handling combustible particulates should be designed to maintain the
oxygen concentration at a level that is too low to support a dust deflagration or fire. Adequate
instrumentation and instrumented protective systems should be installed to ensure that oxygen
concentrations are always in a safe range whenever there exists the possibility of an ignition
occurring.
6.2 Emergency Venting
Equipment Specifications
Equipment specifications should follow RAGAGEP for control of the hazards of handling
combustible particulates. Equipment should be designed to be inherently safe (able to contain
an internal dust deflagration) or adequate protective systems should be installed to protect the
equipment from internal deflagration. Emergency venting or high integrity instrumented
protective systems (interlocks) should be installed to reduce the risk of an internal deflagration to
an acceptable level. Equipment that should be considered as potentially handling combustible
dust includes the following:
Silos
Conveyors (solid particulate handling)
Product elevators
Classifiers and sorters
Cyclones
Ducting
Cleaning vacuum systems
Loading/unloading systems
Dryers
Mixers
Dust collection systems
(This list is not intended as all inclusive. Other equipment, as noted by intended service, should
be included in this list.)
Equipment should be classified as suitable for the area in which it will be installed and follow
applicable area classification standards. Examples of applicable standards include but are not
limited to:
NFPA 70, Chapter 5, Article 500
Directive 99/92/EC of the European Parliament - ATEX 137
Directive 89/655/EEC of the European Parliament
Directive 94/9/EC of the European Parliament - ATEX 95
Safety instrumented systems and alarms should be designed, installed and maintained per
industry RAGAGEP.
Equipment interconnectivity should be considered and evaluated during the PHA of processes
that manufacture, handle, and/or store combustible dusts. Protective systems should be installed
to prevent the propagation of a fire or deflagration flame front from the original equipment to
other connected equipment in the process. NFPA 654 provides examples of engineering
corrective measures that may be used to prevent the spread of a dust fire or deflagration.
Applicable RAGAGEP should be used as reference for proper design of segregation equipment.
Explosion suppression equipment should be designed and installed per guidelines of applicable
RAGAGEP such as NFPA 69.
Equipment handling combustible particulates should be grounded and bonded to prevent the
accumulation of static electricity that can discharge and ignite combustible dust. Grounding and
bonding should be verified by a qualified person prior to start-up of any newly added equipment
or existing equipment that has been modified in such a manner to affect its electrical bonding or
grounding. A maintenance program should be in place to periodically confirm the continuity of
equipment bonding and path to ground. Electrical resistance should be measured and verified as
being less than 1 x 10^6 ohms to ground. [1]
Buildings housing equipment handling combustible particulates should be constructed per
applicable RAGAGEP. One example of RAGAGEP is the NFPA 654 Standard. NFPA 654
requires buildings to be constructed in such a way that the support structure will remain standing
after a dust explosion to prevent full collapse of the building on the occupants and equipment and
to also allow for emergency exit of occupants[1]. Another example of RAGAGEP is the Uniform
Fire Code, which states that buildings where flammable or explosive dusts are manufactured,
processed, or generated shall be provided with explosion control.
7. Housekeeping Controls
Facilities should have a program in place to control fugitive emissions of combustible dust into
work areas. This program should include recognition and prompt repair of dust leaks. Where
fugitive dust is released the facility should have controls in place, which may include continuous
ventilation to minimize the build-up of dust in normal operations. Facilities handling
combustible dust should have a housekeeping program. The housekeeping program should, at a
minimum, contain the following elements:
1. For combustible dusts having a bulk density of 75 lbs/ft3 (kg/m3) or more: Dust
accumulations in a 100 ft2 (9 m2) floor area that are in excess of 1/32nd inch (0.8
mm) and cover more than 5% of the surface area would provide a dust cloud with
sufficient concentration for a dust deflagration.
2. For combustible dusts with a bulk density less than 75 lbs/ft3 (kg/m3): The
following formula may be used to adjust the allowable thickness:
Allowable thickness (in.) = (1/32)(75) / (bulk density (lb/ft3)(kg/m3))
Example: If a 1/32nd inch dust layer of material having a bulk density of 75
lbs/ft3 covered more than 5 feet in a 10x10 room there is a sufficient quantity
of dust, if suspended in air, to produce a deflagration.
Example: If the dust layer has a bulk density of 35 lbs/ft3 it would take a dust
layer 0.067 in. thick to exceed the hazardous dust thickness:
(75)(1/32)/35 = 0.067 in. thick
3. The thickness of dust accumulation that could create a combustible dust cloud for
buildings with room heights in excess of 10 ft (3.05 m) can be calculated using the
following formula:
Tex = (H x Atot) / (87.5 x p x Adust)
where:
Tex = thickness of dust layer required to create a room explosion hazard (inches)(cm)
H = height of the room or building (ft)(m)
Atot = total floor area of room or building (ft2)(m2) [use 20,000 (ft2) as an upper
limit regardless of the actual room or building area (exception: if dust is evenly
deposited over the entire area, you can use the actual floor area without maximum
limitation)]
p = bulk density of deposited dust (lb/ft3)(kg/m3)
Adust = total area (ft2)(m2) of suspensible dust deposits within the room or
building volume.
Overhead beams and ledges should be considered in the total area of dust deposits.
The available surface area for dust deposits on joists, girders, beams, and other
overhead structures can be roughly estimated to be 5% of floor area.
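The two housekeeping thickness rules above, worked as an added Python example (it is not part of the original paper). Function and parameter names are illustrative, and the calculation uses US customary units only, because the constants 1/32, 75 and 87.5 are stated in those units.

```python
"""Dust-layer housekeeping thresholds from the two formulas in the text.

Added illustration; all names are hypothetical. Units: in., ft, ft2, lb/ft3.
"""

BASE_THICKNESS_IN = 1 / 32       # layer depth quoted for 75 lb/ft3 dust
BASE_DENSITY_LB_FT3 = 75.0
FLOOR_AREA_CAP_FT2 = 20_000      # upper limit on Atot unless evenly deposited
OVERHEAD_FRACTION = 0.05         # rough estimate for joists, girders, beams
COVERAGE_FRACTION = 0.05         # "more than 5% of the surface area"


def _positive(**values):
    for name, value in values.items():
        if value <= 0:
            raise ValueError(f"{name} must be positive, got {value}")


def allowable_thickness_in(bulk_density):
    """Allowable layer depth; scaled up for dusts lighter than 75 lb/ft3."""
    _positive(bulk_density=bulk_density)
    if bulk_density >= BASE_DENSITY_LB_FT3:
        return BASE_THICKNESS_IN
    return BASE_THICKNESS_IN * BASE_DENSITY_LB_FT3 / bulk_density


def overhead_area_estimate_ft2(floor_area_ft2):
    """Rough deposit area on overhead structures: 5% of floor area."""
    _positive(floor_area_ft2=floor_area_ft2)
    return OVERHEAD_FRACTION * floor_area_ft2


def room_explosion_thickness_in(height_ft, floor_area_ft2, bulk_density,
                                dust_area_ft2, evenly_deposited=False):
    """Tex = (H x Atot) / (87.5 x p x Adust), with the 20,000 ft2 cap on Atot."""
    _positive(height_ft=height_ft, floor_area_ft2=floor_area_ft2,
              bulk_density=bulk_density, dust_area_ft2=dust_area_ft2)
    a_tot = floor_area_ft2
    if not evenly_deposited:
        a_tot = min(floor_area_ft2, FLOOR_AREA_CAP_FT2)
    return height_ft * a_tot / (87.5 * bulk_density * dust_area_ft2)


def assess_room(measured_in, height_ft, floor_area_ft2, bulk_density,
                dust_area_ft2, evenly_deposited=False):
    """Return (hazardous, limit_in) for a measured layer depth.

    Rooms above 10 ft use the Tex formula; rooms up to 10 ft use the
    density-adjusted allowable thickness plus the 5% coverage condition.
    """
    if height_ft > 10:
        limit = room_explosion_thickness_in(
            height_ft, floor_area_ft2, bulk_density, dust_area_ft2,
            evenly_deposited)
        return measured_in > limit, limit
    limit = allowable_thickness_in(bulk_density)
    covered = dust_area_ft2 > COVERAGE_FRACTION * floor_area_ft2
    return (measured_in > limit and covered), limit


if __name__ == "__main__":
    # Constructed survey values, not data from the paper.
    print(round(allowable_thickness_in(35), 3))
    print(assess_room(0.06, 30, 50_000, 35, 3_500))
```

For a 10 ft room with deposits on 5% of a 100 ft2 floor and 75 lb/ft3 dust, the Tex formula gives about 0.0305 in., which agrees with the 1/32 in. rule of item 1.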
4. Surfaces should be cleaned in a manner that minimizes the generation of dust clouds.
Vigorous sweeping or blowing down with steam or compressed air should not be
permitted when such activities can produce a dust cloud. (Use of compressed air for
cleaning is not allowed by OSHA regulations unless the pressure is regulated to less
than 30 psig (2.07 bar)). The use of a central vacuum cleaner system is recommended.
The vacuum cleaner system must be rated for use in Class II areas or for use in the
designated zones as noted:
Zone 20 category 1 equipment
Zone 21 category 1 or 2 equipment
Zone 22 category 1 or 2 or 3 equipment
If the vacuum cleaner system will be used to clean up hybrid dust mixtures that may contain
flammable hydrocarbons, the vacuum system must also be rated for use in Class I areas or
suitable for Zones 0, 1, or 2.
Facilities should ensure that clean up activities do not create additional hazards. Facilities
should evaluate the use of water to wash down chemicals that may form a corrosive solution in
water. If a corrosive solution is generated by washing down activities equipment may be
damaged.
Facilities should ensure proper handling and disposal of waste material that may be created
during cleaning activities.
8. Process Siting
Processes handling combustible particulate solids should be designed, constructed, equipped, and
maintained to protect occupants not in the immediate proximity of a fire or deflagration.
Buildings and process areas should also be designed to allow time for those in near proximity to
evacuate, relocate, or take refuge in the event of a fire or explosion. This may include building
design that includes weak panels to vent an explosion and adequate structural integrity to
withstand the explosion or fire thus allowing personnel time to evacuate.
A siting study should be performed to evaluate the effects associated with a combustible dust
explosion. The process should be located, designed, constructed, and maintained to minimize
the propagation of fire or explosion to or from adjacent properties and to avoid injury to the
public.
When a process handling combustible particulates is located within a structure the structure
should be designed, constructed, and equipped to maintain its structural integrity in spite of fire
or explosion for the time necessary to evacuate, relocate, or shelter in place occupants not in the
immediate proximity of the ignition.
Emergency relief vents or panels should relieve to a safe location. Emergency vents should not
relieve inside the building where a secondary explosion may occur from the released dust cloud
or where personnel may be present. Emergency vents should not relieve outside the building to
an area where a secondary dust deflagration may occur or where the pressure wave and burning
material may adversely affect an area where workers may be present or where the pressure wave
may affect process equipment containing hazardous materials.
Where combustible atmospheres can occur, workers should be given visual and/or audible
warnings that conditions exist which could reasonably result in a fire and/or explosion so that
they may evacuate prior to the fire or explosion. This may include optical detectors with alarms
to alert personnel of a significant dust cloud or other appropriate detectors with alarms.
Examples of adequate warnings devices may include such things as alarms that alert personnel
on loss of inerting atmosphere, where inerting is used to prevent a dust deflagration, or an optical
light detector that would alert personnel of the presence of a dust cloud with a concentration
sufficient to have a deflagration.
Exits from the process area should exist and be located and maintained to allow for safe
evacuation.
9. Fire Protection
Fire protection should be provided for process areas handling combustible particulates. Fire
protection systems should be designed using good engineering practices such as National Fire
Protection Association (NFPA) and applicable Insurance agency requirements.
Where process areas are connected to or are part of warehouse operations, the warehouse should
be provided with adequate fire protection systems or a properly designed firewall with adequate
fire rating is recommended.
Equipment and protective systems designed for use in EU member countries should be compliant
with 94/9/EC.
10. Mechanical Integrity
- Identification and control of potential ignition sources - inspection for hot bearings, missing insulation on hot piping, maintenance of trash metal detectors, periodic alignment checks for rotating equipment, lubrication of bearings, etc.
- Process changes - new equipment should be added to the MI program and inspected and tested to ensure that the equipment is installed and is working as designed
Inspections, testing and preventive maintenance records should be documented and retained for
the life of the equipment.
Material feeding devices should be maintained to ensure safe operations. Bearings should be
lubricated, as applicable (sealed bearings do not require lubrication but should be inspected and
tested to ensure proper operation. Thermographic imaging can be used to locate a hot bearing.).
Air-moving devices should be inspected to ensure safe operations. The inspection plan for air-moving devices should include the following activities, at a minimum:
Fans, blowers, and compressors are checked for excessive heat and vibration
Lubrication of external bearings should be performed during equipment down time
Bearings should be inspected and tested for excessive wear
Fan housings should be inspected for corrosion/erosion wear
Air-material separators should be inspected to ensure safe operation. The inspection plan for
material separators should include:
The separators should be inspected for erosion/corrosion.
Devices should be adjusted and lubricated per manufacturer's recommendations.
The filter media should be replaced as recommended by the manufacturer and based
on plant experience.
Fire and explosion protection systems should be inspected and tested per regulatory and the
insurance agency's recommendations. Testing of fire and explosion protection systems should
always comply with local regulations.
Emergency vents, explosion panels, isolation valves, flame arrestors, and relief valves should be
inspected and tested in compliance with regulatory requirements, manufacturer's
recommendations, or they should be inspected on a frequency based on plant practice and
experience.
All explosion prevention systems and inerting systems should be maintained pursuant to the
requirements of NFPA 69, Standard on Explosion Prevention Systems unless said
requirements conflict with local regulatory requirements.[3]
Grounding and bonding systems should be periodically inspected and tested. Metal components
should have a resistance of less than 1 x 10^6 ohms to ground.
11. Procedures
12.
12.1
Company MSDS for a material that can produce a combustible dust should be produced and the
MSDS made available to affected personnel.
12.2 Warning Signs
If required by regulatory bodies in EU countries, warning signs should be located at the entrance
to locations where explosive atmospheres may occur in compliance with 1999/92/EC.[5]
12.2 Training
Operators, maintenance and technical personnel should all be trained on combustible dust
hazards, preventing dust explosion and fires and the safety systems in place to prevent or
mitigate dust explosions. All personnel involved in operating and maintaining the process
should receive initial and refresher training on the process and the plant safe work practices
applicable to their duties. Training should include the following elements, as applicable:
Hazards of their workplace
General orientation, including plant safety rules
Process description
Equipment operation, safe startup and shutdown, and response to upset conditions
The necessity for proper functioning of related fire and explosion protection system
Equipment maintenance requirements and practices
Housekeeping requirements
Emergency response plans
Workers should be trained on emergency procedures and actions to be taken in the event of a fire
or explosion involving combustible dust.
13. Conclusions
Recent events such as the Imperial Sugar combustible dust explosion in 2008 continue to identify
the hazards of handling combustible dusts. A company that handles solid particulates must
identify if there is a hazard present from a combustible dust and, if so, that company must have a
program to safely manage the hazard. A facility should be designed and maintained for the safe
operation of those processes that handle combustible dust.
Industries that handle materials that can produce combustible dust include food processors,
agricultural product handling, pet food manufacturers, sugar manufacturing, chemical plants, and
many more. OSHA continues its national emphasis program (NEP) for the inspection of targeted
industries handling combustible dusts. OSHA has stated that it has plans to promulgate a new
combustible dust standard in 2011.
References
[1] NFPA 654 Standard for the Prevention of Fires and Dust Explosions from the Manufacturing, Processing and Handling of Combustible Particulate Solids
[2]
[3]
[4]
[5]
[6] Directive 89/655/EEC concerning the minimum safety and health requirements for the use of work equipment by workers at work
[7]
[8]
Index:
The Risk Assessment process
Description of LOPA
Scenario definitions, Target Factors, severity, frequency
LOPA Onion
Concept of Protection Layers
The Bow Tie
LOPA as a simplified tool to reduce complexity
Conditional Modifiers
Independent Protection Layers (IPLs)
Structuring LOPA
Acronyms and Definitions (BPCS etc)
The LOPA Process
The LOPA Process - Hazard Identification
The LOPA Process - Scenarios
The LOPA Process - Consequence Estimation and quantification
The LOPA Process - Initiating Events
The LOPA Process - Conditional Modifiers
The LOPA Process - Independent Protection Layers
The LOPA Process - Other Safety Related Protection Systems - discussion and resolution
Limitations - state of the art - what decisions can we support? What questions remain?
Appendix
How to decide if enough is enough? Intro to ALARP.
Uncertainty and Sensitivity
Definitions
LOPA spreadsheet tool instructions
References
This course covers the analysis method Layer of Protection Analysis to design and manage layers of
protection. It is a tool to be used in processes like
[Figure: Simplified Risk Management Process. Determine risk review requirements (when & who) -> Identify hazards -> Analyze/assess risk (what & how) -> Is risk tolerable? If yes, manage residual risk. If no: can risk be reduced? If yes, reduce risk; if no, discontinue activity.]
The course refers to but does not address detail validation, registration and testing requirements
What are we interested in?
A means of analysing and managing risk, reducing it when we believe that it is intolerable.
A very important step must be
Have I defined my risk tolerance criteria or target?
What does this mean?
It is important for the user to have a clear idea of what his targets are. It is recommended that a company sets
its own criteria where there are none set by the governing authorities. Typically, the target is a frequency. In the
LOPA study, the target frequency (the LOPA Target) is the frequency which the user considers to be entering
the tolerable region. In Europe several countries have published targets for off site effects such as serious injury
or fatality (e.g. Netherlands ALARA). Others do not have specific targets. In the U.K. the Health and Safety
Executive suggests some numbers in terms of frequencies but they have the concept of ALARP. ALARA and
ALARP will be discussed later. In principle, you need to show that you have considered lowering the risk further
but that it cannot be justified (for example it might involve unreasonable cost). This course suggests some
tolerated frequencies which have been used in Quantitative Risk Assessment. A fundamental step is for targets
to be set. Targets should vary according to an estimate of the severity of an unwanted event. There are several
ways of doing this. In any event, it has to be conceded that the tolerable frequency for a cut finger will be
greater than (more frequent than) a fatality.
The difference between TOLERABLE and ACCEPTABLE?
A personal approach. If a situation is acceptable I have little motivation to improve it. I have accepted it and
am unlikely to seek opportunities to improve it. If a situation is tolerable, I am tolerating it, but am actively
seeking ways to improve it.
The following is an example (but you need to derive your own or use data from the Competent Authorities).
Target
Frequency/yr
Target
Factor
Impact on People
On-site
Off-site
1.00E-02
Nuisance complaint
1.00E-03
1.00E-04
Single fatality
1.00E-05
5 fatalities
1.00E-06
1.00E-07
100 fatalities
Fatality
1.00E-08
1.00E-09
2nd example:
Target
Frequency/yr
Target
Factor
Impact on People
On-site
Off-site
1.00E-02
Discomfort
1.00E-03
Nuisance complaint.
1.00E-04
1.00E-05
Single fatality
1.00E-06
5 fatalities
1.00E-07
1.00E-08
100 fatalities
Fatality
1.00E-09
Have we accounted for all the serious scenarios? Need to consider on site and off site effects. There needs to be
a robust Hazard Identification process. The most obvious are processes such as HAZOP. This is a structured
type of brainstorming. In my experience, it has helped to provide users with a standard list to start them out.
One of the greatest challenges on risk analysis is to make sure that all possible scenarios are accounted for.
Does my analysis system indicate if my criteria are met?
The criteria of interest are generally severity and frequency based and have been derived, i.e. risk based.
Can we devise a simple method to determine if we have met our risk criteria? This is what Layer of Protection
Analysis (LOPA) attempts to do. Essentially it is based on a simplified fault tree methodology. The
methodology is fully explained in the course. There are 2 common approaches. The first is the order of
magnitude approach used in the U.S.; the second attempts more accuracy and is described in the PSLG Final report.
If we know our target frequency how is the final event frequency affected by safety barriers or Protection
Layers?
Once a train of events has been initiated, unless something intervenes the frequency of the final event will be
the same as the frequency of the initiating event. For example, if we know that the tide comes in twice a day and
our piece of beach lies below the high water line, it will go under water twice a day. Nothing has been provided
to intervene so the answer is very obvious. If we believe that it is important to prevent this happening, we can
add a layer of protection to intervene and reduce the frequency of the flooding. If this is a lock gate at the
opening of the bay, we could make a dramatic difference to the frequency of the flooding. This is what has
been done in the Netherlands where much of the land lies below high water and has been reclaimed from the
sea. They wanted a good assurance that the land would not be inundated frequently. At the same time they
recognise that such protection is not 100% reliable. It has a probability that it will fail. This is called
Probability of Failure on Demand. In a chemical plant, if the undesired final event is a vessel rupturing as a
result of a gassy decomposition during an uncontrolled runaway reaction we would add layers of protection to
prevent the frequency being as high as an initiating event such as a temperature control loop failure. In such an
example, we would consider
If these measures are effective and independent of each other, they can be considered effectively in a fault tree or in
LOPA. If they are deficient in either effectiveness or independence, further steps are needed. It seems obvious to
state that we should not tolerate major events which are caused by a single failure. However, history reveals that it
does sometimes happen. There are also some cases where apparent single failures can lead to major events. An
obvious example is the failure of a chlorine sphere pressure tank. These are frequently installed on plants without
any secondary containment. Reliance is placed on:
Sound engineering design practices developed and improved over many years
Inspection systems
Emergency response
Careful Land Use Planning
None of these can be described as layers of protection which prevent the final outcome i.e. release of all or most
of the contained chlorine. The first two are designed to make sure that the frequency of catastrophic failure is
extremely low (< 1e-06) and the latter two are designed to either mitigate the effect or reduce the exposed
population. In cases like these, LOPA may be interesting but may not be the best approach. So do not expect it to
answer every question you can imagine about risk. You may finish up a study with protection gaps which
apparently cannot be closed in cases like this.
And which Protection Layers are applicable? Here is a consideration of the LOPA Onion
This is a neat depiction of the concept, but there are some items which overlap into more than one layer e.g.
Operator Intervention and BPCS capability.
In the LOPA study we will spend most time looking at the process itself, the control systems, including any
safety functions built in, safety instrumentation and SOME of the others such as relief systems, dikes etc.
This diagram illustrates how independent Protection Layers (IPLs) are credited.
The system is designed to respond in a safe way to an initiating event or demand.
If an event occurs, there are 2 possibilities when the first IPL senses the event: it can fail (hopefully with a low
probability of failure on demand (PFD)) or it can work successfully. The frequency of resulting dangerous
failure is the product of the frequency of the event (the demand) multiplied by the PFD of the first layer.
If it fails, the next layer of protection is required to work, again there are 2 possibilities, failure or success. The
cumulative failure frequency is the product of the original event frequency and the PFDs of the 3 layers of
protection. As each layer is called upon to function, the failure frequency of the entire system becomes
progressively smaller.
Hopefully we can achieve the Risk Tolerance Criteria. This is what it looks like in fault tree format:
[Figure: Protection Layer Concept. An Initiating Event with Estimated Frequency fi = x meets IPL1 (PFD1 = y1),
IPL2 (PFD2 = y2) and IPL3 (PFD3 = y3) in turn. Success of a layer gives a Safe Outcome. Failure of successive
layers gives f1 = x * y1, then f2 = x * y1 * y2, and the Impact Event Occurs at Impact Event Frequency
f3 = x * y1 * y2 * y3.
Key: Arrow represents severity and frequency of the Impact Event if later IPLs are not successful.
IPL - Independent Protection Layer; PFD - Probability of Failure on Demand; f - frequency, /yr]
[Figure: bow tie diagram. Initiating Events 1 to 4 pass through LOPs / LODs (labelled 1a, 1b, 1c, 2a, 3a, 3b, 3c, 4a)
to a Release, followed by Mitigation LOPs / LODs M1 and M2 leading to No consequence, Consequence A,
Consequence B or Consequence C.]
LOPA deals with the ANDs in the fault tree. Perhaps we need to examine the cumulative issues presented by
the ORs later.
Layer of Protection Analysis simplifies the fault tree and event tree from the bow tie for each scenario/initiating
event case by assigning conservative generic values for the frequencies of initiating events (on the fault tree
side) and Probability of Failure on Demand (on the event tree side) for each aspect of the Independent Layers of
Protection. It then runs the simple mathematics to arrive at a final unwanted event frequency which can be
compared with the target (tolerable) frequency.
Use of LOPA will indicate if a SIS is needed and if it is, what Safety Instrumented Function and Safety
Integrity Level it needs to achieve.
Reliability Levels required by plant operations and the achievable test intervals for various design
configurations will enable you to choose the architecture for the hardware whilst satisfying the SIL needs:
degrees of redundancy
redundancy arbitration logic (related to shut down function)
Example: a system with dual sensors may have:
a) 1 out of 2 logic (system trips if either sensor gives a signal at the trip set point), or
b) 2 out of 2 (system trips after both sensors give a signal at their trip set point)
Note: a) generally will give more false trips than b)
The subject is complex and we need to simplify it.
[Figure: Complex Mathematical terms & Systems reduced to Simple Tools: 1 + 1 + 2 = 4 or 0.1 x 0.07 x 0.01 = 0.00007]
[Figure: case T1 with factors 1e-01, 1e-01, 1e-01, 1e-01 and 1e-02, and a final value of 1e-06]
This can be compared with the target (tolerable) frequency selected to see if the target is met or exceeded or a
protection gap exists.
This is a simpler approach than fault tree, bow tie and the application of complex calculations for every control
loop involved in a safety scenario.
The whole subject is complex.
Some important definitions:
These factors should be allowable since they do affect the frequency of the final outcome in the sense that the
hazard is there for less than 12 months a year or that the probability of ignition for fire and explosion cases may not
always be 100%. If the latter two examples are considered, it is important to remind users that the patterns of use
and exposure may change with time. This is just one reason for periodic review.
Allowance for Conditional Modifiers suggested in the course is based on a 10% or 1% probability. Any factor
lying between is always conservatively rounded up. In the case of the probability of ignition, quantities are
suggested. Essentially, if the leak is large enough it is assumed that it will ignite.
It is important to recognize that the subject of conditional modifiers can be a source of much study. This cannot
always be conclusive because they are difficult to simulate and test. However, it should be possible to get expert
advice or to model discharge of flammable liquids to see if the vapour emitted can reach the flammable range and
be above flashpoint. Additionally, it is worth considering the beneficial contribution made by the so called
explosion proof electrical equipment which may be required for the area. Some effort is being made to quantify
this in the U.K. (HSE)
The Independent Protection Layers illustrated above could be:
If the frequency of the final event appears to be greater than the target, a Protection Gap exists. It will need to
be closed. We shall discuss how this might be achieved.
Whatever is decided upon, a basic rule of thumb is that the system chosen needs to be effective, independent
and testable. This may be more difficult than it appears.
Testing Intervals
Testing methods and protocols
Independence and common cause failure
The effect of Redundancy
Reliability / False Shutdowns
Software programming
Global Consistency & Industry Standards
Internal Requirements
Regulator Requirements
[Worksheet: Layer of Protection Analysis using standard initiating event frequencies and Failure rates for
Independent Layers of Protection. Headings shown: Scenario No.; Reasoning; Consequence Description/Category;
Initiating Event Frequency; Probability; Factor; Probability of Ignition; Conditional Modifiers]
The basic Process Control System can be a conventional instrumented control system, usually electronic which uses
field analysers connected to controllers or switches designed to keep the process within normal operating
parameters. BPCS features often include alarms and trips which act when the process deviates beyond design
allowances. We would normally allow these to be credited as Layers of Protection. It is important to remember that
in a study, the BPCS loop can only appear once as an independent layer of protection, since it may not share any
element with another IPL. In practice this means that an alarm and a trip working within a single loop cannot be
credited twice. When redundancy is considered, the practice of putting more than one sensing element into a single
loop or in separate loops which share the same controller or logic solver or final element does not achieve a
significant increase in safety and certainly does not produce 2 IPLs.
SIP: Safety Instrumented Programming: The section of any logic solver software devoted to Safety
Instrumented System control. There are special considerations for this. If the SIF is programmed through a PLC or
Process Control system, it needs to have the software program separate from the process control program. It needs
to be locked so that inadvertent or unauthorized change is not possible. It must also be tested and validated.
False Trip: Erroneous trip of process due to a failure of a control loop capable of shutting down the process. This
is particularly important for large continuous plants. Unfortunate examples of systems where any one of three
independent loops can trip a plant exist. These give three times as many false trips as single systems do. So the
pursuit of enhanced safety can introduce unexpected frustrations and even new hazards.
Other Safety Related Protection Systems: These are systems which have been installed by the user to act as layers
of protection which do not fit into the category of BPCS or SIS. Since these may not always stop the scenario
developing (they often mitigate it or reduce its impact) they can be credited only if there is good evidence to show
that they are effective. Debate is ongoing about the effect of Emergency Response, Shelter in Place, Fire
Protection, Water Sprays. If you include these, you need a good case and should be able to demonstrate that the
system is most likely to work. From the experience of many studies the author has discovered that there may be
deficiencies.
Independent Protection Layer: A layer of protection that will prevent an unsafe scenario from progressing
regardless of the initiating event or the performance of another layer of protection. This is one of the most
important considerations of the LOPA methodology. LOPA assumes that all allowed IPLs are independent of each
other. So:
A BPCS trip may be independent of a hard wired trip if there are no common elements. Often, the power supply
may appear to be common. There are cases where the loss of the power supply may impair both layers of
protection and leave the process in an unsafe mode, because of the failure of the common element (power). This is
not always the case and needs to be clarified.
A second process sensor attached to a single control loop may appear to give added protection, but in many cases
does not because the governing failure may turn out to be the logic solver or the final element.
A BPCS trip which has an alarm attached makes a lot of sense for the operator to understand what is happening.
However, the operator response cannot be taken as independent from the control loop trip because he needs the
same sensor and logic solver as the BPCS trip action.
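The points made above about voting logic, false trips and a second sensor on a shared loop can be put into numbers. This is an added example, not part of the course material: the failure probabilities are constructed, the sensors are assumed identical and free of common cause failure, and the function names are illustrative.

```python
from math import comb


def at_least(k, n, p):
    """Probability that at least k of n independent events occur, each with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def voted_sensors(m, n, pfd_sensor, p_false):
    """M-out-of-N voting on N identical sensors.

    Returns (PFD of the sensing group, probability of a false trip).
    The group fails on demand when fewer than M sensors respond, i.e. when
    at least N-M+1 have failed. It trips falsely when at least M sensors
    signal without a real demand.
    """
    return at_least(n - m + 1, n, pfd_sensor), at_least(m, n, p_false)


def loop_pfd(pfd_sensing, pfd_logic, pfd_final):
    """A loop is a series chain: it fails if sensing, logic solver or final element fails."""
    return 1 - (1 - pfd_sensing) * (1 - pfd_logic) * (1 - pfd_final)


# Constructed figures for illustration only (not from the course material).
PFD_SENSOR = 0.05   # one sensor fails to respond on demand
P_FALSE = 0.02      # one sensor (or one loop) signals falsely in a year
PFD_LOGIC = 0.03    # shared logic solver
PFD_FINAL = 0.05    # shared final element


def compare_architectures():
    """Compare 1oo1, 1oo2 and 2oo2 sensing behind one logic solver and one final element."""
    table = {}
    for label, (m, n) in {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2)}.items():
        sensing, false_trip = voted_sensors(m, n, PFD_SENSOR, P_FALSE)
        table[label] = {
            "sensing_pfd": sensing,
            "false_trip": false_trip,
            "loop_pfd": loop_pfd(sensing, PFD_LOGIC, PFD_FINAL),
        }
    return table


def false_trip_any_of(n_loops, p_false=P_FALSE):
    """False-trip probability when any one of n independent loops can trip the plant."""
    return at_least(1, n_loops, p_false)


if __name__ == "__main__":
    for label, row in compare_architectures().items():
        print(label, {key: round(value, 5) for key, value in row.items()})
    ratio = false_trip_any_of(3) / false_trip_any_of(1)
    print("false trips, 3 loops versus 1 loop:", round(ratio, 2))
```

With these figures the second sensor in 1 out of 2 logic takes the loop PFD from about 0.125 to about 0.081, far short of the factor of ten that a second IPL would represent, because the shared logic solver and final element dominate.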
Finding Scenarios and cases:
[Figure: LOPA study cycle. Boxes shown: STEP 1: IDENTIFY SCENARIO OF INTEREST; IDENTIFY CONSEQUENCES;
STEP 3: IDENTIFY INITIATING EVENTS; IDENTIFY EXISTING IPLS; IDENTIFY CONDITIONAL MODIFIERS;
STEP 6: ADD NEW IPLS IF NEEDED; STEP 7: MAKE RISK DECISIONS; SELECT THE NEXT INITIATING EVENT]
What-if
FMEA
Checklist
Experience
Past incidents
[Figure: process diagram of the example plant. Equipment tags shown: R-201, R-202, R-203, V-204, V-206, V-208,
V-212, E-204, E-205, E-206, C-202, A-202AG. Services shown: HOT OIL, COLD OIL, N2, BARR. FLUID, VENT HEADER,
BLOWDOWN HDR, TCB PREMIX, DMS, DISCHARGE. Instrument symbols shown: FT, PT, PDT, AT, JT, LIT, LSH, PSH,
AREA MIC DET.]
[Table: initiating event frequencies with their Initiating Event Factor. Frequencies shown are 1.E-01 for every
entry except one at 1.E-02; the Initiating Event Factor shown is 1.]
Initiating Event
Hardware failure:
Pump problems
Pump leaks
Mechanical Seal leaks
Hose or fragile equipment failure
Piping and equipment failure
Systems failures:
Human Failures:
Infrequent operation
Frequent operation
Operation under stress (remember Longford incident in Australia)
The workbook on LOPA has embedded in it a list of initiating events and scenarios used in the author's work.
It covers
Pumps
Piping and Hoses
Vessels and Tanks
Reactors
Scrubbers and absorbers
Miscellaneous equipment
And addresses Fire, Explosion and Toxic release and attempts to quantify their effects by reference to an injury
matrix. Matrixes based on chemical quantity and properties are sometimes available, but regulators usually base
their evaluations on potential injuries.
If BPCS and Alarm IPLs use the same sensor, you can take credit
for one IPL only
The Alarm IPL requires an operator action to prevent the scenario.
If a sensor failure is the Initiating Event, BPCS and Alarm IPL are
not valid credits if they require the failed sensor to function.
If a final element failure is the Initiating Event, BPCS and Operator
action on Alarm IPL are not valid credits if they require the failed
final element to function.
If a BPCS logic solver is an Initiating Event, no credit is taken for
the BPCS or Alarm IPL, unless the Alarm IPL is a completely
separate system.
If an Alarm is an IPL, the operator must have time to prevent the
scenario. No credit should be taken if the operator has less than 15
minutes to respond.
Only one (1) BPCS and one (1) Alarm IPL credit are allowed for a
case.
Sharing of BPCS and SIS elements may be allowed when there is
evidence of adequate independence.
Mechanical safety devices such as over-speed trips are not
Instrumented IPLs. However, they may qualify as an Independent
Safety Related Protection System under the Other Safety Related
Protection System column.
Infrequent operations:
What do we think about an operation which apparently poses a high risk during the operation?
Are there other mechanisms to protect the exposed person(s)?
Normally handled with an auditable procedure, Task Safety Analysis or a permit to work system. (proper approval
of method, isolation and protective equipment etc.)
The probability that someone will be exposed if the scenario develops fully.
Take the case of a sensitive exothermic batch process which operates for most of the year. The plant produces 7
batches a day. The exothermic reaction step of the process has a duration of 75 minutes (dictated by chemistry,
heat exchange capability, batch size and demand). The process is benign for the rest of the time. The scenario of
concern is a reactive chemicals runaway which could rupture the reactor. The risk is thus present for approximately
(75 x 7) / (60 x 24) = 36% of the time. This is more than 10% of the time so LOPA assumes that the hazard is always
present. Therefore no Conditional Modifier applies. However, if this operation is run for only 3 months a year, a
different approach might be appropriate for the long term operation.
Another example is the case where someone is unloading a raw material into a tank from an unloading station. The
scenario of concern is: The storage tank overflows because there is insufficient space to accommodate the added
material. If this happens very frequently it is in the same category as the first example above. If the loading
operation happens once per week and takes 1 hour, the proportion of time when the hazard is present is 1 / (7 x 24).
This would obviously affect the final event frequency simply because the opportunities for overflowing the tank via
operator error or instrument loop (level transmitter) failure are limited to a small proportion of the year. In this case
LOPA would allow a Conditional Modifier of 1E-02. The infrequent operation does not relieve the operator from
proper management of the activity in order to protect people during the operation. In any case the operator who
has such a brief exposure may be exposed to similar hazards during the rest of his work day and we should not
forget the cumulative risk aspects. It would not make any sense to say that all our high severity activities occupy a
small proportion of the day, so we can ignore them! Add them together and see what happens.
[Table: Probability of Exposure. Column headings: Frequency Range from Literature (/yr.); Enabling Factor
Probability; Enabling Factor. Values shown: 1x10-1, 1x10-2]
Probability of Exposure
The probability that someone will be exposed if the scenario develops fully
Can also be addressed for cases as illustrated by the following example:
A pump is attached to a tank which contains an unstable material. Tests reveal that if the temperature goes higher
than 90 °C, a runaway is likely. This will generate high pressure from gas evolution. So the scenario is that the
pump may rupture and the initiating event is that it runs with suction and delivery valves closed. This may sound
an extreme case but there is a history of this. If the pump runs most of the time but is in a remote area of the plant
which is seldom visited except for patrols, it should have a Conditional Modifier applied. If it is close to the plant
Control Room, logically it should not.
Fire and Explosion Events: The probability of ignition:
If a flammable material leaks, there is a probability that it will find a source of ignition. The ATEX regulations in
Europe list the sources to consider. If the material is below its flashpoint, it is a case which may be interesting to
study, but the fire or explosion may not be credible. This conclusion could appear in just this form in a HAZOP
study report and no further action may be taken. Care should be taken to check all possible sources since a hot
surface may contribute to raising the temperature of the material.
If the material leaks at a temperature above its flashpoint, fire or explosion are real possibilities. Advice in LOPA
proposes that the probability of ignition becomes greater with the quantity of the leak. Indeed the advice says that
above a certain quantity, the probability of ignition is 100%. Furthermore, easily ignited material (Minimum
Ignition Energy < 0.3 mJ) has more restricted quantities.
[Table: Probability of Ignition. Column headings: Probability of Ignition; Enabling Factor (given twice).
Quantity ranges shown: 5 - 50, 51 - 501, 501 - 5000.
Values in the order shown: 1.0E-02, 1.0E-02, 2, 2, 1.0E-02, 1.0E-01, 2, 1, 1.0E-01]
After you have accounted for the initiating event frequency and the Conditional Modifiers you have a frequency
which is the frequency of the undesired event if there are no layers of protection to intervene. You have arrived at
the centre of the bow tie.
Independent Protection Layers Credit Factor Table
(columns: Independent Protection Layer; PFDs; Credit Factor; Notes)
Pressure Relief Device; PFD 1.E-02; Credit Factor 2
SIS - SIL 1; PFD 1.E-01
SIS - SIL 2; PFD 1.E-02; Credit Factor 2
SIS - SIL 3; PFD 1.E-03; Credit Factor 3
BPCS, when independent of initiating event; PFD 1.E-01
Internal mechanical safety trips that are independent of the SIS or BPCS; PFD 1E-1 to 1E-2; Credit Factor 1 to 2
Operator response under high stress, average training; PFD 5.E-01
Operator response to Alarms and procedures, low stress, recognized event; PFD 1.E-01
Further layers, with the PFDs listed for them in the same order (1.E-02, 1.E-01, 1.E-02, 1.E-03, 1.E-01, 1.E-02):
Operator response to Alarms and procedures, low stress, recognized event with more than 24 hours to resolve problem
Enclosure with an elevated stack.
Enclosure with attached mitigation device such as a scrubber or oxidiser.
Containment Building capable of withstanding any credible release.
Restricted Access where consequence is limited to
Dikes when capable of mitigating the initiating event. This is an IPL only for environmental events.
Notes
(0) if online changes allowed
(0) if online changes allowed
Value chosen depends on verification by vendor and testing frequency.
Details:
The first system to consider is the Basic Process Control System. For many cases the BPCS is a valuable
protection layer. It may have a trip or alarm function built into its loops. When the BPCS is considered it can be
credited with a PFD of 1E-01. The guidance in IEC 61511 does not allow a lower (better) PFD unless the system
complies with SIL2 or higher requirements. This is true even if there is a redundant set of sensors in the loop.
Basic Process Control System: These should be used wherever possible, but it is important to remember that if the
initiating event is a failure of a control loop, it is not possible to count any element of that loop as an IPL. It is also
important to make sure that the loop receives the same registration and testing attention as a SIL 1 system.
Basic Process Control System trips:
This is a trip to interrupt the progress of a scenario and put the process into a safe state. A loop can be made up of a
process sensor, logic solver and final element such as a motor starter or isolation switch, an automated block valve.
If the BPCS is used as an IPL it can only be used once. This means that if it is used in a trip function, it cannot be
used as an alarm IPL. In most cases, it makes sense to have the trip function also drive an alarm, simply to make
sure that the operator is aware that a trip has taken place.
Basic Process Control System Alarms:
This is an alarm which instructs an operator to take a preplanned and rehearsed action which will put the process in
a safe condition. If this is allowed as an IPL it needs to:
Be effective
Be feasible
Be independent e.g. not use any element of another IPL
Allow enough time for response
Have a written procedure which is periodically tested
Be effective: It is necessary to make sure that the action will actually interrupt the scenario. In practice there is
nothing special about this type of IPL compared with any other.
Be feasible: It is important to make sure that the operator is able to carry out the required action. This includes
training, access to the final element etc. For example, if the operator has to put himself at risk to carry out the
required intervention it should not be allowed. A dead headed pump is a good case which deals with this.
Be Independent: The alarm and final element should not be part of any other IPL for the same scenario. It is also
important to ask the question: if the initiating event is operator error, can the same operator be credible in an IPL
role?
Allow enough time: Some scenarios can be interrupted successfully if the response to an alarm is not immediate.
In practice a good test is to say that 15 minutes will be the minimum reliable time for a 90% reliable response. Be
wary of allowing an operator response if he needs to do so in less than 15 minutes. Good examples of impossible
operator IPLs are vapour cloud explosions and dust explosions. There is no time for effective operator intervention.
Have a written and rehearsed procedure: This must describe the alarm, what it means, what the response must be.
It will need to be tested periodically.
Special care is needed if the initiating event is the failure of a control system: the alarm function, which
might use different process sensors and final elements, may be sharing the logic solver of the BPCS. You cannot
assume that this arrangement is satisfactory since there is a potential common cause failure in the shared logic
solver.
If a BPCS (whole loop) is an Initiating Event, no credit is taken for the BPCS
or Alarm IPL unless they are completely separate systems.
If BPCS and Alarm IPLs use the same sensor, you can take credit for one IPL
only.
The Alarm IPL requires a formally recorded and auditable operator action to
prevent the scenario.
If a sensor failure is the Initiating Event, BPCS and Alarm IPL are not valid
credits if they require the failed sensor to function.
If a final element failure is the Initiating Event, BPCS and Operator action on
Alarm IPL are not valid credits if they require the failed final element to
function. (most common could be a control valve.)
If a BPCS logic solver is an Initiating Event, no credit is taken for the BPCS or
Alarm IPL, unless the Alarm IPL is a completely separate system.
If an Alarm is an IPL, the operator must have time to prevent the scenario.
No credit shall be taken if the operator has less than 15 minutes to respond.
May be able to take credit if this is a recognized case in the Emergency
Response plan.
Maximum of only one (1) BPCS and one (1) Alarm IPL credit are allowed for a
case.
Sharing of BPCS and SIS elements may be allowed when there is evidence of
adequate independence. (see rules for sharing SIS elements by the BPCS)
Mechanical safety devices such as over-speed trips are not Instrumented IPLs.
However, they may qualify as an Independent Safety Related Protection
System under the Other Safety Related Protection System column.
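The rules above lend themselves to a mechanical screen of candidate IPLs before any credit is entered. This is an added example, not the workbook's own logic: the tag names and the scenario are constructed, the class and function names are illustrative, and it takes the strict reading that a credited IPL may not share any element with another (the page allows BPCS and SIS sharing only with evidence of adequate independence).

```python
from dataclasses import dataclass
from typing import Optional

MIN_OPERATOR_MINUTES = 15  # minimum response time the page accepts for an Alarm IPL


@dataclass(frozen=True)
class Candidate:
    name: str
    kind: str                # "bpcs", "alarm", "sis", "relief" or "other"
    elements: frozenset      # tags of every sensor, logic solver and final element it needs
    response_minutes: Optional[float] = None  # time available to the operator (alarms only)


def credit_ipls(failed_elements, candidates):
    """Screen candidate IPLs in list order and return {name: (credited, reason)}."""
    failed = frozenset(failed_elements)
    claimed = set()      # elements already used by a credited IPL
    kinds_used = set()   # BPCS and Alarm may each be credited only once per case
    verdicts = {}
    for c in candidates:
        hit = c.elements & failed
        shared = c.elements & claimed
        if hit:
            verdict = (False, "needs failed element: " + ", ".join(sorted(hit)))
        elif c.kind == "alarm" and (c.response_minutes is None
                                    or c.response_minutes < MIN_OPERATOR_MINUTES):
            verdict = (False, "operator has less than 15 minutes to respond")
        elif c.kind in ("bpcs", "alarm") and c.kind in kinds_used:
            verdict = (False, "only one " + c.kind + " credit allowed per case")
        elif shared:
            verdict = (False, "shares with a credited IPL: " + ", ".join(sorted(shared)))
        else:
            claimed |= c.elements
            kinds_used.add(c.kind)
            verdict = (True, "credited")
        verdicts[c.name] = verdict
    return verdicts


# Constructed example: reactor high-temperature scenario. All tag names are made up.
CANDIDATES = [
    Candidate("BPCS high-temperature trip", "bpcs",
              frozenset({"TT-102", "BPCS-LS", "XV-103"})),
    Candidate("High-temperature alarm", "alarm",
              frozenset({"TT-102", "BPCS-LS", "HV-104"}), 30),
    Candidate("Independent pressure alarm", "alarm",
              frozenset({"PT-105", "ALM-PANEL", "HV-106"}), 10),
    Candidate("SIS temperature trip", "sis",
              frozenset({"TT-201", "SIS-LS", "XV-201"})),
    Candidate("Relief valve", "relief", frozenset({"PSV-301"})),
]


def credited_names(failed_elements):
    """Names of the candidates that survive screening for a given initiating failure."""
    verdicts = credit_ipls(failed_elements, CANDIDATES)
    return [name for name, (ok, _) in verdicts.items() if ok]


if __name__ == "__main__":
    # Initiating events: control valve failure, BPCS logic solver failure, sensor failure.
    for failed in (["TV-101"], ["BPCS-LS"], ["TT-102"]):
        print("Initiating failure:", failed)
        for name, (ok, reason) in credit_ipls(failed, CANDIDATES).items():
            print("  %-28s %-5s %s" % (name, ok, reason))
```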
Relief Systems:
If a relief system meets the requirements for effectiveness and is properly maintained etc. it can be credited with a
PFD of 1E-02.
Important aspects to remember are:
Care is needed with systems which involve a Rupture Disk and Pressure Safety Valve in series. Reasons for such a
set up include:
Service conditions (corrosion, polymerization)
Fugitive Emissions
It is possible for the disk to develop a pinhole which allows the space between the disk and valve to reach the same
pressure as the process protected. This pressure may interfere with the differential pressure required for the disk to
rupture when it needs to. It is common practice to place a low pressure switch, transmitter, relief valve or tell tale
to deal with this. The PFD of this system is likely to need to be the same as claimed for the relief system.
When there are concerns about downstream discharge hazards a treatment or containment process is needed. These
are briefly described in the example scenarios in the workbook.
We should not allow a LOPA process to eliminate the need for a conventional relief system. There are legal and
industry standards which may require a relief system.
When entering the information into a LOPA study and its results:
SIS entries are considered last and then only if necessary to close the protection gap
A non-zero, positive value in the Protection Gap column indicates a SIS is needed.
The required SIL of the SIS is the value which closes the Protection Gap
A SIL value greater than 3 should not be allowed. Additional non-SIS IPLs are required, or there is
something wrong with the process.
A zero or negative value in the Protection Gap column indicates a SIS is not needed.
A SIS with a SIL of 2 or 3 can be replaced with a combination of SISs with lower SIL provided they are
independent from each other.
SIL 1 + SIL 1 = SIL 2 ; SIL 1 + SIL 2 = SIL 3
Two (2) SIS IPLs used in the same case require separate sensors, logic solver and final element.
Independent paths through the same SIS logic solver must be used.
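The Protection Gap arithmetic behind these rules, together with the time-at-risk Conditional Modifier from the batch reactor and tank unloading examples earlier, can be worked through as follows. This is an added example, not the course worksheet: it assumes that a factor is the number of decades (1E-02 gives 2, as in the credit factor table) and that the gap is the target factor minus the factors already credited; the target and initiating event frequencies are constructed and the function names are illustrative.

```python
import math


def factor(value):
    """Decades of risk reduction: a frequency or PFD of 1E-02 is a factor of 2."""
    return -math.log10(value)


def time_at_risk_modifier(hours_at_risk, hours_in_period):
    """Conditional Modifier for a hazard that is present only part of the time.

    More than 10% of the time counts as always present (1). Anything between
    1% and 10% is rounded up to 1E-01. 1% or less gives 1E-02.
    """
    fraction = hours_at_risk / hours_in_period
    if fraction > 0.10:
        return 1.0
    if fraction > 0.01:
        return 1e-1
    return 1e-2


def protection_gap(target_frequency, initiating_frequency, modifiers, ipl_pfds):
    """Target factor minus the factors already credited. Positive means a gap exists."""
    credited = factor(initiating_frequency)
    credited += sum(factor(v) for v in list(modifiers) + list(ipl_pfds))
    return round(factor(target_frequency) - credited, 6)


def sis_requirement(gap):
    """Translate a Protection Gap into the SIS options the page allows."""
    if gap <= 0:
        return {"sis_needed": False, "options": []}
    sil = math.ceil(gap - 1e-9)   # a fractional gap needs the next whole SIL
    if sil > 3:
        return {"sis_needed": True, "options": [],
                "note": "gap exceeds SIL 3: additional non-SIS IPLs are required"}
    options = [(sil,)]
    if sil == 2:
        options.append((1, 1))    # SIL 1 + SIL 1 = SIL 2, if independent of each other
    if sil == 3:
        options.append((1, 2))    # SIL 1 + SIL 2 = SIL 3, if independent of each other
    return {"sis_needed": True, "options": options}


def reactor_case():
    """Batch reactor: 7 batches a day with a 75 minute exothermic step."""
    modifier = time_at_risk_modifier(7 * 75 / 60, 24)        # 36% of the time
    # Constructed inputs: target 1E-06/yr, initiating event 1E-01/yr.
    # IPLs: relief device (1E-02) and operator response to alarm (1E-01).
    gap = protection_gap(1e-6, 1e-1, [modifier], [1e-2, 1e-1])
    return modifier, gap, sis_requirement(gap)


def unloading_case():
    """Tank unloading: one 1 hour operation per week."""
    modifier = time_at_risk_modifier(1, 7 * 24)              # about 0.6% of the time
    # Constructed inputs: target 1E-05/yr, initiating event 1E-01/yr.
    # IPL: BPCS trip independent of the initiating event (1E-01).
    gap = protection_gap(1e-5, 1e-1, [modifier], [1e-1])
    return modifier, gap, sis_requirement(gap)


if __name__ == "__main__":
    print("reactor:", reactor_case())
    print("unloading:", unloading_case())
```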
Systems that are not Pressure Relief Devices and are not
considered as SRPS.
o Dikes and Bunds are not always IPLs for safety cases - no credit allowed since they may only
reduce the consequences (and thus may be accounted for in the scenario). For a business
case involving an environmental scenario, dikes and bunds may reduce the frequency of
environmental damage - credit allowed.
o Includes containment buildings or enclosures, if present.
o Unlisted systems need a lot of care and approvals.
o Emergency Response can be considered for Off site scenarios
o How to treat Shelter in place?
o Enhanced inspection or replacement processes
Dikes and Bunds need to be discussed. Question: do they reduce the scale of the scenario?
If they do have the designed and desired effect, can we adopt a higher tolerated frequency?
Release and other events which cannot be interrupted by SISs e.g. generic vessel failures
What may be a suitable approach?
Recognise that some initiating events may cause scenarios where there are no conventional true IPLs available; e.g.
vessel rupture for no anticipated reason. If events like this occur, there is no instrumented or any other system
which can stop the event once it has occurred. In a sense, this type of event can be predicted, simply because they
have happened. It would be wrong to eliminate the possibility. All that you can do is to MITIGATE it.
The problem with assessing mitigation systems is that they are difficult to test in a real sense.
The LOPA ONION mentions physical barriers such as dikes or bunds. There are other effective means such as
water sprays, fire protection, containment buildings. It also mentions Emergency Response. This is very difficult
to assess, but should not be ignored.
These do not fit well into the definition of an IPL. Is there another approach?
Consider the target for the scenario. This is essentially used in LOPA as a frequency, but is based on a
severity. Reminder: The severity of a scenario is used to set its tolerated frequency, so in most senses the severity
and frequency are the same integer.
If we address the severity for the assumed scenario, the mitigating system is designed to reduce the severity.
So a suitable approach is to carry out 2 cases for this type of scenario/cause.
a) ignoring the MITIGATION system
To derive the protection gap
b) accounting for the MITIGATION by reducing the target severity (and thus the tolerated frequency) to
see if the protection gap remains.
Credible Versus Non Credible events:
For example:
Is a fire a credible event if a flammable material is released below its flashpoint temperature?
Is it credible for a dike to fail?
We all have an opinion perhaps, but in many cases the Competent Authority may dictate what we consider.
Supposing the cost of the added layer of protection was 2,700 over the life of the plant.
It would seem that the cost does not grossly outweigh the benefit. This is how it might look in a spreadsheet.
[Spreadsheet values shown, without their row labels: 200; 50; 1.00E+01; 50; 1000; 2700; 9.00E-06; 450.00; 6.00]
It is suggested that each study case includes statements about both the Uncertainty and Sensitivity:
UNCERTAINTY
Case: 1.0
Scenario: R 101 rupture due to runaway reaction
Initiating Event: Failure rate data of Temperature Control loop well known and documented
Conditional Modifier: Capacity of facility will always dictate that the hazard is present <10% of the time
IPL: Recent history of fouling on Relief Valve places a doubt on PFD
Action: Modify entry to relief section to ensure incoming solvent cleans nozzle every batch. Add quarterly
inspection.
HOWEVER: The biggest UNCERTAINTY is: Have we accounted for all hazardous events?
SENSITIVITY
Case: 1.0
Scenario: R 101 rupture due to runaway reaction
Initiating Event: Failure rate data of Temperature Control loop well known and documented
Conditional Modifier: Capacity of facility will always dictate that the hazard is present <10% of the time
IPL: Relief Valve action PFD is 1e-02 indicates that there is a heavy reliance on this IPL. Failure to function on
demand has a major effect on frequency of top event
Action: Modify entry to relief section to ensure incoming solvent cleans nozzle every batch. Add quarterly
inspection.
Definitions:
Aggregation: Using the study to calculate a scenario frequency when there is more than one initiating event
BPCS: The Basic Process Control System
Frequency: The number of times in a given period an event occurs.
PFD: Probability of Failure on Demand. The probability that a system or element of a system will fail to act as
required when a demand is made of it.
SIS: Safety Instrumented System. A specially designed, validated and tested system made up of certified or proven
in service elements. This comprises process deviation sensing element, logic solver and final element which places
the process in a safe state.
SIF: Safety Instrumented Function: The designed function of the SIS. (e.g. senses high temperature and isolates
energy supply)
SIL: Safety Integrity Level. A standardized PFD for certified SISs (usually having a PFD of 1e-01, 1e-02 or 1e-03)
SIP: Safety Instrumented Programming: The section of any logic solver software devoted to Safety Instrumented
System control.
False Trip: Erroneous trip of process due to a failure of a control loop capable of shutting down the process. This
is particularly important for large continuous plants.
Other Safety Related Protection Systems: These are systems which have been installed by the user to act as layers
of protection which do not fit into the category of BPCS or SIS.
Independent Protection Layer: A layer of protection that will prevent an unsafe scenario from progressing
regardless of the initiating event or the performance of another layer of protection.
Mitigation systems as layers of protection: Systems which do not prevent the scenario development but will reduce
its impact, severity and scale. See Other Safety Related Protection Systems.
Definitions:
Basic Process Control System (BPCS): A combination of sensors, logic solvers and final elements which automatically regulate the process within normal production limits.
Independent Layer of Protection (IPL): A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.
Tools:
An Excel worksheet with all required tables incorporated has been developed by the course trainer and is made available with the course materials.
Work procedure:
LOPA starts with the identification of a hazardous scenario and the potential amount of involved chemicals or other risk resulting in the target factor (unwanted event severity/frequency if we imagine it does occur).
1. Enter the scenario identifier and description at the top of the worksheet.
2. Enter the Target Factor in the Risk Tolerance Criteria cell in the frequency column.
3. Enter a description of the initiating event and its frequency.
4. Enter descriptions of any Conditional Modifiers and their probability in the appropriate row.
5. Now the Independent Protection Layers (IPLs) are entered.
6. All applicable Independent Protection Layers need to be defined and their function described in the appropriate column. The credit factor also needs to be determined and inserted in the PFD cells.
7. Consider the need to aggregate, for the case that a single scenario may have more than one initiator.
If you leave the SIS A and SIS B columns empty for the first pass, you will find the resulting Protection Gap automatically calculated in its column.
If the Protection Gap is greater than zero you need to add protection, perhaps Safety Instrumented Systems.
The Protection Gap may be brought to zero as a result of the Basic Process Control System performance, by specifying one or more SISs, or by adding an alternative IPL such as a PSV and containment system or other safety related protection systems. When the Protection Gap is zero or less, the Risk Tolerance Target you started with has been met.
The spreadsheet is:
not password protected
adaptable
freely shared with course participants
your responsibility in use
able to aggregate final event frequency allowing for the fact that most scenarios have more than one initiating event. In other words it takes account of the whole of the left hand side of the bow tie.
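The worksheet arithmetic from the work procedure and the aggregation point above, as an added Python example (not the course spreadsheet's own formulas): it assumes the Protection Gap is the number of orders of magnitude by which the aggregated scenario frequency exceeds the tolerance target. Only the relief valve PFD of 1e-02 and the 10% time-at-risk come from this page; the initiator names, frequencies, target and SIS values are constructed.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Initiator:
    """One initiating event on the left-hand side of the bow tie."""
    description: str
    frequency_per_year: float
    ipl_pfds: dict = field(default_factory=dict)  # IPLs credited for this initiator

def _product(probabilities):
    # Reject anything that is not a probability before multiplying.
    for p in probabilities:
        if not 0.0 < p <= 1.0:
            raise ValueError(f"probability/PFD out of range: {p}")
    return math.prod(probabilities)

def scenario_frequency(initiators, conditional_modifiers):
    """Aggregated mitigated frequency per year over all initiating events."""
    modifier = _product(list(conditional_modifiers.values()))
    return sum(i.frequency_per_year * modifier * _product(list(i.ipl_pfds.values()))
               for i in initiators)

def protection_gap(initiators, conditional_modifiers, target_per_year):
    """Orders of magnitude still to be covered; zero or less meets the target."""
    ratio = scenario_frequency(initiators, conditional_modifiers) / target_per_year
    return round(math.log10(ratio), 2)

def build_case(sis_pfd=None, names=("cooling failure", "charging error")):
    """Constructed scenario: each initiator at 0.1/yr, relief valve PFD 1e-02."""
    ipls = {"relief valve": 1e-2}
    if sis_pfd is not None:
        ipls["SIS A"] = sis_pfd  # left empty on the first pass
    return [Initiator(n, 0.1, dict(ipls)) for n in names]

MODIFIERS = {"reaction operating <10% of year": 0.1}
TARGET = 1e-5  # constructed risk tolerance target, events per year

if __name__ == "__main__":
    cases = [("first pass, no SIS", build_case()),
             ("SIS A 1e-01, one initiator only", build_case(1e-1, ("cooling failure",))),
             ("SIS A 1e-01, aggregated", build_case(1e-1)),
             ("SIS A 1e-02, aggregated", build_case(1e-2))]
    for label, case in cases:
        print(f"{label}: gap = {protection_gap(case, MODIFIERS, TARGET)}")
```

With a SIS A PFD of 1e-01, the single-initiator case closes the gap while the aggregated case does not, which is what step 7 is there to catch.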
Most of this guide is written to support basic LOPA where orders of magnitude are proposed for initiating events, independent layers of protection and other factors. This principle embodies the original aims of the originators of LOPA. More complex forms of LOPA are explained in the IChemE training course and in the Final report on the
[Worksheet: Consequence Description/Category; Initiating Event Frequency; Enabling Event or Condition; Conditional Modifiers (Probability of Ignition, Operator always present, Reaction is operating less than 10% of year) with Probability/LOPA 'credit'; PFD/LOPA 'credit']
Alternative spreadsheets allowing several cases to be recorded on the same sheet are made available and demonstrated in the course. In the tools illustrated, the data entry is horizontal rather than vertical.
References:
Guidelines for Quantitative Risk Assessment, CPR 18E (Purple Book). Published by the Netherlands Committee for Prevention of Disasters.
Layer of Protection Analysis. American Institute of Chemical Engineers, Center for Chemical Process Safety (CCPS). ISBN 0-8169-0811-7