Short Communications

Critical temperatures are substantially higher for the propylene oxide mixtures (between 19 and 29°C higher over the range of NaOH concentrations investigated). Table 4 shows that, if the critical temperatures and storage conditions are the same, the level of contamination of propylene oxide must be at least 10 times that of ethylene oxide.

Conclusion

Ethylene oxide is known to be more reactive than propylene oxide and this study has confirmed that, specifically in the case of alkali-catalysed polymerization, substantial differences in reaction rates can be expected. It has been demonstrated that the consequences of rapid polymerization of propylene oxide are unlikely to be as severe as for ethylene oxide. Some tentative calculations have indicated margins of safety in terms of storage temperature and degree of contamination which would apply when ethylene oxide and propylene oxide are stored under similar conditions. An exhaustive study using other catalyst systems has not been undertaken. The results of the present study suggest that the level of control measures recommended for the storage and handling of ethylene oxide¹ is not justified for propylene oxide, although a similar design philosophy may be appropriate. More detailed knowledge of the likelihood of contamination or temperature excursions under industrial conditions is required before the relative hazards can be properly assessed.

References
1 'Guidelines for the Bulk Handling of Ethylene Oxide', Chemical Industries Association, 1983
2 Gupta, N. K., 'The Explosive Polycondensation of Ethylene Oxide', J.S.C.I. 68, June 1949
3 Pogany, G. A., 'On the Safe Use of Alkylene Oxides in High-Pressure Bench-Scale Experiments', Chem. Ind. (London), January 1979
4 Yaws, C. L. and Rackley, M. P., 'Ethylene, Propylene and Butylene Oxides', Chem. Eng., April 1976
5 Semenov, N. N., Z. Physik, 1928, Vol 48, pp 571

© British Crown Copyright

Computerized hazards analysis: the backbone of a hazards analysis effort/basis for a corporate hazards information exchange

C. Robert Nelms
Failsafe Network, Inc., 4337 Roundhill Drive, Chesterfield, VA 23832, USA

Computerized hazards analysis has many obvious advantages. Criticality codes can be assigned, modified, sorted, grouped, and regrouped. Critical event assignments can be automatically tracked. Graphics capability can show the distribution of various types of hazards dramatically, and the risks involved with each. But computerized hazards analyses can provide benefits orders of magnitude beyond those mentioned above. Consider the following: as hazards analyses are performed, i.e., as hazard severity, critical events, and risks are defined for each component and each operator action in your facility, you are relying on the memories of many people for much of your input. The following text includes real life examples of such a situation.

(Keywords: hazard analysis; risk; criterion)

For example, you might ask 'Can this compressor cause downtime? If so, how, how often, and to what extent does it affect the rest of the plant?' During this questioning, you will be relying on historical records, your own experience, and the experiences of operators and maintenance personnel. The capturing of this information in specifically structured computer form, along with the routine inputting of all unanticipated critical events, is actually the beginnings of an expert system relating to the operating hazards of a plant. If performed uniformly throughout a corporation, this type of information could be shared for the benefit of all.

Received 19 May 1988
A crisis avoidance machine

It is the fuel that drives our crisis avoidance machine. Without the fuel, the machine stops, exposing us to unexpected catastrophe. Bhopal, Chernobyl, the Challenger, and Three Mile Island have helped highlight the absolute necessity for this machine. Industry can no longer afford to react to its crises. It is time for industry to proact. Fortunately, proactive machinery (proactive approaches) has been successfully implemented in a variety of industries. A close scrutiny of these success stories reveals their dependence on a formal structured approach. Recognizing this, the U.S. government, as well as many defence and design contractors, require strict adherence to MIL-STD-882B, 'System Safety Program Requirements', in many of their contracts. Paraphrased from MIL-STD-882B, a specific structure is necessary 'for developing and implementing a comprehensive system safety program', 'to help identify the hazards of a system and to impose design requirements and management controls to prevent mishaps', 'by eliminating hazards or reducing the associated risk to a level acceptable to the managing activity'. (Although the standard is addressing safety, its emphasis can be applied to any proactive effort, i.e., avoiding any crisis large or small.)

What is a hazards analysis?

A hazards analysis is nothing more than a structured root cause crisis investigation, performed before the crisis occurs. It attempts to detail all potential causes of unexpected undesirable events. It assigns relative probabilities to each potential cause. It allows one to focus immediate attention on the largest risks. Most importantly, it helps to specify the means of avoiding the crisis, or at least managing the crisis if it does occur. It is the epitome of a proactive approach towards operating a plant. It helps to eliminate the reactive firefighting that personnel complain of most often.

A hazards analysis cookbook?

Hazards analyses must be practical. They must be consistent. They must be performed in a timely manner, by available resources, on a continuous basis. Above all, they focus most assiduously on that which is to be avoided. If they do not meet the above criteria, they cannot provide reliable information. The following approach provides a comprehensive, practical review of your operations for operating hazards. The approach was specifically developed for use by available resources, i.e., anyone with plant experience and an engineering background. Most importantly, the approach is structured for adaptability to computer input and manipulation. All knowledge acquired as a result of this approach is to be input to a computer database for manipulation, retrieval, tracking, and updating. Although not a cookbook, the following steps can guide the analyst to consistent, practical results.

• What can go wrong
• How can it happen
• Making sure it will not happen
• Putting it in writing

Step 1: what can go wrong

Because of its importance, this step will be discussed in considerable detail. Actually, this step is presented in seven substeps:

• Specifically define the 'mishaps' to be avoided
• Document your understanding of the physical system(s)
• Comb through the physical system for potential causes of the mishaps
• Document your understanding of human interactions affecting the physical system(s)
• Comb the human interactions for potential causes of the mishaps
• Identify 'critical events'
• Make 'critical event' assignments

Specifically define the 'mishaps' to be avoided

The 'safety' orientated definition of mishap, from MIL-STD-882B, is 'an
unplanned event, or series of events that result in either death, injury, occupational illness, or system damage'. However, the approach can be used to avoid any event, i.e., any mishap. For example, these approaches can be used to avoid:

• Lost production
• Deviations from product quality targets
• Deviations from theoretical maximum product yields
• Product recalls due to mislabelling

The approaches developed for avoiding safety related problems can be used to avoid any specifically defined event. Whatever your definition, it is vital to specifically state it, make others aware of it, and focus relentlessly on it throughout the analysis.

Document your understanding of the physical system(s)

Develop schematic flow diagrams, to the component level, for all processes under consideration. The schematics should be reviewed by appropriate personnel to assure accuracy. If drawings are not available, find the 'experts' in the plant. All plants have at least one expert per system. Have them draw you a schematic diagram, then walk through the plant with them to see the actual equipment. If at all possible, digitize the drawings of the schematics, i.e., either create the drawings on a computer, or pass conventional drawings through a digitizer. Digitized drawings can be modified and telecommunicated anywhere at will. Do not be surprised if your schematics become popular. They will be an invaluable aid for anyone wishing to understand the plant. Once the flow diagrams are complete and validated, they are used to form the master database. Table 1 shows a completed master database after inputting the information from the flow diagrams. Note columns for system, subsystem, component, and function documenting our understanding of the system. The column headings should be identical for all analysed systems.

Comb through the physical system for potential causes of the mishaps

With the schematic flow diagrams and master database as guides, ask yourself of each component: 'How can this component cause a mishap?' (identify the event associated with the component which can cause the mishap). 'If this is a chronic problem, how often does this event presently occur?' 'What is the specific effect of the event?' As this questioning progresses, information is recorded in the database. Information should be obtained from acknowledged experts, historical records, and one's own experience.

Document your understanding of human interactions affecting the physical system

Similar to the dissection of the physical systems, discrete action steps should be developed where human interaction exists. Two types of operations are usually encountered. Assembly or batch type operations are usually labour intensive, requiring specific step by step instructions to achieve the desired result. Discrete operator action steps are a natural consequence of such an operation. If such action steps are not available, you have uncovered a major deficiency. Continuous process operations are usually not labour intensive, are usually automatically controlled, and require little human interaction. Operating instructions for continuous process plants are usually more confusing compared with assembly operations. Operator actions are usually responsive to process conditions. If process conditions deviate in one direction, the required input is one thing. If in the other direction, the input is another. Thus, decision-tree algorithms are usually available to aid in your dissection of these operating instructions. Most importantly, startup and shutdown procedures should be available for analysis. Most human error occurs during the startup or shutdown of a process. Whichever type of operation, it is important to define discrete action steps for each human interaction with the process.

Comb the human interactions for potential causes of the mishaps

With your discrete action steps in hand, observe the operation asking: 'How can this action step cause a mishap?' (identify the event associated with the action step which can cause the mishap). 'If this is a chronic problem, how often does this event presently occur?' 'What is the specific effect of the event?' As in the review of physical systems, all information gained as a result of this review should immediately be recorded in the database.

Identify 'critical events'

As a result of these analyses, perhaps hundreds of events will have been identified. Some of these events will have occurred routinely for years (chronic events). Other events will have never occurred, and had better not ever occur (sporadic events). Also as part of these analyses, you have determined the effect of each event. Table 1 shows the effect of each hazardous event in our sample analyses. Some of these events have major consequences, and some consequences are negligible. By sorting these consequences, as in Table 2, it becomes apparent that a few events are responsible for the majority of risks. How are action thresholds determined? In other words, which events are critical? This is dependent on many factors. Many facilities focus on events responsible for 80% of the loss associated with the mishaps. As seen in Table 2, 14 events cause 80% of the risk in one analysis. In this case, a threshold of '1000 pounds per day' was established (Figure 1). Anything causing over 1000 pounds per day was attacked. Anything costing less than 1000 pounds per day was ignored. As the 14 items were addressed, the thresholds were lowered. Other facilities rely on a 'hazard risk assessment matrix' as described in MIL-STD-882B. However defined, events exceeding the thresholds are called 'critical events'.

Table 2 High risk events, risk threshold = 1000

No. | System | Subsystem | Component | Hazard (failure mode resulting in loss) | Ballpark severity, lb (calculated) | Ballpark risk, lb/day (calculated) | Cumulative severity | Cumulative risk
1 | Main machine | Intake | Unknown | Running failures | 3,700 | 22,350 | 3,700 | 22,350
2 | Main machine | Intake | Transfer system | No transfer | 3,700 | 22,000 | 7,400 | 44,350
3 | Elec source | State distr. | Source | No power/power blip | 113,540 | 2,500 | 120,940 | 46,850
4 | Machine No.2 | Main drive | Brake | Will not disengage | 200 | 2,130 | 121,140 | 48,980
5 | Machine No.2 | Main drive | Brake | Will not engage | 1,400 | 2,120 | 122,540 | 51,100
6 | Machine No.3 | Transmission | Clutch | Burned face | 350 | 2,120 | 122,890 | 53,220
7 | Machine No.3 | Transmission | Accelerating ring | Worn | 200 | 1,150 | 123,090 | 54,370
8 | Machine No.3 | Main drive | Brake | Will not lock | 490 | 1,140 | 123,580 | 55,510
9 | Machine No.3 | Transmission | Clutch | Dimensionally incorrect | 540 | 1,100 | 124,120 | 56,610
10 | Machine No.5 | Main drive | Bearing No.1 | Tolerances open | 1,150 | 1,090 | 125,270 | 57,700
11 | Machine No.5 | Main drive | Bearing No.2 | Tolerances open | 400 | 1,050 | 125,670 | 58,750
12 | Machine No.5 | Main drive | Bearing No.3 | Tolerances open | 390 | 1,020 | 126,060 | 59,770
13 | Machine No.5 | Main drive | Bearing No.4 | Tolerances open | 350 | 1,015 | 126,410 | 60,785
14 | Main machine | Exhaust | Camshaft | Worn lobes | 25 | 1,000 | 126,435 | 61,785

[Figure 1 Determination of action thresholds; shaded area = critical hazard identification area. Plot title: hazard/risk analysis, all systems. Vertical axis: risk, lb lost per day, on a logarithmic scale from 10 to 100,000, with the threshold line drawn at 1,000; horizontal axis: all events.]

Make 'critical event' assignments

Critical event assignments can now be made, and tracking begins. Table 3, a part of the critical event database file, contains all information important to hazard management. Reports are routinely generated to show the status of 'open' assignments. At this point, we have concluded step 1. A review of progress is necessary at this point.

• We have defined, precisely, the mishaps to be avoided.
• We have characterized a system both operationally and schematically. The characterization has been documented for review by others.
• We have systematically looked for actions and conditions which are prerequisite to our mishaps.
• We have quantified the effects of these actions and conditions, and established action thresholds. Any event rising above the threshold is identified as a 'critical event'.
• We have made critical event assignments, and have begun tracking progress on each assignment.

[Table 3 Risk Management Assessment Report (part of the critical event database file). Only the column headings and fragments of one record survive extraction. Columns: ID No.; Sys/subsys/comp; Comp description; Potential events leading to critical hazard; Critical hazard; Effect; Safety devices; Type; Adequacy; Recommendations; RSK LVL; SVRTY; RSK THRSHLD; ACCUM; Status; Engineer; Assigned; Current. The surviving record concerns a superheater fire (steam source/superheater system; effect: loss of area for days/fire), assigned to engineer Smith on 09/10/86, at status 3 as of 11/29/87, with recommendations of type RD that include routine inspection of safety devices.]

Step 2: how can it happen

Fault tree analysis is most commonly used to document the root causes of critical events. It is essential to note that our analyses have been addressing both 'chronic' and 'sporadic' problems. Thus, our root cause analyses will be addressing current problems, i.e., problems occurring daily, as well as dreaded problems, i.e., problems which should be avoided at almost any cost. Using each critical event as the 'top event' of its own fault tree, the analyst defines the 'causes of the cause of the cause', etc., until its potential roots are defined. Many identified critical events will not require fault trees, i.e., their roots will be obvious. Others will require elaborate trees. Whatever method is employed, it is imperative to define the potential root causes of each critical event.

Step 3: make sure it will not happen

All critical events have now been analysed to their root causes. The roots have been described and input to the master database. Many of these roots have probably been addressed sufficiently. To pass judgement on the adequacy of risk management, a set of rules must be established. The rules will be different for each facility. Referring to your rules, grade each root cause. Those causes passing the grade require no further action. But those causes not passing the grade must be acted upon. All judgements are recorded in the database, as shown in Table 3.
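The ranking that produces Table 2, written out as an added worked example rather than code from the paper or from Failsafe Network. The 14 events are the rows of Table 2 with severity and risk as printed there; the below-threshold tail of the database is constructed (not the paper's data) so that those 14 events account for 80% of total risk; and the 1000 lb/day threshold is applied as 'at or above', because the 1,000 lb/day camshaft event is included in the table.

```python
"""Risk ranking of hazardous events, in the style of Table 2 of the paper.

Each event carries a ballpark severity (lb lost per occurrence) and a
ballpark risk (lb lost per day, i.e. severity x expected occurrences per day).
The events are sorted by risk, cumulative totals are formed, every event at or
above the action threshold is flagged as a 'critical event', and the smallest
group of top-ranked events accounting for 80% of the total risk is reported.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    system: str
    subsystem: str
    component: str
    hazard: str           # failure mode resulting in loss
    severity_lb: int      # ballpark severity, lb lost per occurrence
    risk_lb_per_day: int  # ballpark risk, lb lost per day


@dataclass(frozen=True)
class RankedEvent:
    rank: int
    event: Event
    cum_severity: int
    cum_risk: int
    cum_share: float      # cumulative risk as a fraction of total risk
    critical: bool        # at or above the action threshold


# The 14 high-risk events of Table 2 (severity and risk as printed there).
TABLE_2 = [
    Event("Main machine", "Intake", "Unknown", "Running failures", 3700, 22350),
    Event("Main machine", "Intake", "Transfer system", "No transfer", 3700, 22000),
    Event("Elec source", "State distr.", "Source", "No power/power blip", 113540, 2500),
    Event("Machine No.2", "Main drive", "Brake", "Will not disengage", 200, 2130),
    Event("Machine No.2", "Main drive", "Brake", "Will not engage", 1400, 2120),
    Event("Machine No.3", "Transmission", "Clutch", "Burned face", 350, 2120),
    Event("Machine No.3", "Transmission", "Accelerating ring", "Worn", 200, 1150),
    Event("Machine No.3", "Main drive", "Brake", "Will not lock", 490, 1140),
    Event("Machine No.3", "Transmission", "Clutch", "Dimensionally incorrect", 540, 1100),
    Event("Machine No.5", "Main drive", "Bearing No.1", "Tolerances open", 1150, 1090),
    Event("Machine No.5", "Main drive", "Bearing No.2", "Tolerances open", 400, 1050),
    Event("Machine No.5", "Main drive", "Bearing No.3", "Tolerances open", 390, 1020),
    Event("Machine No.5", "Main drive", "Bearing No.4", "Tolerances open", 350, 1015),
    Event("Main machine", "Exhaust", "Camshaft", "Worn lobes", 25, 1000),
]

# Constructed below-threshold events (not from the paper) standing in for the
# rest of the database; their risks sum to 15,440 lb/day so that the 14 events
# above carry just over 80% of the total.
CONSTRUCTED_TAIL = [
    Event("Misc.", "Misc.", f"Component {i + 1}", "Constructed minor failure", 100, risk)
    for i, risk in enumerate([990 - 20 * i for i in range(18)] + [680])
]

ALL_EVENTS = TABLE_2 + CONSTRUCTED_TAIL


def rank_events(events, threshold_lb_per_day=1000):
    """Sort by risk (highest first) and build the cumulative columns of Table 2."""
    total_risk = sum(e.risk_lb_per_day for e in events)
    ordered = sorted(events, key=lambda e: e.risk_lb_per_day, reverse=True)
    ranked, cum_sev, cum_risk = [], 0, 0
    for i, e in enumerate(ordered, start=1):
        cum_sev += e.severity_lb
        cum_risk += e.risk_lb_per_day
        ranked.append(RankedEvent(i, e, cum_sev, cum_risk, cum_risk / total_risk,
                                  e.risk_lb_per_day >= threshold_lb_per_day))
    return ranked


def critical_events(ranked):
    """The 'critical events': those at or above the action threshold."""
    return [r for r in ranked if r.critical]


def pareto_count(ranked, share=0.8):
    """How many top-ranked events are needed to reach `share` of total risk."""
    for r in ranked:
        if r.cum_share >= share:
            return r.rank
    return len(ranked)


if __name__ == "__main__":
    table = rank_events(ALL_EVENTS)
    print(f"{len(critical_events(table))} critical events; "
          f"top {pareto_count(table)} events carry 80% of the risk")
    for r in critical_events(table):
        e = r.event
        print(f"{r.rank:2d} {e.system:13s} {e.component:18s} {e.hazard:24s} "
              f"{e.severity_lb:7,d} {e.risk_lb_per_day:6,d} {r.cum_severity:8,d} {r.cum_risk:7,d}")
```

Lowering `threshold_lb_per_day`, as the paper describes doing once the first 14 items were addressed, pulls the next band of the constructed tail into the critical list without touching the ranking itself.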
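Steps 2 and 3 as an added example, not the paper's own code: a fault tree whose top event is the superheater fire of Table 3, walked down to its root causes, evaluated for probability and importance, and graded against a facility rule. The gate structure, the probabilities and the grading rule are constructed for illustration; the safeguard Type (RD/CM/PM/*), Adequacy (A/M/I) and Status codes follow the key to Table 3.

```python
"""Steps 2 and 3: root causes of a critical event by fault tree, and grading them.

A critical event is the 'top event' of its own fault tree. Gates combine their
children with AND (all must happen) or OR (any suffices); the leaves are the
potential root causes. Each root is then graded against a facility rule using
the safeguard codes of Table 3 (Type RD/CM/PM/*, Adequacy A/M/I).
"""
from dataclasses import dataclass
from math import prod
from typing import Optional, Union


@dataclass(frozen=True)
class Root:
    """A basic event: a potential root cause with its existing safeguard."""
    name: str
    probability: float      # constructed per-demand probability
    safeguard_type: str     # RD, CM, PM or * (none), as in Table 3
    adequacy: str           # A, M or I, as in Table 3


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str               # "AND" or "OR"
    children: tuple         # of Root or Gate


Node = Union[Root, Gate]


def root_causes(node: Node) -> list:
    """Walk 'the causes of the cause of the cause' down to the leaves."""
    if isinstance(node, Root):
        return [node]
    return [r for child in node.children for r in root_causes(child)]


def probability(node: Node, forced: Optional[dict] = None) -> float:
    """Top-event probability; `forced` pins named roots to 0 or 1 (for importance)."""
    forced = forced or {}
    if isinstance(node, Root):
        return forced.get(node.name, node.probability)
    ps = [probability(c, forced) for c in node.children]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":                # independent events: 1 - P(none occur)
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def birnbaum_importance(top: Gate, root: Root) -> float:
    """How far the top-event probability moves between this root being certain
    and impossible; the roots with the largest value deserve attention first."""
    return probability(top, {root.name: 1.0}) - probability(top, {root.name: 0.0})


STATUS_TO_BE_ASSIGNED = 1   # status codes from the key to Table 3
STATUS_CLOSED = 6


def grade(root: Root, marginal_limit: float = 0.02):
    """Constructed facility rule: an adequate safeguard passes; a marginal one
    passes only for an improbable root; inadequate or absent safeguards fail."""
    passes = root.adequacy == "A" or (root.adequacy == "M" and root.probability < marginal_limit)
    return passes, (STATUS_CLOSED if passes else STATUS_TO_BE_ASSIGNED)


# Constructed fault tree for the superheater fire of Table 3; the causal
# structure and the numbers are illustrative, not the paper's data.
SUPERHEATER_FIRE = Gate("Superheater fire", "AND", (
    Gate("Heater energized with no flow", "OR", (
        Root("Flow controller fails with set-point '0'", 0.02, "CM", "M"),
        Root("Control valve fails closed", 0.01, "PM", "A"),
        Root("Steam source lost", 0.05, "*", "I"),
    )),
    Gate("Safety devices fail to cut power", "OR", (
        Root("Flow switch inoperative (never checked)", 0.10, "*", "I"),
        Root("High-temperature trip fails", 0.05, "RD", "A"),
    )),
))


def action_list(top: Gate) -> list:
    """Roots failing the grade, most important first, with their status code."""
    rows = []
    for r in root_causes(top):
        passes, status = grade(r)
        if not passes:
            rows.append((r.name, birnbaum_importance(top, r), status))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print(f"P(top) = {probability(SUPERHEATER_FIRE):.5f}")
    for name, importance, status in action_list(SUPERHEATER_FIRE):
        print(f"{importance:.4f}  status {status}  {name}")
```

Roots that pass the grade map straight to status 6 (closed); the rest enter the database at status 1 (to be assigned) in order of importance, which is the list an engineer such as the one in Table 3 would be handed.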
Key to Table 3 (Risk Management Assessment Report). Type: RD, redesign; CM, condition monitoring; PM, prdc monitoring; *, none. Status: 1, to be assigned; 2, analyses in progress; 3, awaiting review; 4, returned for further evaluation; 5, approved, awaiting implementation; 6, closed. Adequacy: A, adequate; M, marginal; I, inadequate.

Step 4: document conclusions

Results of the hazards analyses can be documented automatically. If all suggested steps have been performed, the following information is stored in the database and ready for assembly in report form:

• Schematic description of process equipment
• Equipment hazards database
• Human hazards database
• Critical event criteria
• Critical event summary
• Critical root causes
• Required actions

Such a report represents a comprehensive analysis of the operating hazards of a facility. As the facility is modified, the hazards analysis database should reflect the changes and address unacceptable risks.

Conclusions

Hazards analysis is the fuel that drives our crisis avoidance machines. Other, more reactive approaches can help determine why a catastrophe occurs, after the fact. But a proactive approach towards crisis management insists on analysing the crisis before it occurs. The structure required by a computer database helps the analyst to be consistent from study to study. Computer structure can also help companies to be consistent from factory to factory. Although consistency does not ensure a quality analysis, the structure can be modified, i.e., upgraded when deficiencies are found. The approach discussed herein is being pursued at a number of U.S. facilities. As mistakes are made, as shortcuts are discovered, and as the process becomes more practical, generalized computer codes will undoubtedly appear: codes with built-in probability tables and menu-driven analyses. These codes could break open the field of hazard/risk analysis, minimizing the tragedy of catastrophe and the excuses of negligence.

Book Reviews

Major chemical hazards
V. C. Marshall
John Wiley & Sons Ltd, New York, USA, 1st Edition, 1987, pp. 587, ISBN 085312969X, £59.50

In the introductory chapter of this book, the author states that the aim of the book is 'to identify those hazards which possess the potential for major harm; to examine the circumstances in which this potential may be realized; to identify the consequences which are likely to ensue if the potential be realized; to examine those methods of control which will minimize the probability of such events occurring; and to survey the measures which may be taken to mitigate the consequences in the event that there is a failure of the preventative measures'. After reviewing this very impressive book, I would say that the author has accomplished his objectives very successfully. The book contains 26 chapters and four appendices with many examples of actual incidents. The first four chapters are of an introductory nature outlining the historical origins of major chemical hazards, sources of information and reports of public inquiries, and the nature of hazards and risks. Chapter 5 discusses the handling and storage of liquids and gases, and the behaviour of various types of liquid spillages. Some common causes of the failure of pressurized systems that contain liquified gases are reviewed in Chapter 6, while Chapter 7 is a good summary of the formation and dispersal of vapour clouds. However, the author does not seem to have included any discussion of methods for calculating discharge rates of releases, which are required for quantifying the consequences of accidental releases. Also, the reader should consult the recent publication of the AIChE Center for Chemical Process Safety (CCPS) entitled 'Guidelines for Vapor Cloud Dispersion Models' by S. R. Hanna and P. J. Drivas for a comprehensive review and critical evaluation of this field. Cataclysmic fires are reviewed in Chapters 8 and 9. Various types, such as pool fires, chemical conflagrations, fire balls, and anaerobic fires are discussed, as well as thermal radiation and its effect on people. Case histories of cataclysmic fires are presented in Chapter 9. In a simple manner, explosions are covered in Chapters 10 and 11. Special problems of rarefied explosions (dust, confined gas, and vapour cloud explosions) are the topic of Chapter 12 and a good number of case histories of rarefied explosions are described in Chapter 13. Two important references in dust explosions venting and prevention, namely, NFPA publications Nos. 68 and 69, are omitted by the author. Chapter 14 is concerned with the problems of containment of toxic substances and the consequences of toxic gas release. Case histories of toxic releases are given in Chapter 15. Chapter 16 concludes the review of major chemical hazards with a discussion of miscellaneous other major hazards. In Chapter 17, the general principles underlying the control of major chemical hazards are outlined, and then the quantification of hazards is reviewed in Chapter 18, with the emphasis on establishing the principles upon which threshold values for the level of inventory which constitutes a major hazard may be determined. The next six chapters cover legislative control, the role of management in the control of major chemical hazards, the siting and protection of buildings in hazardous areas (a particularly useful chapter), safety professionals and their training, the role of professional institutions in the control of major hazards, and research and consultancy. The book concludes with four appendices: glossary of terms, abbreviations, access to data bases on chemical accidents, and notes on the TNT equivalence of organic properties. The index could be a bit more complete, in my opinion. Although this book is not as comprehensive as the monumental work by Professor F. P. Lees (which I was glad to learn is being revised), it contains a great deal of useful information, including much up-to-date data (many references are as recent as 1985 and 1986). The incorporation of many case histories is a valuable adjunct to the discussions of the different types of accidental events. This book will be a valuable addition to the library of the loss prevention engineer.

S. S. Grossel
Hoffmann-LaRoche Inc., Nutley, NJ 07110, USA