- Email: [email protected]
Emergency Management
CHAPTER
EMERGENCY MANAGEMENT
12
CHAPTER OUTLINE Introduction ........................................................................................................................................ 519 Abnormal Situation Management.......................................................................................................... 520 Human Response ................................................................................................................................ 521 Troubleshooting .................................................................................................................................. 522 Levels of Emergency ........................................................................................................................... 523 Emergency Planning............................................................................................................................ 526 Emergency Shutdown .......................................................................................................................... 530 Fire and Gas Detection ........................................................................................................................ 532 Escape Routes .................................................................................................................................... 535 Firefighting......................................................................................................................................... 536
Some of the detailed information, such as fire water systems and Personal Protective Equipment that were in the first edition of this book have been moved to the new book, Design and Operation of Process Facilities.
INTRODUCTION The focus of this book is on helping companies meet their safety, environmental, and operational goals. Yet, no matter how well designed and operated a facility may be there are times when an emergency occurs and an immediate response is required. This chapter discusses the topics of emergency management and of emergency response systems in the context of a risk and reliability management program. Emergency response falls under the broader rubric of Abnormal Situation Management (ASM), in which a variable moves from the safe range, through the area of troubleshooting, and on to a true emergency as illustrated in Figure 12.1. Process Risk and Reliability Management. DOI: http://dx.doi.org/10.1016/B978-0-12-801653-4.00012-6 © 2015 Elsevier Inc. All rights reserved.
519
520
CHAPTER 12 EMERGENCY MANAGEMENT
Emergency limit—High
310 Troubleshooting ( )
Safe limit—High
Operating limit—High
275
245
Operating range
Operating limit—Low
Safe range
235 Optimum operation (239–240)
Safe limit—Low 210 Troubleshooting ( ) Emergency limit—Low
None
FIGURE 12.1 Operating, safe, and emergency limits.
Once a process variable moves outside its normal operating range it enters the region of “trouble” (245 275 in the upper range in Figure 12.1). When a facility is in its normal operating range the system is controlled by its instrumentation; the operator usually does not have a lot to do except keep an eye on things. It is when things start to go awry, i.e., when the system runs into trouble that the skills of the experienced operators and maintenance technicians are called upon. As the system moves out of the trouble range (275 in the example), the system becomes increasingly unsafe until eventually an emergency is declared (310 in the upper range of the example; there is no lower emergency limit in this case).
ABNORMAL SITUATION MANAGEMENT ASM has been defined as “undesired plant disturbances or incidents with which the control system is not able to cope, requiring a human to intervene to supplement the actions of the control system”
HUMAN RESPONSE
521
and “The objective of ASM is to bring the process back to normal before safety-shutdown systems or other safety-protection systems are engaged” (Carpenter, 2013). The consortium has identified three items as being particularly important: 1. Better shift handover communication 2. Better alarm flood management 3. Better situation awareness through the use of overview displays using qualitative gauges They have identified “Top 10 Failure Modes across all Incidents.” Of these the top three are: 1. Hazard analysis and communication 2. Establish effective first-line leadership roles to direct personnel, enforce organizational policies, and achieve business objectives 3. Establish an effective and comprehensive program to continuously improve the impact of people, equipment, and materials on plant productivity and reliability. Although the above topics are worthy to be emulated, they are very general in nature and provide little practical guidance to the managers who are actually running a facility.
HUMAN RESPONSE Emergency response always involves people. Therefore, it is important to understand how people respond during an emergency and how they should be trained, especially as the manner in which they behave during an emergency is likely to be quite different from their normal behavior.
HUMAN ERROR RATE When a situation is out of control and people are scared or panicky, their error rate is likely to be in the 10% 20% range, or higher. This means that, if an untrained person is asked to carry out five actions and a success rate of 80% for each action is assumed, then the probability of overall success is 0.85 or 33%. In other words, that person will most likely fail to execute the tasks properly. Instruments and mechanical equipment items, on the other hand, are not subject to emotional pressures, which is why it is usually best to rely on them during an emergency. The high error rate that most people exhibit during an emergency can be reduced by making sure that good emergency procedures are in place and by conducting as many drills as possible so that operating personnel have experience of what a real emergency may look like.
FIXATION During an emergency, people are often overloaded with urgent information. Consequently, they may tend to “fixate” on just one or two items, even if these items are only a minor part of the overall story. The situation will further deteriorate, if it turns out that an instrument signal on which the operator was fixated was wrong. Then, he or she will take actions that will exacerbate the situation. (Fixation on an incorrect signal was a factor in the accident at the Three-Mile Island nuclear power plant.)
522
CHAPTER 12 EMERGENCY MANAGEMENT
HEROISM AND BUDDY LOYALTY In many plants, there is a general rule that anyone who is not part of the emergency response team (ERT) should always move away from an emergency situation, not toward it. In practice, people sometimes feel compelled to take “heroic” action—thus violating this rule. One reason they do so is to protect or save a colleague who has been hurt. Such loyalty can lead to inappropriate action. For example, if someone is knocked down by fumes his buddy may go into the situation to rescue him without wearing the proper breathing gear. As a result there could be two people overcome by the fumes. The buddy should summon help as quickly as possible but not put himself in danger. A situation such as this occurred on a refinery. A supervisor had been over the isomerization unit for a few years, so he knew that unit very well indeed. However, some months prior to the incident he had been transferred to another department within that refinery. One morning he was walking past the isomerization unit on a routine task to collect environmental information. Suddenly, without any type of warning, a pump on the unit blew a seal and a large cloud of butane vapor was emitted. A fired heater was located nearby. If the butane cloud had lit off, a catastrophic explosion and fire would have occurred. The supervisor was faced with an immediate decision: (1) Should he run up to the pump, shut it down, and block it in and start the spare pump? Or (2) Should he move quickly to the control room, report the situation, and have them take the appropriate, formal action? In this case, the supervisor chose the first route, i.e., he decided to run to the pump and bring it to a safe condition and keep the facility running with the spare pump. Yet this was probably the wrong decision. After all, if the leak had lit off while he was taking those actions he would most likely have been killed or grievously injured. It is important to stress that the above comment is not a criticism of the person involved. After all, no one knows what they will do in an emergency. But the situation does stress the importance of going through drills and simulations so as to maximize the probabilities that correct actions will be taken.
TROUBLESHOOTING Troubleshooting has been defined as “the search for the hidden cause or causes that leads to inadequate performance.” A troubleshooting response is appropriate when there is no anticipated danger to personnel and when there is little chance of any significant equipment damage; usually the main concerns are about product quality, production rates, productivity, and equipment repair costs. Examples of “trouble” include: • • • • •
Product quality problems Erratic machinery performance Preparation for extreme weather conditions such as hurricanes or ice storms Minor environmental problems Reduced yields of raw materials and/or increased energy consumption
One of the most important decisions that an operator has to make when an abnormal operation occurs is to determine whether or not the situation with which he is faced represents “trouble” or an “emergency.” This decision often has to be made quickly and under considerable pressure. For this reason, knowledge of safe limits for all critical parameters (Figure 12.1) is vital.
LEVELS OF EMERGENCY
523
If the operator were to handle an emergency as if it were only an operational problem the consequences could, of course, be very serious. However, the opposite situation can be almost as bad. If he erroneously decides that trouble is an emergency not only will his subsequent actions lead to unnecessary production and productivity losses, but they may actually create an emergency. For example, tripping a motor-operated valve to its closed position in response to a misdiagnosis of an emergency can cause hydraulic and thermal shocks in other parts of the process that might cause an upstream flange to spread, leading to a release of toxic or flammable chemicals.
LEVELS OF EMERGENCY An emergency response can be divided into three phases: 1. The system is at or near the emergency limits, but the operators and supervisors believe that they are able to return the plant to normal conditions using normal operating procedures and techniques. It is critical that they understand the exact nature of the problem if they are to be successful in this. Many accidents would have been less severe had the operators not tried to “fight” the situation, but simply shut down the facility in an orderly manner. (On the other hand, a full facility shutdown is not always the best response to an incipient emergency because doing so increases the number of actions that the operator has to perform, and can stress many equipment items. The advantage of keeping the unit running is that the operators can concentrate on correcting the emergency situation. They do not have to simultaneously cope with bringing down all the other equipment in a safe manner. Moreover, the avoidance of a full shutdown means that the unit can be brought back online relatively quickly with minimal production loss). 2. The second phase of an emergency occurs when the safety instrumented system and other high reliability, automated devices (including relief valves) take over. At this point in time the role of the operator is simply to secure the unit as it shuts down. 3. In the third phase of an emergency, the situation is out of control. There may be a large fire or chemical release to contend with. The full emergency response system is needed to minimize injuries, environmental damage, and loss of equipment. Figure 12.2 provides more detail about what to do with the third phase. It shows the ways in which emergencies can be initiated, along with the appropriate levels of response.
CAUSE OF EMERGENCY At the top of Figure 12.2 are the possible causes of an emergency: either an internal event such as the failure of a pump seal leading to a major fire, or an external event such as a lightning strike or an explosion at an adjacent facility. These initiating events can be identified, listed, and analyzed when conducting hazards analyses and preparing a risk management plan. Factors to be considered when identifying potential accident scenarios include the location of a release, its magnitude, wind direction, and the number of people who may be in the area at the time of the release. It can be useful to model some of the scenarios, particularly the release of hazardous chemicals so that, if the accident actually does occur, the emergency responders will have some idea as to the size of the incident with which they may be expected to cope. Some companies even have online
524
CHAPTER 12 EMERGENCY MANAGEMENT
Internal initiating event
External event
Emergency operations Local emergency response General emergency response Recovery operations Investigation/ follow-up
FIGURE 12.2 Levels of emergency.
models that are available in real time. Then, if there is a release of that chemical, the response team can provide the modelers with current information so that a real-time prediction as to the magnitude of the incident can be developed. It is important to identify any chemicals that require special treatment during the course of an emergency. For example, the use of water on some chemicals may cause them to ignite. Chemicals such as these will need their own special means of response. A complicating factor is that most emergencies do not occur in isolation. Usually, there is a whole host of events going on at once. For example, the immediate emergency may be hydrocarbon overflowing from a tank. However, the cause of the overflow may have been the loss of electrical power to the site. That loss of power may also have compromised the firefighting capability of the ERT, or it may have led to a degradation of the internal communications channels. Moreover, if the spilled liquid were to ignite, the subsequent fire could burn through a critical utility header. Environmental events, such as earthquakes, are particularly prone to creating multiple, simultaneous emergency situations. For example, the earthquake that causes lines and vessels to rupture may also break the fire water header, thus placing the ERT in a less than enviable position.
EMERGENCY OPERATIONS The first level of response can be termed “emergency operations.” A line operator or maintenance technician notices that an emergency situation is developing and quickly responds to bring the
LEVELS OF EMERGENCY
525
system to a safe condition. For example, if a pump seal fails and flammable hydrocarbon liquids are being sprayed into the air, the operator will usually shut down and block in the pump, hose down the area, get the spare pump started, and call in maintenance to repair the failed seal. The emergency condition has been identified and corrected within just a few minutes. If immediate operating response is not sufficient, the operator can shut down sections of the unit so that the affected equipment can be repaired. Procedures to do with emergency operations and shutdown tell the operator how to do this without causing any further damage and without jeopardizing other units. Once more, the facility remains in operation. As a general rule, sources of heat such as fired heaters and steam reboilers should be shut down as an emergency develops. Cooling systems should continue to operate because they remove heat from the system. Utilities, such as the steam and air supplies, should remain in operation in order to retain control of the equipment that is still in operation. If there is a major accident, an accurate head count will determine if anyone needs rescuing. Therefore, the facility managers must always know how many people are on the site at any one time. For larger facilities, they should also know roughly where those people are within the facility. If key-swipe cards are used, barriers can be placed between major operating sections so that a person’s location is always roughly known. The persons responsible for running the unit should always know how many people are on the site at any one time. For larger facilities, they should also know roughly where those people are within the facility.
LOCAL EMERGENCY RESPONSE If an operator or maintenance technician recognizes that the situation is out of control and cannot be addressed through emergency operations, he or she can declare an emergency. With regard to the leaking pump seal the operator may not be able to get near the pump due to fumes in the area or because he feels that doing so would put him in danger. Therefore, he calls in the facility’s own ERT. The personnel on this team will be trained in the handling of emergencies, and they will be issued with the appropriate equipment and protective clothing.
GENERAL EMERGENCY RESPONSE If the situation becomes too large for the ERT to handle then they can call for help from outside organizations, including the local fire department, ambulance services, and other facilities in the area. The emergency plan must take into account the fact that these people are not familiar with the particular process where the emergency has occurred. Where possible, these outside agencies should have the opportunity of training with the plant ERT. In large industrial centers, such as the Texas Gulf Coast, the various plants coordinate their emergency response efforts in a mutual support system. So, if a facility has a fire and needs additional firefighting trucks, they will be supplied by neighboring units. If the incident is bad enough, there will be a ripple effect of emergency equipment moving toward the affected site from dozens of miles. It is important that the press and the public be informed of what is going on at the site, particularly if anyone is in any danger. Facility management should take the initiative when communicating with the public, and they should be open and as forthright as possible (given that there will be
526
CHAPTER 12 EMERGENCY MANAGEMENT
a good deal of uncertainty in the early stages of the response to an emergency). Telephone lines and other links for public communication must be available, and they must have sufficient capacity that they do not become jammed with unnecessary calls.
RECOVERY OPERATIONS As soon as the site is secure, and there is no danger to anyone, recovery of equipment and chemicals can start. At this time, the plant may contain many unexpected hazards, such as the danger of being struck by falling equipment that has had its foundations weakened by fire. Or there may be pockets of spilled chemicals in unexpected places. Some equipment may be contaminated with hazardous chemicals, and may need to be specially treated before it can be returned to service, or before the operators or maintenance personnel can use it.
INVESTIGATION AND FOLLOW-UP If the incident is serious, an investigation as to its cause will start as soon as everyone is out of danger. It is particularly important to find out what happened if there are reasons to believe that it could happen again, maybe at another site.
EMERGENCY PLANNING Once the nature of potential emergencies has been identified and analyzed, an emergency plan is needed.
ORGANIZATION AND PERSONNEL Each facility should have a special organizational structure for emergency response. There should be a single Incident Commander, who is in complete charge of the facility during the course of the emergency, and who directs an ERT; everyone else on the unit, including the normal management, report to the commander. The normal chain of command is bypassed until the emergency is over. The Incident Commander does not have to be a senior manager. The management skills required to run the plant on a day-to-day basis differ from those needed during an emergency. Therefore, line management may choose to assign this responsibility to someone else, probably a shift supervisor or a unit superintendent. An emergency command headquarters should be set up with communications equipment and bunker gear for the ERT members. The Emergency Plan must identify all the equipments that the emergency responders have and the equipments that they need to do their work properly. A map showing the location of fire hydrants, hose reels, safety showers, and other emergency equipment is needed.
EMERGENCY RESPONSE MANUAL Table 12.1 provides an example of a Table of Contents for an Emergency Response Manual.
EMERGENCY PLANNING
Table 12.1 Emergency Response Manual: Representative Table of Contents • • • •
• • • • • • • • • •
• • • • • • • • • • •
• • • • • • • • • • • •
Introduction Emergency Operations Initiating an Alarm Response to Alarm in Other Areas • Use of Fire Monitors • Use of Fire Extinguishers Evacuation Procedures Adverse Weather Conditions High Water/Floods Command Headquarters Equipment and Clothing Equipment Failure Line Break Hose Break Excessive Flaring Loss of Utilities • Loss of Cooling Water • Loss of Steam • Loss of Control Central • Loss of Instrument Air • Loss of Plant Air • Loss of Nitrogen External Coordination Other Facilities in the Area Equipment Suppliers Fire Department Police Department Regulatory Agencies Emergency Shutdown When to Shutdown Sequence of Actions Responsibility for Emergency Shutdown Post-Emergency • Cleanup following a Spill • Decontamination Reference Material Alarm Codes Area Responsibilities Description of the Fire Water Header Telephone List Fire/Police/Ambulance Coordination Mutual Aid List Emergency Organization Emergency Control Center Emergency Drills System Test and Maintenance Terrorist/Security Threats
527
528
CHAPTER 12 EMERGENCY MANAGEMENT
EMERGENCY PROCEDURES Emergency procedures differ from normal operating and troubleshooting procedures in the following ways: • • •
They should be short and to the point. Ideally, the emergency procedures should be memorized—there is no time for reading books or manuals during an emergency. They should not require complex decision making. Because there is an almost infinitely wide range of accidents that might occur, the emergency procedures have to be flexible. Yet, because time is of the essence, the procedures also need to be rigid, short, and precise. In practice, a procedure will be written to address a general problem, such as a hydrocarbon fire. The operators and emergency responders then need to be trained to use that procedure as the basis of their specific response. Most facilities have three types of emergency procedures:
1. Emergency Operating Procedures that describe how to run the plant when an emergency situation has been declared (say on another unit). 2. Emergency Shutdown (ESD) Procedures that describe how to conduct a crash shutdown, usually as the consequence of a fire or explosion. 3. Emergency Response Procedures that describe a site-wide response to an emergency that is affecting more than one unit. When writing emergency procedures it is important to make sure that they focus on bringing the facility to a safe state, at which time management and the operators can decide on the next step. It is tempting to turn an emergency procedure into an “Emergency Response and Restart” procedure. The danger with such an approach is that the operators may be tempted to restart before the facility has been secured, and before everyone understands what caused the ESD in the first place. Emergency operating procedures can be written in the same manner as normal operating procedures. Figure 12.3 is an example of an emergency procedure module. It uses the same format as shown for normal operating procedures. However, the “Response/Discussion” column has been eliminated because action must be immediate and unambiguous.
EMERGENCY RESPONSE TRAINING Although emergency procedures have to be written, they differ from normal procedures in one major respect: they are not likely to be used at the time of the event that they cover because, as already pointed out, technicians are not likely to have time to read a manual during an emergency. With regard to normal operations, if an operator is starting a pump, say, and has some concerns as to what to do, he can stop the operation, go to the manual, and find out what he is meant to do before taking further action. In an emergency, the operators and emergency responders must know what to do right away. In other words, they need to be trained in the use of the manual, and to drill as wide a variety of scenarios as possible. Another reason for the importance of training for emergencies is that, during an emergency, operators are going to behave on instinct, and to make snap decisions. For example, on one facility
EMERGENCY PLANNING
Module Name Module Number Person
529
Emergency Shutdown of F-6301, Recycle Fired Heater U.200.5.63
March 3, 2011
Action
1
#1 Technician
Sound the emergency alarm
2
#2 Technician
Turn off the burners
3
#2 Technician
Block in the feed at FCV-6303 (see picture)
4
#2 Technician
Stop steam to: 100-EX-11 100-EX-12 100-EX-25
5
#2 Technician
Isolate the following tanks at the tank farm T-101 T-101A T-369
6
#1 / #2 Technician
Follow normal shutdown procedures for F-6303 (Module U200.2.12)
FIGURE 12.3 Emergency response module.
a pump seal started leaking a flammable hydrocarbon. A supervisor from another unit was walking by. He instantly decided to walk quickly up to the pump, shut it down, and block it. He then reported his actions to the control room (which was close by). They started the spare pump, and returned the plant to normal operations within a few minutes. The supervisor’s quick response prevented a potentially catastrophic fire from starting. Nevertheless, he probably made the wrong decision. If the pump had caught fire while he was near it, he could have been killed or seriously injured. Probably his best response would have been to report to the control room that a pump was leaking, and have the unit operators shut down the pump in an orderly manner. The essential point was that he had not been trained in how to handle this situation so he made a snap decision. It would have been much better if that facility had trained everyone on what to do in the event of an unexpected pump seal leak, and then held some drills on the topic.
COMMUNICATIONS Coordination of the numerous activities involved in controlling a large fire requires a reliable means of communication. This is best accomplished with a dedicated emergency radio channel that
530
CHAPTER 12 EMERGENCY MANAGEMENT
provides rapid communication. Messengers should also be available to maintain communications should the radio system go down. It is also necessary to develop a plan for communicating with the public and outside agencies, as discussed by Wilson (1992).
EMERGENCY SHUTDOWN If a facility does suffer from a loss of containment due to a large leak from a valve, the rupture of a vessel or pipe, or the overflow of a tank, then an ESD sequence should be initiated. An ESD may also be initiated if the process has deviated outside its safe range and it is not being brought back to a safe condition in a timely manner. The response to emergency situations is often controlled by the Safety Instrumentation System and its associated Safety Integrity Levels (SILs).
ESD HIERARCHY An ESD is generally a hierarchical system that can perform a range of shutdowns from local to global depending on the extent of the emergency encountered. Table 12.2 provides an example of the level of shutdown that can be followed, depending on the severity of the emergency. For each level it is assumed that the actions of the level before it has taken place. A printer should record all the actions taken during an emergency, including: • • •
The sequence of events both before and following a trip All the operator actions, systems alarms, system input, and output status Color prints of graphic screens.
SHUTDOWN ZONES The philosophy for determining the number and extent of shutdown zones should include an evaluation of the maximum permissible inventory of various fluids in any one zone. This will be an output from a risk assessment. The defined quantities are likely to be different for onshore and offshore facilities. The following should be considered for the analysis: • • •
Areas containing significant flammable gaseous inventory Areas containing significant toxic gaseous inventory Equipment items containing significant hydrocarbon inventory.
For vessels containing large inventories of liquid hydrocarbon or liquids above their autoignition temperatures (AIT), emergency isolation facilities should be provided. An emergency isolation valve should be provided on a vessel or column liquid outlet when inventories of flammable materials exceed values such as those shown in Table 12.3. More stringent inventory limits may apply offshore.
EMERGENCY SHUTDOWN
531
Table 12.2 ESD Hierarchy Level
Typical Causes
Suggested Actions to be Taken
1 Unit shutdown
• Deviation outside safe limits that cannot be brought under control • Automatic shutdown
• • • •
2 Process shutdown
• Loss of a utility such as instrument air, hydraulic pressure, electrical power • Hi-hi level in a flare knockout drum or scrubber
• Shutdown all process equipment • Shutdown all chemical injection • Offshore: shut subsea production valves
3 Emergency shutdown
• • • •
Manual ESD Automatic ESD Fire or explosion Confirmed toxic gas detection in a nonhazardous area
• Close all ESD valves • Open all blowdown valves • Shut down all electrical equipment apart from life-support systems • Start fire water pumps, emergency generators • A read-only communications link should exist between the ESD and plant control systems to allow the display of alarm and status information to the operator However: • Continue power generation but switch from fuel gas to diesel until the diesel day tanks are empty
4 Facility abandonment (offshore)
Can be initiated manually from the Central Control Room or from selected, strategically located manual stations such as the helideck or lifeboat stations Only authorized personnel should initiate this action
• Total shutdown However, the following will remain operational: • Emergency lights • Navigational lights (offshore) • Public address and alarm systems • Diesel fire water pumps
Production shutdown Localized equipment shutdown Shutdown of packaged equipment Depressurization/blowdown (with a 1 minute delay timer to allow for operator override) However: • Where possible, other units will be kept running • Utility systems may be kept running
SYSTEM RESET Once the emergency is over, and assuming that the facility is fit for operation, a restart sequence has to be initiated. Generally, this means that all individual field inputs will have to be reset before the overall field reset can be applied.
532
CHAPTER 12 EMERGENCY MANAGEMENT
Table 12.3 Vessel Content Limits (Typical) Vessel Content
Inventory at Normal Liquid Level
LPG
.4 tonnes
Hydrocarbons above AIT
.5 tonnes
General hydrocarbons
.30 tonnes
FIRE AND GAS DETECTION The best response to an emergency is to know about it as soon as possible, which means that instruments for detecting fire and/or gas releases should be provided in all sections of the facility. The signals will go to a central fire and gas detection system, which will call for the appropriate response to the alarm (either from the operators or the automatic instrumentation). Responses can include: • • • • • •
Providing warning to the operators so that can start manual firefighting immediately. Providing an alarm to workers in specific areas so that they can evacuate those areas. Starting fixed fire suppression systems and special systems such as CO2 deluge. Shutting down Heating, Ventilating and Air Conditioning System (HVAC) and electrical systems. Starting fire water pumps in standby mode. Initiating a partial or facility-wide shutdown.
A fire or gas alarm will be communicated through audible alarms, usually supplemented by a public address system. In high noise areas (80 dBA and greater) visible strobes can also be provided.
FIRE DETECTION Fire detection systems used in the process industries are listed in Table 12.4, along with a summary of the advantages and disadvantages of each.
FIRE EYES/FLAME DETECTORS A fire eye or flame detector detects the radiation from a flame. It requires line-of-sight capability— there must be no blockages between the instrument and the potential fire locations. A fire eye’s field of vision usually covers a larger area than that of a heat detector, but it will not detect a smoldering fire as quickly as some smoke detectors. Flame detectors are not affected by air flow characteristics. They are suitable for inside or outside use, but they must be shielded from external sources of ultraviolet or infrared radiation such as welding arcs, lightning, or radiating black bodies such as hot engines or manifolds. Ideally, the fire detection system should have more than one fire eye detecting a fire so that false alarms can be weeded out. Flame detectors can be installed inside the enclosures of all engine-driven equipment; including turbine-driven generators, compressors, and emergency and essential generators.
FIRE AND GAS DETECTION
533
Table 12.4 Fire Detection Systems Type
Advantages
Disadvantages
Applications
Fire eye (ultraviolet)
High speed High sensitivity Moderate cost
Potential for false alarms Blinded by thick smoke
Outdoors or indoors
Fire eye (infrared)
High speed Moderate sensitivity Easy to test manually Moderate cost
Affected by temperature Subject to false alarms from the many other sources of IR radiation
Outdoors or indoors
Smoke detectors (ionization)
Detects smoldering fires Low cost
Easily contaminated Affected by the weather
Indoor use
Smoke detectors (photoelectric)
Detects smoldering fires Low cost
Easily contaminated
Indoor use
Thermal/heat detectors
Reliable Low cost
Slow Affected by the wind
Indoor use
Rate of heat rise detectors
Self-adjust for temperature and ambient conditions Rapid detection of growing fire
Affected by the wind
Indoor use
Fusible links
Does not need electricity High reliability Low cost
Very slow Heat must impinge
Outdoors or indoors
Low oxygen detectors
Warn of accidental release of inert gas
Do not warn of fire directly
Indoors—especially in confined spaces
Combustible gas detectors
Warning occurs before the fire starts
Require more than one instrument to confirm a release
Outdoors or indoors. Can be portable
Manual call points
Does not rely on instrumentation
Likely to be slow False alarms possible
Outdoors and at key locations indoors
Older types of fire eye detector, which worked in the ultraviolet range, sometimes had difficulty distinguishing between the fire radiation and other sources of radiation, such as that from a lightning bolt. Modern detectors, many of which use infrared, generally do not suffer from this defect.
SMOKE DETECTORS Smoke detectors are particularly useful in those situations where the fire is likely to generate a substantial amount of smoke before temperature changes are sufficient to actuate a heat detection system and before a fire eye will detect a flame. Smoke detectors use a photoelectric beam between a receiving element and light source. If smoke obscures the beam an alarm is sounded. There are
534
CHAPTER 12 EMERGENCY MANAGEMENT
also refraction-type models that measure the light changes that occur within the instrument when smoke particles enter it. Area smoke detectors are generally installed in buildings and accommodation areas. Where this is not practical—say in the galley area—other types of fire detector should be used. Actuation of a single smoke detector will initiate a fire alarm. If additional detectors sound an alarm, the equipment in the area of the fire and HVAC systems will be shut down.
HEAT DETECTORS Heat detecting devices fall into two categories: those that respond when the detection element reaches a predetermined temperature (fixed-temperature types) and those that respond to an increase in temperature at a rate greater than some predetermined value (rate-of-rise types). The two types can be combined into a single instrument. They are generally installed when the use of smoke detectors is not practical, or as a backup to smoke detectors. They are used in the following locations: • • • • •
Engine-driven equipment enclosures Living spaces Maintenance workshops and laboratories Machinery and pump rooms Electrical rooms.
Actuation of a single thermal fire detector can be considered a confirmed fire condition, resulting in actuation of appropriate shutdown and fire protection actions.
FUSIBLE LINKS Fusible links are made of low melting point materials designed to vent pneumatic systems as the fire melts the link. The depressurization can open fire deluge valves. Fusible links are very reliable, but they do require that the fire be well under way before they work, whereas other detectors, such as fire eyes, act more quickly. Depressurization of a fusible loop is considered to be a confirmed detection of a fire, and will automatically initiate appropriate shutdowns and activate fire protection equipment.
LOW OXYGEN DETECTORS Areas that could be flooded with nitrogen, carbon dioxide, or halon-like materials should have oxygen detectors installed. Their use is particularly important in electrical switch gear rooms because inert gases are used to suppress fires. It is vital to know if the inert gas is accidentally leaking into the confined space.
COMBUSTIBLE GAS DETECTORS Combustible gas detectors are generally installed in buildings and in the intakes to the HVAC air ducts. They can also be installed in outdoor areas that could have hydrocarbon vapor present, particularly remote areas such as truck unloading stations that may not have personnel present all the
ESCAPE ROUTES
535
time. They should always be installed in living quarters, high-value computer facilities, and offices that store vital records. They will typically have two levels of alarm: 20% LFL and 60% lower flammable limit (LFL). If multiple detectors are installed in a single location then a voting system can be installed. For example, if just one 20% alarm sounds then all hot work must stop but other work can continue as normal. If three 20% alarms or one 60% alarm sounds, then an emergency response is called for. Special types of detector will warn of the presence of hydrogen, carbon monoxide, or hydrogen sulfide.
MANUAL CALL POINTS Sometimes an emergency will be detected by a person rather than by the instrumentation. In such situations, manually activated call points (MACs) are used to declare an emergency and to activate the emergency response system. MACs are generally located at entrances to buildings and at strategic positions throughout process units, including escape routes. Each call point should be accessible from at least two different locations. The typical MAC is of the open contact “Break Glass” type, suitable for Division 1 locations. MACs should be covered with a guard to prevent inadvertent alarm activation. Alternatively, the MAC can be actuated by a pulling action (to prevent spurious trips caused by someone pushing the button by mistake). The emergency response system should tell the operators and ERT which MAC was activated.
TOXIC GAS RELEASES If someone is working outdoors and they are exposed to a toxic gas, it is generally a good idea to get indoors. As a rule of thumb the concentration of toxic gas inside a building is around a tenth of the concentration outside. In principle, were the gas release continue for a long time, the concentration of the gas in the building would eventually increase to the level outside. However, most gas releases do not go on for a long time. After the initial puff release, the amount of gas reduces, either because the inventory is exhausted or because the affected unit is isolated by the operator or by the safety instrumentation.
ESCAPE ROUTES The following guidance regarding the design and use of escape routes, particularly offshore, should be considered. •
• •
The main escape route will normally be around the outside of the facility, and should be as straight and level as possible; on large platforms, there will be parallel routes at different elevations. The escape routes should direct personnel to the primary temporary refuge (TR), with alternate routes to the lifeboat embarkation points. Escape routes should be clearly marked. Usually this is done through the use of yellow paint on the deck, with arrows pointing in the direction of the TR.
536
• •
•
CHAPTER 12 EMERGENCY MANAGEMENT
The escape routes should be well illuminated at night. The escape routes should also be provided with plenty of signs at eye level. These signs should be designed and installed so that they can be seen when visibility is impaired. They also must be illuminated so that they are visible at night (and the lights should be provided with power from an uninterruptable power supply). Any tripping hazards, such as steps from one section of deck to another, must be clearly marked.
FIREFIGHTING The most effective way to extinguish a hydrocarbon fire is to stop feeding fuel to it. This is often done with isolation valves that are located at the perimeter of the facility. These valves either stop the flow of fuel to the fire, as with remotely operated fire-safe valves in pump suction lines, or they direct the inventory of hydrocarbon to a safe location, as with emergency depressuring valves. The valves must be able to withstand the largest plausible fire radiation (this is often done by placing the valves behind an earthen wall or bund). If operators need to reach these valves during an emergency they should be provided with protected access and egress routes.
SINGLE FIRE CONCEPT The fire water system and the firefighting equipment are generally designed to handle just one major fire at a time. In other words, the design capacity of major firefighting facilities is determined by the largest single fire contingency (this is analogous to the single event scenario concept used in relief valve design). Some firefighting systems are sized to handle less significant contingencies. For instance, foam concentrate requirements are usually determined by a tank fire rather than by the worst contingency, which may be a fire in the process area.
DELUGE SYSTEMS Deluge systems are used to extinguish fires, and to dissolve, disperse, or cool flammable liquids and gases so as to minimize gas expansion and/or liquid boil off. Deluge water also cools structures to prevent deformation or collapse due to heat and can help additional leakage from flanges or connections, as well as a vessel rupture. In general, nonfireproofed vessels with liquid holdup of 3,500 liters or more should be provided with water cooling. Remote locations where a fire does not pose a significant risk to people or equipment may be an exception.
FIRE ZONES For all but the smallest facilities fire zones are used. They ensure that firefighting systems are used only in those areas that actually have a problem. Offshore platforms, e.g., are typically divided into about seven zones.
FIREFIGHTING
537
Ring main (wet)
Zone 1 Dry headers to sprinklers Pressure control deluge valve
Zone 2 Dry headers to sprinklers
Fire water pump A
Jockey pump
Fire water pump B
FIGURE 12.4 Fire protection system.
Figure 12.4 shows the use of fire zones. A ring main goes around the entire facility. It is filled with water whose pressure is maintained with a jockey pump. Connected to the ring main are multiple zones. The fire water headers in each zone are normally dry. In this example, there are two fire water pumps, each of which has sufficient capacity on its own to handle the design fire case. These pumps are placed in different locations at the facility so that, if one is destroyed, the other will provide a full flow of fire water. It is common for them to have different power supplies—in particular, one of them will be driven by a stand-alone diesel motor that operates independently of the facility’s utility systems. If a fire occurs in one of the zones a fusible link will fail, causing the pressure control deluge valve (PCDV) to open and the main fire water pumps to start. Water will flow out of the sprinkler heads in that zone only. The PCDV can also be tripped manually. Once the fire has been brought under control the system is reset. If seawater is used as deluge water, then it is important to flush the zone headers and deluge nozzles with freshwater, otherwise corrosion products will build up.
EMERGENCY MANAGEMENT
12
CHAPTER OUTLINE Introduction ........................................................................................................................................ 519 Abnormal Situation Management.......................................................................................................... 520 Human Response ................................................................................................................................ 521 Troubleshooting .................................................................................................................................. 522 Levels of Emergency ........................................................................................................................... 523 Emergency Planning............................................................................................................................ 526 Emergency Shutdown .......................................................................................................................... 530 Fire and Gas Detection ........................................................................................................................ 532 Escape Routes .................................................................................................................................... 535 Firefighting......................................................................................................................................... 536
Some of the detailed information, such as fire water systems and Personal Protective Equipment that were in the first edition of this book have been moved to the new book, Design and Operation of Process Facilities.
INTRODUCTION The focus of this book is on helping companies meet their safety, environmental, and operational goals. Yet, no matter how well designed and operated a facility may be there are times when an emergency occurs and an immediate response is required. This chapter discusses the topics of emergency management and of emergency response systems in the context of a risk and reliability management program. Emergency response falls under the broader rubric of Abnormal Situation Management (ASM), in which a variable moves from the safe range, through the area of troubleshooting, and on to a true emergency as illustrated in Figure 12.1. Process Risk and Reliability Management. DOI: http://dx.doi.org/10.1016/B978-0-12-801653-4.00012-6 © 2015 Elsevier Inc. All rights reserved.
519
520
CHAPTER 12 EMERGENCY MANAGEMENT
Emergency limit—High
310 Troubleshooting ( )
Safe limit—High
Operating limit—High
275
245
Operating range
Operating limit—Low
Safe range
235 Optimum operation (239–240)
Safe limit—Low 210 Troubleshooting ( ) Emergency limit—Low
None
FIGURE 12.1 Operating, safe, and emergency limits.
Once a process variable moves outside its normal operating range it enters the region of “trouble” (245 275 in the upper range in Figure 12.1). When a facility is in its normal operating range the system is controlled by its instrumentation; the operator usually does not have a lot to do except keep an eye on things. It is when things start to go awry, i.e., when the system runs into trouble that the skills of the experienced operators and maintenance technicians are called upon. As the system moves out of the trouble range (275 in the example), the system becomes increasingly unsafe until eventually an emergency is declared (310 in the upper range of the example; there is no lower emergency limit in this case).
ABNORMAL SITUATION MANAGEMENT ASM has been defined as “undesired plant disturbances or incidents with which the control system is not able to cope, requiring a human to intervene to supplement the actions of the control system”
HUMAN RESPONSE
521
and “The objective of ASM is to bring the process back to normal before safety-shutdown systems or other safety-protection systems are engaged” (Carpenter, 2013). The consortium has identified three items as being particularly important: 1. Better shift handover communication 2. Better alarm flood management 3. Better situation awareness through the use of overview displays using qualitative gauges They have identified “Top 10 Failure Modes across all Incidents.” Of these the top three are: 1. Hazard analysis and communication 2. Establish effective first-line leadership roles to direct personnel, enforce organizational policies, and achieve business objectives 3. Establish an effective and comprehensive program to continuously improve the impact of people, equipment, and materials on plant productivity and reliability. Although the above topics are worthy to be emulated, they are very general in nature and provide little practical guidance to the managers who are actually running a facility.
HUMAN RESPONSE Emergency response always involves people. Therefore, it is important to understand how people respond during an emergency and how they should be trained, especially as the manner in which they behave during an emergency is likely to be quite different from their normal behavior.
HUMAN ERROR RATE When a situation is out of control and people are scared or panicky, their error rate is likely to be in the 10% 20% range, or higher. This means that, if an untrained person is asked to carry out five actions and a success rate of 80% for each action is assumed, then the probability of overall success is 0.85 or 33%. In other words, that person will most likely fail to execute the tasks properly. Instruments and mechanical equipment items, on the other hand, are not subject to emotional pressures, which is why it is usually best to rely on them during an emergency. The high error rate that most people exhibit during an emergency can be reduced by making sure that good emergency procedures are in place and by conducting as many drills as possible so that operating personnel have experience of what a real emergency may look like.
FIXATION During an emergency, people are often overloaded with urgent information. Consequently, they may tend to “fixate” on just one or two items, even if these items are only a minor part of the overall story. The situation will further deteriorate, if it turns out that an instrument signal on which the operator was fixated was wrong. Then, he or she will take actions that will exacerbate the situation. (Fixation on an incorrect signal was a factor in the accident at the Three-Mile Island nuclear power plant.)
522
CHAPTER 12 EMERGENCY MANAGEMENT
HEROISM AND BUDDY LOYALTY In many plants, there is a general rule that anyone who is not part of the emergency response team (ERT) should always move away from an emergency situation, not toward it. In practice, people sometimes feel compelled to take “heroic” action—thus violating this rule. One reason they do so is to protect or save a colleague who has been hurt. Such loyalty can lead to inappropriate action. For example, if someone is knocked down by fumes his buddy may go into the situation to rescue him without wearing the proper breathing gear. As a result there could be two people overcome by the fumes. The buddy should summon help as quickly as possible but not put himself in danger. A situation such as this occurred on a refinery. A supervisor had been over the isomerization unit for a few years, so he knew that unit very well indeed. However, some months prior to the incident he had been transferred to another department within that refinery. One morning he was walking past the isomerization unit on a routine task to collect environmental information. Suddenly, without any type of warning, a pump on the unit blew a seal and a large cloud of butane vapor was emitted. A fired heater was located nearby. If the butane cloud had lit off, a catastrophic explosion and fire would have occurred. The supervisor was faced with an immediate decision: (1) Should he run up to the pump, shut it down, and block it in and start the spare pump? Or (2) Should he move quickly to the control room, report the situation, and have them take the appropriate, formal action? In this case, the supervisor chose the first route, i.e., he decided to run to the pump and bring it to a safe condition and keep the facility running with the spare pump. Yet this was probably the wrong decision. After all, if the leak had lit off while he was taking those actions he would most likely have been killed or grievously injured. It is important to stress that the above comment is not a criticism of the person involved. After all, no one knows what they will do in an emergency. But the situation does stress the importance of going through drills and simulations so as to maximize the probabilities that correct actions will be taken.
TROUBLESHOOTING Troubleshooting has been defined as “the search for the hidden cause or causes that leads to inadequate performance.” A troubleshooting response is appropriate when there is no anticipated danger to personnel and when there is little chance of any significant equipment damage; usually the main concerns are about product quality, production rates, productivity, and equipment repair costs. Examples of “trouble” include: • • • • •
Product quality problems Erratic machinery performance Preparation for extreme weather conditions such as hurricanes or ice storms Minor environmental problems Reduced yields of raw materials and/or increased energy consumption
One of the most important decisions that an operator has to make when an abnormal operation occurs is to determine whether or not the situation with which he is faced represents “trouble” or an “emergency.” This decision often has to be made quickly and under considerable pressure. For this reason, knowledge of safe limits for all critical parameters (Figure 12.1) is vital.
LEVELS OF EMERGENCY
523
If the operator were to handle an emergency as if it were only an operational problem the consequences could, of course, be very serious. However, the opposite situation can be almost as bad. If he erroneously decides that trouble is an emergency not only will his subsequent actions lead to unnecessary production and productivity losses, but they may actually create an emergency. For example, tripping a motor-operated valve to its closed position in response to a misdiagnosis of an emergency can cause hydraulic and thermal shocks in other parts of the process that might cause an upstream flange to spread, leading to a release of toxic or flammable chemicals.
LEVELS OF EMERGENCY An emergency response can be divided into three phases: 1. The system is at or near the emergency limits, but the operators and supervisors believe that they are able to return the plant to normal conditions using normal operating procedures and techniques. It is critical that they understand the exact nature of the problem if they are to be successful in this. Many accidents would have been less severe had the operators not tried to “fight” the situation, but simply shut down the facility in an orderly manner. (On the other hand, a full facility shutdown is not always the best response to an incipient emergency because doing so increases the number of actions that the operator has to perform, and can stress many equipment items. The advantage of keeping the unit running is that the operators can concentrate on correcting the emergency situation. They do not have to simultaneously cope with bringing down all the other equipment in a safe manner. Moreover, the avoidance of a full shutdown means that the unit can be brought back online relatively quickly with minimal production loss). 2. The second phase of an emergency occurs when the safety instrumented system and other high reliability, automated devices (including relief valves) take over. At this point in time the role of the operator is simply to secure the unit as it shuts down. 3. In the third phase of an emergency, the situation is out of control. There may be a large fire or chemical release to contend with. The full emergency response system is needed to minimize injuries, environmental damage, and loss of equipment. Figure 12.2 provides more detail about what to do with the third phase. It shows the ways in which emergencies can be initiated, along with the appropriate levels of response.
CAUSE OF EMERGENCY At the top of Figure 12.2 are the possible causes of an emergency: either an internal event such as the failure of a pump seal leading to a major fire, or an external event such as a lightning strike or an explosion at an adjacent facility. These initiating events can be identified, listed, and analyzed when conducting hazards analyses and preparing a risk management plan. Factors to be considered when identifying potential accident scenarios include the location of a release, its magnitude, wind direction, and the number of people who may be in the area at the time of the release. It can be useful to model some of the scenarios, particularly the release of hazardous chemicals so that, if the accident actually does occur, the emergency responders will have some idea as to the size of the incident with which they may be expected to cope. Some companies even have online
524
CHAPTER 12 EMERGENCY MANAGEMENT
Internal initiating event
External event
Emergency operations Local emergency response General emergency response Recovery operations Investigation/ follow-up
FIGURE 12.2 Levels of emergency.
models that are available in real time. Then, if there is a release of that chemical, the response team can provide the modelers with current information so that a real-time prediction as to the magnitude of the incident can be developed. It is important to identify any chemicals that require special treatment during the course of an emergency. For example, the use of water on some chemicals may cause them to ignite. Chemicals such as these will need their own special means of response. A complicating factor is that most emergencies do not occur in isolation. Usually, there is a whole host of events going on at once. For example, the immediate emergency may be hydrocarbon overflowing from a tank. However, the cause of the overflow may have been the loss of electrical power to the site. That loss of power may also have compromised the firefighting capability of the ERT, or it may have led to a degradation of the internal communications channels. Moreover, if the spilled liquid were to ignite, the subsequent fire could burn through a critical utility header. Environmental events, such as earthquakes, are particularly prone to creating multiple, simultaneous emergency situations. For example, the earthquake that causes lines and vessels to rupture may also break the fire water header, thus placing the ERT in a less than enviable position.
EMERGENCY OPERATIONS The first level of response can be termed “emergency operations.” A line operator or maintenance technician notices that an emergency situation is developing and quickly responds to bring the
LEVELS OF EMERGENCY
525
system to a safe condition. For example, if a pump seal fails and flammable hydrocarbon liquids are being sprayed into the air, the operator will usually shut down and block in the pump, hose down the area, get the spare pump started, and call in maintenance to repair the failed seal. The emergency condition has been identified and corrected within just a few minutes. If immediate operating response is not sufficient, the operator can shut down sections of the unit so that the affected equipment can be repaired. Procedures to do with emergency operations and shutdown tell the operator how to do this without causing any further damage and without jeopardizing other units. Once more, the facility remains in operation. As a general rule, sources of heat such as fired heaters and steam reboilers should be shut down as an emergency develops. Cooling systems should continue to operate because they remove heat from the system. Utilities, such as the steam and air supplies, should remain in operation in order to retain control of the equipment that is still in operation. If there is a major accident, an accurate head count will determine if anyone needs rescuing. Therefore, the facility managers must always know how many people are on the site at any one time. For larger facilities, they should also know roughly where those people are within the facility. If key-swipe cards are used, barriers can be placed between major operating sections so that a person’s location is always roughly known. The persons responsible for running the unit should always know how many people are on the site at any one time. For larger facilities, they should also know roughly where those people are within the facility.
LOCAL EMERGENCY RESPONSE If an operator or maintenance technician recognizes that the situation is out of control and cannot be addressed through emergency operations, he or she can declare an emergency. With regard to the leaking pump seal the operator may not be able to get near the pump due to fumes in the area or because he feels that doing so would put him in danger. Therefore, he calls in the facility’s own ERT. The personnel on this team will be trained in the handling of emergencies, and they will be issued with the appropriate equipment and protective clothing.
GENERAL EMERGENCY RESPONSE If the situation becomes too large for the ERT to handle then they can call for help from outside organizations, including the local fire department, ambulance services, and other facilities in the area. The emergency plan must take into account the fact that these people are not familiar with the particular process where the emergency has occurred. Where possible, these outside agencies should have the opportunity of training with the plant ERT. In large industrial centers, such as the Texas Gulf Coast, the various plants coordinate their emergency response efforts in a mutual support system. So, if a facility has a fire and needs additional firefighting trucks, they will be supplied by neighboring units. If the incident is bad enough, there will be a ripple effect of emergency equipment moving toward the affected site from dozens of miles. It is important that the press and the public be informed of what is going on at the site, particularly if anyone is in any danger. Facility management should take the initiative when communicating with the public, and they should be open and as forthright as possible (given that there will be
526
CHAPTER 12 EMERGENCY MANAGEMENT
a good deal of uncertainty in the early stages of the response to an emergency). Telephone lines and other links for public communication must be available, and they must have sufficient capacity that they do not become jammed with unnecessary calls.
RECOVERY OPERATIONS As soon as the site is secure, and there is no danger to anyone, recovery of equipment and chemicals can start. At this time, the plant may contain many unexpected hazards, such as the danger of being struck by falling equipment that has had its foundations weakened by fire. Or there may be pockets of spilled chemicals in unexpected places. Some equipment may be contaminated with hazardous chemicals, and may need to be specially treated before it can be returned to service, or before the operators or maintenance personnel can use it.
INVESTIGATION AND FOLLOW-UP If the incident is serious, an investigation as to its cause will start as soon as everyone is out of danger. It is particularly important to find out what happened if there are reasons to believe that it could happen again, maybe at another site.
EMERGENCY PLANNING Once the nature of potential emergencies has been identified and analyzed, an emergency plan is needed.
ORGANIZATION AND PERSONNEL Each facility should have a special organizational structure for emergency response. There should be a single Incident Commander, who is in complete charge of the facility during the course of the emergency, and who directs an ERT; everyone else on the unit, including the normal management, report to the commander. The normal chain of command is bypassed until the emergency is over. The Incident Commander does not have to be a senior manager. The management skills required to run the plant on a day-to-day basis differ from those needed during an emergency. Therefore, line management may choose to assign this responsibility to someone else, probably a shift supervisor or a unit superintendent. An emergency command headquarters should be set up with communications equipment and bunker gear for the ERT members. The Emergency Plan must identify all the equipments that the emergency responders have and the equipments that they need to do their work properly. A map showing the location of fire hydrants, hose reels, safety showers, and other emergency equipment is needed.
EMERGENCY RESPONSE MANUAL Table 12.1 provides an example of a Table of Contents for an Emergency Response Manual.
EMERGENCY PLANNING
Table 12.1 Emergency Response Manual: Representative Table of Contents • • • •
• • • • • • • • • •
• • • • • • • • • • •
• • • • • • • • • • • •
Introduction Emergency Operations Initiating an Alarm Response to Alarm in Other Areas • Use of Fire Monitors • Use of Fire Extinguishers Evacuation Procedures Adverse Weather Conditions High Water/Floods Command Headquarters Equipment and Clothing Equipment Failure Line Break Hose Break Excessive Flaring Loss of Utilities • Loss of Cooling Water • Loss of Steam • Loss of Control Central • Loss of Instrument Air • Loss of Plant Air • Loss of Nitrogen External Coordination Other Facilities in the Area Equipment Suppliers Fire Department Police Department Regulatory Agencies Emergency Shutdown When to Shutdown Sequence of Actions Responsibility for Emergency Shutdown Post-Emergency • Cleanup following a Spill • Decontamination Reference Material Alarm Codes Area Responsibilities Description of the Fire Water Header Telephone List Fire/Police/Ambulance Coordination Mutual Aid List Emergency Organization Emergency Control Center Emergency Drills System Test and Maintenance Terrorist/Security Threats
527
528
CHAPTER 12 EMERGENCY MANAGEMENT
EMERGENCY PROCEDURES Emergency procedures differ from normal operating and troubleshooting procedures in the following ways: • • •
They should be short and to the point. Ideally, the emergency procedures should be memorized—there is no time for reading books or manuals during an emergency. They should not require complex decision making. Because there is an almost infinitely wide range of accidents that might occur, the emergency procedures have to be flexible. Yet, because time is of the essence, the procedures also need to be rigid, short, and precise. In practice, a procedure will be written to address a general problem, such as a hydrocarbon fire. The operators and emergency responders then need to be trained to use that procedure as the basis of their specific response. Most facilities have three types of emergency procedures:
1. Emergency Operating Procedures that describe how to run the plant when an emergency situation has been declared (say on another unit). 2. Emergency Shutdown (ESD) Procedures that describe how to conduct a crash shutdown, usually as the consequence of a fire or explosion. 3. Emergency Response Procedures that describe a site-wide response to an emergency that is affecting more than one unit. When writing emergency procedures it is important to make sure that they focus on bringing the facility to a safe state, at which time management and the operators can decide on the next step. It is tempting to turn an emergency procedure into an “Emergency Response and Restart” procedure. The danger with such an approach is that the operators may be tempted to restart before the facility has been secured, and before everyone understands what caused the ESD in the first place. Emergency operating procedures can be written in the same manner as normal operating procedures. Figure 12.3 is an example of an emergency procedure module. It uses the same format as shown for normal operating procedures. However, the “Response/Discussion” column has been eliminated because action must be immediate and unambiguous.
EMERGENCY RESPONSE TRAINING Although emergency procedures have to be written, they differ from normal procedures in one major respect: they are not likely to be used at the time of the event that they cover because, as already pointed out, technicians are not likely to have time to read a manual during an emergency. With regard to normal operations, if an operator is starting a pump, say, and has some concerns as to what to do, he can stop the operation, go to the manual, and find out what he is meant to do before taking further action. In an emergency, the operators and emergency responders must know what to do right away. In other words, they need to be trained in the use of the manual, and to drill as wide a variety of scenarios as possible. Another reason for the importance of training for emergencies is that, during an emergency, operators are going to behave on instinct, and to make snap decisions. For example, on one facility
EMERGENCY PLANNING
Module Name Module Number Person
529
Emergency Shutdown of F-6301, Recycle Fired Heater U.200.5.63
March 3, 2011
Action
1
#1 Technician
Sound the emergency alarm
2
#2 Technician
Turn off the burners
3
#2 Technician
Block in the feed at FCV-6303 (see picture)
4
#2 Technician
Stop steam to: 100-EX-11 100-EX-12 100-EX-25
5
#2 Technician
Isolate the following tanks at the tank farm T-101 T-101A T-369
6
#1 / #2 Technician
Follow normal shutdown procedures for F-6303 (Module U200.2.12)
FIGURE 12.3 Emergency response module.
a pump seal started leaking a flammable hydrocarbon. A supervisor from another unit was walking by. He instantly decided to walk quickly up to the pump, shut it down, and block it. He then reported his actions to the control room (which was close by). They started the spare pump, and returned the plant to normal operations within a few minutes. The supervisor’s quick response prevented a potentially catastrophic fire from starting. Nevertheless, he probably made the wrong decision. If the pump had caught fire while he was near it, he could have been killed or seriously injured. Probably his best response would have been to report to the control room that a pump was leaking, and have the unit operators shut down the pump in an orderly manner. The essential point was that he had not been trained in how to handle this situation so he made a snap decision. It would have been much better if that facility had trained everyone on what to do in the event of an unexpected pump seal leak, and then held some drills on the topic.
COMMUNICATIONS Coordination of the numerous activities involved in controlling a large fire requires a reliable means of communication. This is best accomplished with a dedicated emergency radio channel that
530
CHAPTER 12 EMERGENCY MANAGEMENT
provides rapid communication. Messengers should also be available to maintain communications should the radio system go down. It is also necessary to develop a plan for communicating with the public and outside agencies, as discussed by Wilson (1992).
EMERGENCY SHUTDOWN If a facility does suffer from a loss of containment due to a large leak from a valve, the rupture of a vessel or pipe, or the overflow of a tank, then an ESD sequence should be initiated. An ESD may also be initiated if the process has deviated outside its safe range and it is not being brought back to a safe condition in a timely manner. The response to emergency situations is often controlled by the Safety Instrumentation System and its associated Safety Integrity Levels (SILs).
ESD HIERARCHY An ESD is generally a hierarchical system that can perform a range of shutdowns from local to global depending on the extent of the emergency encountered. Table 12.2 provides an example of the level of shutdown that can be followed, depending on the severity of the emergency. For each level it is assumed that the actions of the level before it has taken place. A printer should record all the actions taken during an emergency, including: • • •
The sequence of events both before and following a trip All the operator actions, systems alarms, system input, and output status Color prints of graphic screens.
SHUTDOWN ZONES The philosophy for determining the number and extent of shutdown zones should include an evaluation of the maximum permissible inventory of various fluids in any one zone. This will be an output from a risk assessment. The defined quantities are likely to be different for onshore and offshore facilities. The following should be considered for the analysis: • • •
Areas containing significant flammable gaseous inventory Areas containing significant toxic gaseous inventory Equipment items containing significant hydrocarbon inventory.
For vessels containing large inventories of liquid hydrocarbon or liquids above their autoignition temperatures (AIT), emergency isolation facilities should be provided. An emergency isolation valve should be provided on a vessel or column liquid outlet when inventories of flammable materials exceed values such as those shown in Table 12.3. More stringent inventory limits may apply offshore.
EMERGENCY SHUTDOWN
531
Table 12.2 ESD Hierarchy Level
Typical Causes
Suggested Actions to be Taken
1 Unit shutdown
• Deviation outside safe limits that cannot be brought under control • Automatic shutdown
• • • •
2 Process shutdown
• Loss of a utility such as instrument air, hydraulic pressure, electrical power • Hi-hi level in a flare knockout drum or scrubber
• Shutdown all process equipment • Shutdown all chemical injection • Offshore: shut subsea production valves
3 Emergency shutdown
• • • •
Manual ESD Automatic ESD Fire or explosion Confirmed toxic gas detection in a nonhazardous area
• Close all ESD valves • Open all blowdown valves • Shut down all electrical equipment apart from life-support systems • Start fire water pumps, emergency generators • A read-only communications link should exist between the ESD and plant control systems to allow the display of alarm and status information to the operator However: • Continue power generation but switch from fuel gas to diesel until the diesel day tanks are empty
4 Facility abandonment (offshore)
Can be initiated manually from the Central Control Room or from selected, strategically located manual stations such as the helideck or lifeboat stations Only authorized personnel should initiate this action
• Total shutdown However, the following will remain operational: • Emergency lights • Navigational lights (offshore) • Public address and alarm systems • Diesel fire water pumps
Production shutdown Localized equipment shutdown Shutdown of packaged equipment Depressurization/blowdown (with a 1 minute delay timer to allow for operator override) However: • Where possible, other units will be kept running • Utility systems may be kept running
SYSTEM RESET Once the emergency is over, and assuming that the facility is fit for operation, a restart sequence has to be initiated. Generally, this means that all individual field inputs will have to be reset before the overall field reset can be applied.
532
CHAPTER 12 EMERGENCY MANAGEMENT
Table 12.3 Vessel Content Limits (Typical) Vessel Content
Inventory at Normal Liquid Level
LPG
.4 tonnes
Hydrocarbons above AIT
.5 tonnes
General hydrocarbons
.30 tonnes
FIRE AND GAS DETECTION The best response to an emergency is to know about it as soon as possible, which means that instruments for detecting fire and/or gas releases should be provided in all sections of the facility. The signals will go to a central fire and gas detection system, which will call for the appropriate response to the alarm (either from the operators or the automatic instrumentation). Responses can include: • • • • • •
Providing warning to the operators so that can start manual firefighting immediately. Providing an alarm to workers in specific areas so that they can evacuate those areas. Starting fixed fire suppression systems and special systems such as CO2 deluge. Shutting down Heating, Ventilating and Air Conditioning System (HVAC) and electrical systems. Starting fire water pumps in standby mode. Initiating a partial or facility-wide shutdown.
A fire or gas alarm will be communicated through audible alarms, usually supplemented by a public address system. In high noise areas (80 dBA and greater) visible strobes can also be provided.
FIRE DETECTION Fire detection systems used in the process industries are listed in Table 12.4, along with a summary of the advantages and disadvantages of each.
FIRE EYES/FLAME DETECTORS A fire eye or flame detector detects the radiation from a flame. It requires line-of-sight capability— there must be no blockages between the instrument and the potential fire locations. A fire eye’s field of vision usually covers a larger area than that of a heat detector, but it will not detect a smoldering fire as quickly as some smoke detectors. Flame detectors are not affected by air flow characteristics. They are suitable for inside or outside use, but they must be shielded from external sources of ultraviolet or infrared radiation such as welding arcs, lightning, or radiating black bodies such as hot engines or manifolds. Ideally, the fire detection system should have more than one fire eye detecting a fire so that false alarms can be weeded out. Flame detectors can be installed inside the enclosures of all engine-driven equipment; including turbine-driven generators, compressors, and emergency and essential generators.
FIRE AND GAS DETECTION
533
Table 12.4 Fire Detection Systems Type
Advantages
Disadvantages
Applications
Fire eye (ultraviolet)
High speed High sensitivity Moderate cost
Potential for false alarms Blinded by thick smoke
Outdoors or indoors
Fire eye (infrared)
High speed Moderate sensitivity Easy to test manually Moderate cost
Affected by temperature Subject to false alarms from the many other sources of IR radiation
Outdoors or indoors
Smoke detectors (ionization)
Detects smoldering fires Low cost
Easily contaminated Affected by the weather
Indoor use
Smoke detectors (photoelectric)
Detects smoldering fires Low cost
Easily contaminated
Indoor use
Thermal/heat detectors
Reliable Low cost
Slow Affected by the wind
Indoor use
Rate of heat rise detectors
Self-adjust for temperature and ambient conditions Rapid detection of growing fire
Affected by the wind
Indoor use
Fusible links
Does not need electricity High reliability Low cost
Very slow Heat must impinge
Outdoors or indoors
Low oxygen detectors
Warn of accidental release of inert gas
Do not warn of fire directly
Indoors—especially in confined spaces
Combustible gas detectors
Warning occurs before the fire starts
Require more than one instrument to confirm a release
Outdoors or indoors. Can be portable
Manual call points
Does not rely on instrumentation
Likely to be slow False alarms possible
Outdoors and at key locations indoors
Older types of fire eye detector, which worked in the ultraviolet range, sometimes had difficulty distinguishing between the fire radiation and other sources of radiation, such as that from a lightning bolt. Modern detectors, many of which use infrared, generally do not suffer from this defect.
SMOKE DETECTORS Smoke detectors are particularly useful in those situations where the fire is likely to generate a substantial amount of smoke before temperature changes are sufficient to actuate a heat detection system and before a fire eye will detect a flame. Smoke detectors use a photoelectric beam between a receiving element and light source. If smoke obscures the beam an alarm is sounded. There are
534
CHAPTER 12 EMERGENCY MANAGEMENT
also refraction-type models that measure the light changes that occur within the instrument when smoke particles enter it. Area smoke detectors are generally installed in buildings and accommodation areas. Where this is not practical—say in the galley area—other types of fire detector should be used. Actuation of a single smoke detector will initiate a fire alarm. If additional detectors sound an alarm, the equipment in the area of the fire and HVAC systems will be shut down.
HEAT DETECTORS Heat detecting devices fall into two categories: those that respond when the detection element reaches a predetermined temperature (fixed-temperature types) and those that respond to an increase in temperature at a rate greater than some predetermined value (rate-of-rise types). The two types can be combined into a single instrument. They are generally installed when the use of smoke detectors is not practical, or as a backup to smoke detectors. They are used in the following locations: • • • • •
Engine-driven equipment enclosures Living spaces Maintenance workshops and laboratories Machinery and pump rooms Electrical rooms.
Actuation of a single thermal fire detector can be considered a confirmed fire condition, resulting in actuation of appropriate shutdown and fire protection actions.
FUSIBLE LINKS Fusible links are made of low melting point materials designed to vent pneumatic systems as the fire melts the link. The depressurization can open fire deluge valves. Fusible links are very reliable, but they do require that the fire be well under way before they work, whereas other detectors, such as fire eyes, act more quickly. Depressurization of a fusible loop is considered to be a confirmed detection of a fire, and will automatically initiate appropriate shutdowns and activate fire protection equipment.
LOW OXYGEN DETECTORS Areas that could be flooded with nitrogen, carbon dioxide, or halon-like materials should have oxygen detectors installed. Their use is particularly important in electrical switch gear rooms because inert gases are used to suppress fires. It is vital to know if the inert gas is accidentally leaking into the confined space.
COMBUSTIBLE GAS DETECTORS Combustible gas detectors are generally installed in buildings and in the intakes to the HVAC air ducts. They can also be installed in outdoor areas that could have hydrocarbon vapor present, particularly remote areas such as truck unloading stations that may not have personnel present all the
ESCAPE ROUTES
535
time. They should always be installed in living quarters, high-value computer facilities, and offices that store vital records. They will typically have two levels of alarm: 20% LFL and 60% lower flammable limit (LFL). If multiple detectors are installed in a single location then a voting system can be installed. For example, if just one 20% alarm sounds then all hot work must stop but other work can continue as normal. If three 20% alarms or one 60% alarm sounds, then an emergency response is called for. Special types of detector will warn of the presence of hydrogen, carbon monoxide, or hydrogen sulfide.
MANUAL CALL POINTS Sometimes an emergency will be detected by a person rather than by the instrumentation. In such situations, manually activated call points (MACs) are used to declare an emergency and to activate the emergency response system. MACs are generally located at entrances to buildings and at strategic positions throughout process units, including escape routes. Each call point should be accessible from at least two different locations. The typical MAC is of the open contact “Break Glass” type, suitable for Division 1 locations. MACs should be covered with a guard to prevent inadvertent alarm activation. Alternatively, the MAC can be actuated by a pulling action (to prevent spurious trips caused by someone pushing the button by mistake). The emergency response system should tell the operators and ERT which MAC was activated.
TOXIC GAS RELEASES If someone is working outdoors and they are exposed to a toxic gas, it is generally a good idea to get indoors. As a rule of thumb the concentration of toxic gas inside a building is around a tenth of the concentration outside. In principle, were the gas release continue for a long time, the concentration of the gas in the building would eventually increase to the level outside. However, most gas releases do not go on for a long time. After the initial puff release, the amount of gas reduces, either because the inventory is exhausted or because the affected unit is isolated by the operator or by the safety instrumentation.
ESCAPE ROUTES The following guidance regarding the design and use of escape routes, particularly offshore, should be considered. •
• •
The main escape route will normally be around the outside of the facility, and should be as straight and level as possible; on large platforms, there will be parallel routes at different elevations. The escape routes should direct personnel to the primary temporary refuge (TR), with alternate routes to the lifeboat embarkation points. Escape routes should be clearly marked. Usually this is done through the use of yellow paint on the deck, with arrows pointing in the direction of the TR.
536
• •
•
CHAPTER 12 EMERGENCY MANAGEMENT
The escape routes should be well illuminated at night. The escape routes should also be provided with plenty of signs at eye level. These signs should be designed and installed so that they can be seen when visibility is impaired. They also must be illuminated so that they are visible at night (and the lights should be provided with power from an uninterruptable power supply). Any tripping hazards, such as steps from one section of deck to another, must be clearly marked.
FIREFIGHTING The most effective way to extinguish a hydrocarbon fire is to stop feeding fuel to it. This is often done with isolation valves that are located at the perimeter of the facility. These valves either stop the flow of fuel to the fire, as with remotely operated fire-safe valves in pump suction lines, or they direct the inventory of hydrocarbon to a safe location, as with emergency depressuring valves. The valves must be able to withstand the largest plausible fire radiation (this is often done by placing the valves behind an earthen wall or bund). If operators need to reach these valves during an emergency they should be provided with protected access and egress routes.
SINGLE FIRE CONCEPT The fire water system and the firefighting equipment are generally designed to handle just one major fire at a time. In other words, the design capacity of major firefighting facilities is determined by the largest single fire contingency (this is analogous to the single event scenario concept used in relief valve design). Some firefighting systems are sized to handle less significant contingencies. For instance, foam concentrate requirements are usually determined by a tank fire rather than by the worst contingency, which may be a fire in the process area.
DELUGE SYSTEMS Deluge systems are used to extinguish fires, and to dissolve, disperse, or cool flammable liquids and gases so as to minimize gas expansion and/or liquid boil off. Deluge water also cools structures to prevent deformation or collapse due to heat and can help additional leakage from flanges or connections, as well as a vessel rupture. In general, nonfireproofed vessels with liquid holdup of 3,500 liters or more should be provided with water cooling. Remote locations where a fire does not pose a significant risk to people or equipment may be an exception.
FIRE ZONES For all but the smallest facilities fire zones are used. They ensure that firefighting systems are used only in those areas that actually have a problem. Offshore platforms, e.g., are typically divided into about seven zones.
FIREFIGHTING
537
Ring main (wet)
Zone 1 Dry headers to sprinklers Pressure control deluge valve
Zone 2 Dry headers to sprinklers
Fire water pump A
Jockey pump
Fire water pump B
FIGURE 12.4 Fire protection system.
Figure 12.4 shows the use of fire zones. A ring main goes around the entire facility. It is filled with water whose pressure is maintained with a jockey pump. Connected to the ring main are multiple zones. The fire water headers in each zone are normally dry. In this example, there are two fire water pumps, each of which has sufficient capacity on its own to handle the design fire case. These pumps are placed in different locations at the facility so that, if one is destroyed, the other will provide a full flow of fire water. It is common for them to have different power supplies—in particular, one of them will be driven by a stand-alone diesel motor that operates independently of the facility’s utility systems. If a fire occurs in one of the zones a fusible link will fail, causing the pressure control deluge valve (PCDV) to open and the main fire water pumps to start. Water will flow out of the sprinkler heads in that zone only. The PCDV can also be tripped manually. Once the fire has been brought under control the system is reset. If seawater is used as deluge water, then it is important to flush the zone headers and deluge nozzles with freshwater, otherwise corrosion products will build up.