CHAPTER 3
Philosophy of Protection Principles
Hbk of Fire and Explosion Protection, http://dx.doi.org/10.1016/B978-0-323-31301-8.00003-9 © 2014 Elsevier Inc. All rights reserved.
Handbook of Fire and Explosion Protection Engineering Principles

There are basically four major areas that influence how a facility will be protected: legal, financial, management accountability, and moral or ethical. Legal concerns meeting the regulations and rules that apply to the facility. Financial concerns maintaining a viable and profitable facility even if an incident occurs. Management accountability deals with the responsibility for safety that the senior authority places on the organization and for which the organization is held accountable. Finally, there are social and moral issues: if an incident occurs, it affects the personal integrity of individuals and the prestige of the organization. Each of these areas has various features, and all of them interact, based on management direction, to form a hierarchy for a philosophy of protection that can be identified for a facility. The risk management techniques of the organization should be defined before any considerations of the philosophy of protection needs for a facility are identified. An organization that is capable of obtaining a high level of insurance coverage at very low expense, even though it may have risks, may opt to have a limited outlay for protection measures since it is not cost effective. In reality this would probably never occur, but it serves to demonstrate influences in a corporate approach to protection levels and risk acceptance criteria.

The protection of petroleum facilities follows the same overall philosophy that would be applied to any building or installation. The basic requirements are emergency evacuation, containment, isolation, and suppression. Since these are design features that cannot be immediately brought in at the time of an incident, they must be adequately provided as part of the original facility design. What constitutes adequate is the definition that the fire, risk, and loss professions must be able to advise upon.
3.1. LEGAL OBLIGATIONS
Two federal US agencies (OSHA and EPA) have major legal requirements for the management of process safety. These are identified below.
3.1.1 Occupational Safety and Health Administration (OSHA)
The OSHA Process Safety Management (PSM) regulation, 29 CFR 1910.119, requires a comprehensive set of plans, policies, procedures, practices, and administrative, engineering, and operating controls designed to ensure that barriers to major incidents are in place, in use, and effective. Its emphasis is on the prevention of major incidents rather than specific worker health and safety issues. PSM focuses its safety activities on chemical-related systems, such as chemical manufacturing plants, wherein there are large piping systems, storage, blending, and distributing activities.
3.1.2 Environmental Protection Agency (EPA)
Under the authority of section 112(r) of the Clean Air Act, the Chemical Accident Prevention Provisions (40 CFR Part 68) require facilities that produce, handle, process, distribute, or store certain chemicals to develop a Risk Management Program, prepare a Risk Management Plan (RMP), and submit the RMP to the EPA. Covered facilities were initially required to comply with the rule in 1999. Additionally, the Emergency Planning and Community Right-to-Know Act (EPCRA) of 1986, which defines industrial chemical reporting requirements, dictates that facilities must report the storage, use, and release of certain hazardous chemicals. It was created to help communities plan for emergencies involving hazardous substances. EPCRA has four major provisions: one addresses emergency planning and the other three outline chemical reporting.
3.2. INSURANCE RECOMMENDATIONS
All insurance companies provide property risk engineers or inspectors to evaluate their insured risks for high value properties or operations. So in reality, a basic standard level of protection is probably maintained in the industry. All the major oil companies have high levels of self insurance and usually high deductibles. Their insurance coverages are also typically obtained in several financial layers from different agencies with considerable options, amendments, and exclusions, so hopefully no individual insurer would be in financial peril from a single major incident. A general level of loss prevention practices is considered prudent both by insurers and petroleum companies, so overall all facilities are required to meet the corporate protection standard. In fact, the insurance premium is normally based on the level of risk for the facility after an insurance engineer has "surveyed" its facilities. Isolated cases may appear where fewer fixed protection systems are provided in favor of manual fire fighting capabilities, but the general level of overall loss prevention or risk is maintained. Insurers will also always make recommendations for loss prevention improvements where they feel the protection levels are substandard and the risk high. Where they feel the risk is too high, they may refuse to underwrite certain layers of insurance or charge substantial additional premiums for reinsurance requirements.
3.3. COMPANY AND INDUSTRY STANDARDS
Both the industry and companies have safety standards for the protection of process industries. The industry standards are considered guidelines and are useful for companies to base their own particular standards on. The major industry standards include API Recommended Practices, NFPA Fire Codes, and CCPS guidelines (see Figure 3.1).
3.3.1 General Philosophy
In general, the fire and explosion protection engineering philosophy for petroleum, chemical, and related facilities can be defined by the following objectives (listed in order of preference):
1. Prevent the immediate exposure of individuals to fire and explosion hazards. No facility should be designed such that an employee or member of the public could be immediately harmed if they were exposed to the operation (e.g., heat radiation from flaring should be placed so no effects will occur outside the specified area).
2. Provide inherently safe facilities. Inherently safe features at a facility provide for adequate spacing of high risks from other areas, and for the arrangement and segregation of high hazard from low hazard risks. The least hazardous process system should be selected and installed for obtaining the desired product or production objectives. Protective systems are provided to minimize the effects that may occur from a catastrophic incident.
3. Meet the prescriptive and objective requirements of governmental laws and regulations. All international, national, and local laws or regulations are to be complied with, in both prescriptive requirements and underlying objectives. Laws are provided to achieve the minimum safeguards that are required by a society to exist without excessive turmoil. Industry must abide by these laws in order to have a cohesive operation without fear of legal mandates.
4. Achieve a level of fire and explosion risk that is acceptable to the employees, the general public, the allied industry, local and national government, and the company and its stakeholders. Although a facility could conceivably be designed that would comply with all laws and regulations, if the perception exists that the facility is unsafe, it must be altered or assessed to provide for a facility that is technically judged safe by recognized experts, the industry, and the general public.
5. Protect the economic interest of the company for both short- and long-term impacts. The prime objective of a business is to provide a positive economic return to the owners. Therefore the economic interest of the owners should be protected for long and short range survival without fear of a potential loss of earnings.

Figure 3.1 Major influences on plant design for safety (influences shown: Legal Requirements, Financial Responsibility, Moral & Ethical, Management Accountability, Industry Codes & Guidelines, Insurance Evaluations, Company Policies & Standards; central element: Plant Design for SAFETY).
6. Comply with an organization's policies, standards, and guidelines. An organization's policies, standards, and guidelines are promulgated to provide guidance in the conduct of the specific business in an efficient and cost-effective manner without fear of unexpected incident losses.
7. Consider the interest of business partners. Where a consortium may exist, the economic interest of the partners must be considered, and their management usually requires approval of the risk involved in the venture.
8. Achieve a cost effective and practical approach. The safety and protection of a facility does not necessarily need to involve highly expensive and elaborate protective systems. All that is required or desired is a simple, practical, and economic solution to achieve a level of safety that is commensurate with the level of risk and is acceptable to all interested parties.
9. Minimize space (and weight if offshore) implications. Usually, the most expensive initial investment of any capital project is the investment in space to provide a facility. For both onshore and offshore facilities, the amount of space a facility occupies typically corresponds directly to increased capital costs, but this consideration should be balanced with the need for adequate separation, segregation, and arrangement of protection design principles.
10. Respond to operational needs and desires. To provide effective process safety features, these features should also be effective operational features. Providing safeguards that are counterproductive to operations may cause the exact opposite of safety to occur, since operations may override or bypass the safeguard for ease of operational convenience.
11. Protect the reputation and prestige of the company. Public perception of a company lowers if it is involved in a major incident that has considerable fatalities or does major harm to the environment. Although in most cases these incidents can be economically recovered from, the stigma of the incident may linger and affect the sale of company products (especially if a public inquiry or considerable lawsuits occur).
12. Eliminate or prevent deliberate opportunities for employee- or public-induced damage or terrorist incidents. Negative employee morale may manifest itself as direct damage to company equipment as retribution (although unjustified, illegal, and unethical). These effects may be disguised as incidental events in order to avoid prosecution of the individuals involved. Other incidents may be perpetrated by outright terrorist activities. Incidental effects may possibly develop into catastrophic incidents unbeknownst even to the saboteur, until they occur. The design of facilities should account for periods when management and labor relations may not be optimum and opportunities for vandalism could easily avail themselves. Where a terrorist threat is identified, suitable ongoing preventive measures must be instituted, e.g., increased security measures, barricades, surveillance systems, etc.
3.4. WORST CASE CONDITION
Normal loss prevention practice is to design protection systems for the worst case fire event that can occur at a facility (within the limits of probability). To interpret this literally would mean in some cases that an oil or gas facility is completely on fire or totally destroyed by an explosion. Practical, economic, and historical review considerations indicate this rationale should be redefined as the Worst Case Credible Event (WCCE) or, as referenced in the insurance industry, the Probable Maximum Loss (PML), which could occur at the facility. Much discussion could be presented as to the most credible worst case event at the facility. Obviously a multitude of unbelievable events can be postulated (industrial sabotage, insane employees, plane crash impacts, etc.). Only the most realistic and probable events should be considered. In most cases, historical evidence of similar facilities is used as a reference for the worst case events. Alternatively, the effect of the most probable high inventory hydrocarbon release could be postulated. The worst case event should be agreed upon with loss prevention, operational, and senior executive management for the facility. The worst case credible event will normally define the highest hazard location(s) for the facility. From these hazards, suitable protection arrangements can be postulated to prevent or mitigate their effects. Several additional factors are important when considering a worst case credible event.
3.4.1 Ambient Conditions
• Weather: Winds, snow, sandstorms, extremely high or low ambient temperatures, etc. Weather conditions can impede the progress of any activity and interrupt utility services if these become impacted.
• Time of Day: Personnel availability, visibility, etc., play a key role in the activities of personnel during an incident. Periods of off-duty time for offshore or remote installations, shift changes, and nighttime allow a high density of personnel to develop on some occasions, which can be vulnerable to a high fatality risk. Poor visibility affects transportation operations.
3.5. INDEPENDENT LAYERS OF PROTECTION (ILP)
Most facilities are designed around layers of protection commonly referred to as independent layers of protection (ILP). A protection layer or combination of protection layers qualifies as an ILP when one of the following is met:
1. The protection provided reduces the risk of a serious event by 100 times.
2. The protective function is provided with a high degree of availability, i.e., greater than 0.99.
3. It has the following characteristics: specificity, independence, dependability, and auditability.
Table 3.1 provides a ranked listing of the independent layers of protection commonly found in the process industries. Most petroleum and chemical facilities rely on inherent safety and control features of the process, inherent design arrangements of the facility, and process safety emergency shutdown (ESD) features as the prime loss prevention measures. These features are immediately utilized at the time of the incident. Passive and active explosion and fire protection measures are applicable after the initiating event has occurred and an adverse effect to the operation has been realized. These features are used until their capability has been exhausted or the incident has been controlled.
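As an added illustration (not the handbook's own method or data), the three ILP qualification tests above and the Table 3.1 ranking can be encoded as the kind of layer-of-protection screen a LOPA study performs: each layer is tested against the 100-times risk reduction, the 0.99 availability, and the four-characteristics criteria, and the credited layers multiply down an initiating event frequency. The layer names, PFD and availability figures, and the rule that a layer sharing equipment with an already-credited layer earns no extra credit are this example's assumptions.

```python
"""ILP screening and a layer-of-protection frequency estimate.

Added example, not the handbook's method or data. It encodes the three ILP
qualification tests of Section 3.5 and walks layers in Table 3.1 rank order.
The independence rule (a layer sharing equipment with an already-credited
layer earns no extra credit) and all numeric values are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLayer:
    rank: int            # position in the Table 3.1 hierarchy
    name: str
    pfd: float           # probability of failure on demand (constructed value)
    availability: float  # fraction of time the layer is in service (constructed)
    depends_on: frozenset = frozenset()  # tags of equipment the layer relies on
    specific: bool = True
    dependable: bool = True
    auditable: bool = True

    def risk_reduction_factor(self) -> float:
        return math.inf if self.pfd == 0 else 1.0 / self.pfd

    def qualifies(self) -> bool:
        """Section 3.5: an ILP when any one of the three criteria is met.

        Independence (part of criterion 3) is established by the caller,
        which only calls this for layers not sharing credited equipment.
        """
        reduces_100x = self.pfd <= 1.0 / 100                 # criterion 1
        highly_available = self.availability > 0.99           # criterion 2
        characteristics = (self.specific and self.dependable  # criterion 3
                           and self.auditable)
        return reduces_100x or highly_available or characteristics


def credit_layers(layers):
    """Return the layers credited as ILPs, in Table 3.1 rank order.

    A layer whose equipment overlaps an already-credited layer is skipped,
    so one transmitter failure cannot be counted as two layers (assumed rule).
    """
    credited, equipment_in_use = [], set()
    for layer in sorted(layers, key=lambda l: l.rank):
        independent = layer.depends_on.isdisjoint(equipment_in_use)
        if independent and layer.qualifies():
            credited.append(layer)
            equipment_in_use |= layer.depends_on
    return credited


def mitigated_frequency(initiating_frequency, layers):
    """Initiating event frequency multiplied by the PFD of each credited ILP."""
    freq = initiating_frequency
    for layer in credit_layers(layers):
        freq *= layer.pfd
    return freq


def meets_target(initiating_frequency, layers, tolerable_frequency):
    return mitigated_frequency(initiating_frequency, layers) <= tolerable_frequency


# Constructed sample scenario: overfill of a hydrocarbon storage tank.
SAMPLE_LAYERS = (
    ProtectionLayer(2, "BPCS level control and alarm", pfd=0.1,
                    availability=0.95, depends_on=frozenset({"LT-101"})),
    ProtectionLayer(3, "Critical high-level alarm, operator closes inlet",
                    pfd=0.1, availability=0.97, depends_on=frozenset({"LT-101"})),
    ProtectionLayer(4, "ESD high-high level trip, fail-close inlet valve",
                    pfd=0.01, availability=0.995,
                    depends_on=frozenset({"LT-102", "XV-201"})),
    ProtectionLayer(6, "Dike sized for full tank contents", pfd=0.001,
                    availability=0.999),
    ProtectionLayer(7, "Fixed foam system (manually initiated)", pfd=0.05,
                    availability=0.98, dependable=False),
)
INITIATING_FREQUENCY = 0.1   # overfill demands per year (constructed)
TOLERABLE_FREQUENCY = 1e-5   # company risk target per year (constructed)


if __name__ == "__main__":
    for layer in credit_layers(SAMPLE_LAYERS):
        print(f"credited rank {layer.rank}: {layer.name} (PFD {layer.pfd})")
    print("mitigated frequency per year:",
          mitigated_frequency(INITIATING_FREQUENCY, SAMPLE_LAYERS))
    print("meets target:", meets_target(INITIATING_FREQUENCY, SAMPLE_LAYERS,
                                        TOLERABLE_FREQUENCY))
```

In the sample the rank 3 critical alarm earns no credit because it reads the same transmitter as the BPCS layer, and the foam system fails all three tests, leaving three credited layers.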
Table 3.1 Independent Levels of Protection
Rank | ILP Feature | Typical Period of Prime Usefulness | General Level of Destruction That May Occur
1 | Basic process design (e.g., inventories, commodities, refining processes, etc.) | Continuously during operations and emergencies | None(a)
2 | Basic controls, process alarms, and operator supervision (BPCS) | Continuously during operations and emergencies | None(a)
3 | Critical alarms, operator supervision, and manual intervention of process control | Continuously during operations and emergencies | None(a) to Minor
4 | Emergency shutdown (ESD) intervention: isolation, power down, depressurization, blowdowns, fail-safe features, etc. | From 0 to 15 min after incident occurrence | Minor to Major
5 | Physical process protection measures (e.g., relief valves, process integrity features, etc.) | From 0 to 2 h after incident occurrence | Major
6 | Facility passive protective measures (e.g., containment, dikes, spacing, fireproofing, etc.) | From 0 to 4 h after incident occurrence | Major to Severe
7 | Facility emergency response measures (e.g., fixed fire suppression systems, medical support, etc.) | From 0 to 6 h after incident occurrence | Severe to Catastrophic
8 | Community emergency response measures (e.g., evacuation, mutual aid, etc.) | From 0 to 24 h after incident occurrence | Catastrophic
(a) Lack of these features may contribute to the magnitude of destruction that may occur.

3.6. DESIGN PRINCIPLES
To achieve safety objectives and a philosophy of protection through independent layers of protection, a project or organization should define specific guidelines or standards to implement in its designs. Numerous industry standards are available (e.g., API, CCPS, NFPA) that provide options, general recommendations, or specific criteria once a design preference is chosen. It is therefore imperative to have company-specific direction in order to comply with management directives for the protection of the facility (see Figure 3.2). Typically applied generic safety features in the process industries include the following:
• Evacuation: Immediate facility evacuation should be considered a prime safeguard for all personnel from an incident. Exit routes and areas of safe refuge or assembly areas should be identified. All onsite personnel should be fully trained and, where required, certified for such an eventuality (e.g., offshore evacuation mechanisms).
Figure 3.2 Design considerations.
• Process Safety Priority: Process system emergency safety features, i.e., ESD, depressurization, blowdown, etc., should be considered the prime safeguard for loss prevention over fire protection measures (e.g., fireproofing, firewater systems, manual fire fighting).
• Regulatory & Company Compliance: The facility should meet the requirements of local, national, or international regulations and company policies pertaining to safety, health, and the protection of the environment.
• Utilization of Industry Standards: Recognized international codes and standards should be used (e.g., API, ASME, ASTM, CCPS, NACE, NFPA) in the design and in any proposed modification. It should be realized that compliance with a code or a standard is not sufficient in itself to ensure that a safe design is provided.
• Inherent Safety Practices: Inherent safety practices implement the least risk options for conducting an operation and provide sufficient safety margins. General methods include using inert or high flash point materials over highly volatile low flash point materials, use of lower pressures instead of higher pressures, smaller volumes instead of large volumes, etc. In general, these design characteristics:
  • are intrinsically safe,
  • incorporate adequate design margins or safety factors,
  • have sufficient reliability,
  • have failsafe features,
  • incorporate fault detection and alarms, and
  • provide protection instrumentation.
Specific inherent safety design features:
• ESD: Automatic ESD (shutdown and isolation) activation from confirmed process system instrumentation set points.
• Inventory Disposal: Automatic de-inventorying of high volume hydrocarbon processes (gaseous and liquid) for emergency conditions to remote disposal systems.
• Spacing: Separation distances are maximized for high risks. Occupied facilities, i.e., control rooms, offices, accommodations, temporary project site offices, etc., should be located as far as practical from high risks and should be evaluated for potential blast impacts. High volume storage is widely spaced from other risks. Safety factors are included in calculated spacing distances, determined by mathematical modeling of probable fire and explosion incidents. Spacing is preferred over passive protective barriers.
• Inventory Minimization: The amounts of combustible gases and liquids that may contribute to an incident should be minimized for normal operations and during emergency conditions (limited vessel sizes, isolation provisions, blowdown and depressurization, etc.). The maximum allowable levels for operational and emergency periods should be identified as part of the design process and risk analysis.
• Automatic Controls: Automatic control (DCS-BPCS, PLC, etc.) for high risk processes should be used and backed up by human supervision.
• Control Integrity: High integrity ESD systems containing failsafe devices should be used where practical. Failure modes are selected for operating devices that isolate fuel supplies (i.e., fail close) and depressure high volume gas supplies (i.e., fail open) upon disruption of utility services during an incident.
• Staggered Alarms: Two separate alarm indications (e.g., high/high-high; low/low-low) should be used for critical alarms and controls.
• Avoidance of Atmospheric Releases: The release or exposure of combustible vapors or liquids to the operating environment should not be allowed. Relief valve outlets should be connected to a flare or blowdown header, pump seal leakages should be immediately corrected, and vibration stresses on piping components should be avoided.
• Single Point Failure: Single point failure locations in the process flow should be eliminated for the prime production process and support systems (e.g., electrical power, heat transfer, cooling water, etc.) that are critical to maintaining the production process.
• Superior Corrosion Prevention Systems: High performance corrosion protective measures or allowances should be instituted. Corrosion monitoring should be used in all hydrocarbon containing systems.
• Free Air Circulation: The facility should be designed with the maximum use of open space for free air ventilation and circulation to avoid the buildup of unexpected vapor releases, especially for offshore installations. Enclosed spaces should be avoided.
• Control of Ignition Sources: Exposed ignition sources (e.g., vehicles, smoking, etc.) should be spaced as far as practical from hydrocarbon-containing systems (maximize electrical area classification requirements).
• Critical Air Supplies: Air supplies for ventilation of control rooms, prime movers, emergency generators, etc., should be located at the least likely location for the accumulation of combustible vapors or routes of dispersion.
• Personnel Evacuation: Two separate on-site evacuation mechanisms should be provided and available.
• Critical System Preservation: The integrity of safety systems (e.g., ESD, depressurization, fire detection, fire suppression, evacuation means) should be maximized and preserved from a fire or explosion incident.
• Drainage: Surface drainage and safe removal of spilled or accumulated liquids should be adequately provided and arranged to prevent exposure of the process system or critical facility support systems to the hazard. Liquids should be immediately removed from an area through surface runoff, drains, area catch basins, sumps, sewers, dikes, curbing, or remote impounding.
• Use of Low Hazard Commodities: High flash point, noncombustible, or inert liquids and gases should be utilized whenever possible.
• Low Pressure Preferences: Gravity or low pressure systems should be used over high pressure systems (e.g., fuel to prime movers, day tank supplies, etc.).
• Minimization of Leak Points: Common vulnerable leakage points should be minimized (e.g., glass level gauges, hose transfer systems, etc.).
• Piping Protection: Piping carrying a hazardous material should be minimized where practical and, where exposed, afforded the protection considered necessary by the risk.
• Personnel Incipient Actions: Operational personnel should be expected to suppress only very small incipient fires. All other emergencies are to be handled with emergency shutdown (ESD), blowdown, isolation, fire protection systems (active or passive), or exhaustion of the fuel sources by the incident.
• Employee Unrest: Opportunities for employee-induced damage are minimized. Facilities are arranged so that any such damage would require direct action and could not be attributed to purely mechanical failure, e.g., easily broken gauge glasses are protected or removed, drains are capped, field ESD push buttons are provided with protective covers, work permit procedures are enforced, lock-out/tag-out measures are used, etc.
• Weather/Geological Impacts: The facility is secured and evacuated if weather or geological event predictions suggest severe conditions may be imminent at the location.
• Controls Technologically Updated: The controls are designed and updated with the use of the best available control technology (BACT), e.g., DCS/PLCs and process management systems commensurate with the level of risk the facility represents.
• Process Hazard Reviews: The facility and subsequent changes are subjected to a process hazard analysis commensurate with the level of hazard the facility represents (e.g., Checklist, What-If, PHA, HAZOP, Event Tree, FMEA, LOPA, etc.). The results of these analyses are fully understood and acknowledged by management. Where high risk events are identified as probable, quantified risk estimation and evaluation of the effects of mitigation measures should be undertaken and applied if productive.
These are some of the numerous inherent design features that can be incorporated into the design of a process system depending on its characteristics. Not only should a process design achieve economic efficiency, but the inherent safety of the process should be optimized simultaneously as well.
3.7. ACCOUNTABILITY AND AUDITABILITY
An organization should have a well-thought-out protection design philosophy that is understood and accepted by management. The safety design philosophies should be reflected in the engineering design standards or guidelines used by the organization. The standards or guidelines form the basis against which the safety of the facility can be audited. Organizations that do not provide such information do not have any accountability standards to meet or achieve, and therefore the safety of the facility will suffer accordingly. Additionally, the objectives of design standards and guidelines can be more fully understood if a philosophy of design (protection) is documented (see Figure 3.3). The argument cannot be made that standards and guidelines restrict innovation or are unduly expensive. Waivers and exceptions to the requirements can always be allowed when fully justified. Such justification must demonstrate equivalency or superiority in meeting the requirements or the safety objective or intent. In this fashion, standards or guidelines can also be improved to account for such acceptable changes or improvements in technology. Although not easily calculated, a firm set of requirements also prevents "re-inventing the wheel" each time a facility is designed. This will also hopefully prevent mistakes made in the past from recurring. Thus, they establish a long-term savings to the organization. Additionally, reference to industry standards, e.g., API, NFPA, etc., will not specify the actual protection measures to be provided at a facility. In most cases, they only define the design parameters. A project or facility requires the "local jurisdiction" to determine the protection requirements, which is usually the company itself. Industry codes and guidelines can only provide detailed design guidance once a particular protection philosophy is specified.

Figure 3.3 Management accountability.