Introduction
The growth of industry and, as a result, of the economy depends on technological
advances and innovations. However, these same activities often lead to more com-
plex processes, especially in the chemical industry, which is using comparatively
severe operating conditions (temperature, pressure, flow rate, etc.), more reactive
chemicals, and exotic chemistry. These more complex processes require in-depth
analysis and knowledge of process chemistry and hazards. It is even more impor-
tant now to design the process and equipment to precise standards based on a
complete understanding of the underlying hazards, process chemistry, and the im-
pact of operating conditions. Recently, much attention has been paid to human
factors and their impact on chemical plant incidents. However, one can also argue that
process knowledge and understanding is itself the most basic human factor. This is based on
the concept that inadequate knowledge, information, and understanding of the pro-
cess hazards, chemistry, and impact of operating conditions are the root cause of
many process plant incidents.
Managing safety is no easy task, but it makes bottom-line sense. There is a
direct payoff in savings on a company’s workers’ compensation insurance, whose
premiums are partly based on the number of claims paid for job injuries [1]. The
indirect benefits are far larger, for safe plants tend to be well run in general and
more productive. The recipe for safety is remarkably consistent from industry to
industry. It starts with sustained support of top management followed by imple-
mentation of appropriate programs and practices that institutionalize safety as a
culture rather than as a set of add-on procedures. The ingraining of safety as second na-
ture in day-to-day activities requires a paradigm shift and can only be accomplished
when safety is viewed as an integral and comprehensive part of every activity
rather than as a stand-alone or add-on activity.
To prevent accidents, we must modify this accident process. This can be done
by eliminating or reducing the likelihood of initiating events or propagating events,
reducing the ability of propagating events to increase the magnitude of the accident,
or by providing terminating events to interrupt the accident sequence before unac-
ceptable consequences can occur. For the example described, some corrective ac-
tions might include the following:
• Using a pump with an improved design, which would require less frequent seal
repair (reducing the likelihood of the initiating event)
• Providing a double block between the sulfuric acid supply and the pump, and
improving procedures and training to ensure timely washing of equipment and
use of protective equipment (reducing likelihood of propagating events)
• Training the mechanic to assume the pump contains sulfuric acid and to drain
it to a safe place before he begins his work (provide a safe terminating event
by safely removing the acid)
FIG. 1 Typical layers of protection for a chemical process. (Based on Fig. 2.2 of Ref. 3.)
[3]. The layers of protection might include the basic process design, basic process
controls and operating procedures, critical alarms and process shutdown proce-
dures, safety interlocks, emergency equipment such as rupture disks and pressure
relief valves, physical containment systems such as catch tanks and spill con-
tainment dikes, emergency response equipment and services such as sprinkler sys-
52 Process Safety and Risk Management
tems and fire-fighting equipment and personnel, and personnel evacuation proce-
dures.
Multiple barriers are generally required because no barrier will be perfect—
all are subject to potential failure. An inherently safer process (discussed elsewhere
in this article) will reduce or eliminate the hazard and will require fewer or less
robust layers of protection—and, if the hazard is sufficiently small, there may be
no need for additional protective layers at all. This is highly desirable because the
layers of protection may require significant initial capital investment and ongoing
operating costs to ensure their continued effectiveness. Also, although the layers
of protection may be highly reliable and the risk of an accident may be small, it
can never be zero—there is always a possibility that all of the layers of protection
will fail simultaneously and the accident will occur.
The number and required reliability of the barriers or layers of protection must
be established through the use of the various hazard and risk analysis techniques
described in the following sections. This requires a complete understanding of the
hazards of the process and plant-hazard identification, and an understanding of the
mechanisms or scenarios by which those hazards might result in harm to people,
the environment, or property—hazard analysis or hazard evaluation.
Regulations
In recent decades, a number of chemical or related incidents in the petro-
chemical industry have adversely affected surrounding communities. A few of
these incidents, such as the vapor cloud explosion in Flixborough in 1974, the
liquefied petroleum gas explosion in Mexico City in 1984, the toxic material re-
lease in Bhopal in 1984, and the fire and radiation release in Chernobyl, were
reported worldwide. Both governmental agencies and trade organizations re-
sponded by developing standards and regulations to improve process safety. The
American Petroleum Institute (API) and the American Chemistry Council (ACC; at that
time the Chemical Manufacturers Association) started to work with their members to
develop organizational guidelines. The U.S. Department of Labor directed the
Occupational Safety and Health Administration (OSHA) to develop federal standards
for managing process safety.
A consensus started to emerge in 1990. Although the language, application,
and extent of each document differed, the contents and objectives were almost the
same. The API published Recommended Practice 750: Management of Process
Hazards [4] in January 1990. OSHA published the proposed federal process safety
rule [5] in July 1990. In October 1990, the ACC published its Resource Guide for
Implementing the Process Safety Management Code of Practices [6]. In addition,
the Clean Air Act Amendments of 1990 directed OSHA and the Environmental
Protection Agency (EPA) to develop process safety management regulations to
protect workers and the environment. The final OSHA rule on Process Safety Man-
agement of Hazardous Chemicals (29 CFR 1910.119) was published in the Federal
Register [7] on February 24, 1992. A matrix showing the relevance of OSHA
Process Safety Management (PSM) elements to the Center for Chemical Process
The 14 elements of the OSHA Process Safety Management (PSM) regulation (29
CFR 1910.119) were published in the Federal Register on February 24, 1992 [7].
The objective of the regulation is to prevent or minimize the consequences of
catastrophic releases of toxic, reactive, flammable, or explosive chemicals. The
regulation requires a comprehensive management program: a holistic approach that
integrates technologies, procedures, and management practices.
The process safety management regulation applies to processes that involve
certain specified chemicals at or above threshold quantities, processes that involve
flammable liquids or gases on-site in one location in quantities of 10,000 lb or
more (subject to a few exceptions), and processes that involve the manufacture of
explosives and pyrotechnics. Hydrocarbon fuels, which may be excluded if used
solely as a fuel, are included if the fuel is part of a process covered by this regula-
tion. In addition, the regulation does not apply to retail facilities, oil or gas well
drilling or servicing operations, or normally unoccupied remote facilities.
The process safety management regulation requires a systems approach for
managing safety. Segments of the hazardous chemicals industry have for some time
practiced some or all of the required programs. The promulgation of the regulation
formalized the requirements and established minimum criteria. This is both
good and bad. The regulation now requires everyone to establish the management
systems and apply the technologies needed to comply with the regulation. How-
ever, for the same reason, there is a tendency to look for ‘‘paper compli-
ance’’ rather than making real improvements in safety programs and technolo-
gies.
In 1996, the EPA promulgated the regulation for Risk Management Programs for
Chemical Accident Release Prevention (40 CFR 68). This federal regulation was
mandated by section 112(r) of the Clean Air Act Amendments of 1990. The reg-
ulation requires regulated facilities to develop and implement appropriate risk
management programs to minimize the frequency and severity of chemical plant
accidents. In keeping with regulatory trends, EPA required a performance-based
approach toward compliance with the risk management program regulation.
The EPA regulation also requires regulated facilities to develop a Risk Manage-
ment Plan (RMP). The RMP includes a description of the hazard assessment, pre-
vention program, and the emergency response program. Facilities submit the RMP
to the EPA and, subsequently, it is made available to governmental agencies, the
state emergency response commission, the local emergency planning committees,
and communicated to the public.
The risk management program regulation defines the worst-case release as the
release of the largest quantity of a regulated substance from a vessel or process
line failure, taking into account administrative controls and passive mitigation that limit the
total quantity involved or release rate. For gases, the worst-case release scenario
assumes the quantity is released in 10 min. For liquids, the scenario assumes an
instantaneous spill and that the release rate to the air is the volatilization rate from
a pool 1 cm deep unless passive mitigation systems contain the substance in a
smaller area. For flammables, the scenario assumes an instantaneous release and
a vapor cloud explosion using a 10% yield factor. For alternative scenarios (note:
EPA used the term alternative scenario rather than the term more-likely sce-
nario used in the earlier proposed regulation), facilities may take credit for both
passive and active mitigation systems.
Appendix A of the final regulation lists endpoints for toxic substances to be
used in worst-case and alternative scenario assessment. The toxic endpoints are
based on ERPG-2 (Emergency Response Planning Guidelines—Level 2) or level
of concern data compiled by the EPA. The flammable endpoints represent vapor
cloud explosion distances based on overpressure of 1 psi or radiant heat distances
based on exposure to 5 kW/m2 for 40 s.
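As an added worked example, not part of the article, the following Python applies the worst-case assumptions just described (a gas released over 10 min, a liquid spread to a 1 cm pool unless passive mitigation confines it, and a flammable vapor cloud explosion at 10% yield) to constructed inputs. The TNT heat of combustion of 4,680 kJ/kg and the 1 psi distance correlation D = 17 × W_TNT^(1/3) are taken from EPA's RMP Offsite Consequence Analysis guidance rather than from this article, and the propane quantity, density, and heat of combustion used are assumed values.

```python
LB_TO_KG = 0.45359237
WORST_CASE_GAS_RELEASE_MINUTES = 10.0   # 40 CFR 68: gas quantity released in 10 min
WORST_CASE_POOL_DEPTH_M = 0.01          # 40 CFR 68: liquid spreads to a pool 1 cm deep
VCE_YIELD_FACTOR = 0.10                 # 40 CFR 68: 10% of heat of combustion goes to blast
HC_TNT_KJ_PER_KG = 4680.0               # TNT heat of combustion in EPA's OCA guidance (assumed here)


def gas_release_rate_kg_per_min(quantity_kg):
    """Worst-case gas release rate: the whole quantity over 10 minutes."""
    return quantity_kg / WORST_CASE_GAS_RELEASE_MINUTES


def liquid_pool_area_m2(quantity_kg, density_kg_per_m3, diked_area_m2=None):
    """Worst-case liquid pool area: the spilled volume at 1 cm depth, unless a dike or
    other passive mitigation confines it to a smaller area (credit allowed by the rule)."""
    unconfined = quantity_kg / density_kg_per_m3 / WORST_CASE_POOL_DEPTH_M
    if diked_area_m2 is not None and diked_area_m2 < unconfined:
        return diked_area_m2
    return unconfined


def tnt_equivalent_kg(flammable_mass_kg, heat_of_combustion_kj_per_kg):
    """TNT-equivalent mass of a vapor cloud explosion at the rule's 10% yield factor."""
    return VCE_YIELD_FACTOR * flammable_mass_kg * heat_of_combustion_kj_per_kg / HC_TNT_KJ_PER_KG


def distance_to_1_psi_m(tnt_kg):
    """Distance to the 1 psi overpressure endpoint, D = 17 * W_TNT**(1/3) (D in m, W in kg).
    This TNT-equivalency correlation is assumed from EPA's OCA guidance, not from the article."""
    return 17.0 * tnt_kg ** (1.0 / 3.0)


def worst_case_flammable(quantity_lb, heat_of_combustion_kj_per_kg):
    """Worst-case flammable scenario: instantaneous release of the whole inventory
    followed by a vapor cloud explosion; returns the intermediate values too."""
    mass_kg = quantity_lb * LB_TO_KG
    w_tnt = tnt_equivalent_kg(mass_kg, heat_of_combustion_kj_per_kg)
    return {
        "mass_kg": mass_kg,
        "tnt_equivalent_kg": w_tnt,
        "distance_to_1_psi_m": distance_to_1_psi_m(w_tnt),
    }


if __name__ == "__main__":
    # Constructed case: 10,000 lb of propane (the PSM flammable threshold), assumed
    # heat of combustion 46,350 kJ/kg.
    result = worst_case_flammable(10_000, 46_350.0)
    print(f"mass: {result['mass_kg']:.0f} kg")
    print(f"TNT equivalent: {result['tnt_equivalent_kg']:.0f} kg")
    print(f"distance to 1 psi: {result['distance_to_1_psi_m']:.0f} m")
    # Constructed case: 1,000 kg of a liquid of density 800 kg/m3 inside a 50 m2 dike.
    print(f"unconfined pool: {liquid_pool_area_m2(1000.0, 800.0):.0f} m2")
    print(f"diked pool: {liquid_pool_area_m2(1000.0, 800.0, diked_area_m2=50.0):.0f} m2")
```

The toxic endpoints described in the same paragraph need an atmospheric dispersion model to turn the release rate or pool evaporation into a downwind distance, so they are not computed here; the functions above stop at the source terms the rule prescribes.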
These hazards cannot be changed; they are intrinsic to the material or its conditions
of use. The only way to eliminate or reduce hazards is to change the material or
conditions of use. Although it is generally preferable to eliminate or reduce hazards
(see later discussion on inherent safety), this is not always possible. The properties
of a material or system that create a hazard may be the same as the properties
that make the material or system useful. A highly reactive monomer, when poly-
merized under controlled conditions, will produce a valuable product. However,
if the polymerization is not controlled, the result could be overpressurization of a
reactor and a possible explosion. Therefore, it is often necessary to manage and
control the hazards of a process and plant. To do this, you must first identify and
understand the hazards—hazard identification. Then, you must understand how
the harm to people, the environment, or property can be realized from the hazard-
ous material or condition—hazard evaluation or hazard analysis.
Risk
There can be many different kinds of risk associated with a chemical process or
plant; for example, safety risk to plant workers, health risk to workers, health risk
to neighbors, risk of various kinds of environmental damage, risk of damage to
the plant or other property, risk of producing product which does not meet specifi-
cations and cannot be sold, risk of loss of business due to a plant outage, business
risk that the product cannot be sold, and others. All of these risks must be under-
stood and managed to successfully operate a profitable plant and business over the
long term.
There are many different measures for each of the risks associated with a chem-
ical manufacturing facility. For example, some measures of risk to employees in
a plant include the following:
The CCPS Guidelines for Chemical Process Quantitative Risk Analysis [13] de-
scribes many different measures of safety risk which might be used in understand-
ing the risk of a chemical plant and also provides quantitative methodologies for
calculation.
A full understanding of all hazards of a process is the essential first step in eliminat-
ing, minimizing, or managing those hazards.
The objective of hazard evaluation is the identification of specific mechanisms
by which the potential harm associated with the process hazards can be realized.
Hazard evaluation techniques can also include the identification of protective mea-
sures which have been incorporated into the process design to manage the hazards,
qualitative assessment of the risk of the specific incident scenarios identified, and
evaluation of the adequacy of existing protective features or recommendation for
additional safeguards.
Hazard Identification
Interaction Matrix
The Chemistry Hazard Analysis (CHA) is derived from the Hazard and Operability
(HAZOP) study methodology. The thought process of a HAZOP study can be
applied at any stage in process development. The CHA is a HAZOP applied to a
chemical reaction, without the detailed plant design information required for a
traditional HAZOP study. For the CHA, the chemist or engineer usually assumes
that the deviation identified by the application of the guide word to the chemical
reaction does occur for some reason, not developing specific causes, and investi-
gates the consequences. If the consequences are known, the designer should deter-
mine if they represent a hazard which must be understood and managed as a part
of the process development, and document this information for future action or
reference. In many cases, early in process development, the consequences may not
be known, and additional research or experiments may be needed.
TABLE 2 Process Hazard Analysis Tools Commonly Used in the Chemical Process Industries
Category: Brainstorming techniques
  Tools: Safety review; Preliminary hazard analysis; What If
  Description and comments: Relatively unstructured brainstorming techniques to identify hazards and potential accident scenarios.
  Tools: Hazard and Operability Study (HAZOP); Failure Mode and Effect Analysis (FMEA)
  Description and comments: A structured analysis procedure that focuses brainstorming activities, including use of a specific set of guide words or knowledge and checklists of known equipment failure modes.
Category: Checklist techniques
  Tools: Checklist; What If/checklist
  Description and comments: Predefined checklists based on previous experience compare a design to specific standards or good practice. When combined with What If analysis, the checklists are used to prompt brainstorming activities.
Category: Risk-ranking techniques
  Tools: Relative ranking
  Description and comments: A general category that includes a large number of quantitative and semiquantitative techniques which use checklists or equations based on material properties, quantities, and handling conditions to numerically rank risk. Examples include the Dow Fire and Explosion Index and the Dow Chemical Exposure Index.
Category: Logic model techniques
  Tools: Fault-tree analysis; Event-tree analysis
  Description and comments: Logic models which identify the specific causes and combinations of events which lead to a potential accident scenario. These techniques require much detailed design information and usually focus on analyzing a few specific accident scenarios in detail. These techniques can be quantified and are important tools in quantitative risk analysis.
guidance on how the various techniques have commonly been applied through the
life cycle of a chemical process.
Note.—●: PHA technique commonly used; ○: PHA technique rarely used or not appropriate. (Table note; the table body itself is not reproduced here.)
Source: Based on Ref. 5.
What-If Analysis
be applied at any stage in the process life cycle. The unstructured nature of What-
If Analysis can be both an advantage and a disadvantage. With an experienced and
knowledgeable team, the technique can be powerful. The discussion and interaction
among team members in the meeting can enhance the identification of hazards.
However, the unstructured nature may result in an incomplete analysis by an inex-
perienced team. Table 4 is an example of the results of a What-If Analysis. What-
If is often combined with a checklist to ensure that a minimum set of ‘‘What-If’’
questions are covered by the review team.
Checklist Analysis
A checklist is a list of items used to verify that a plant or process is designed and
operated consistently with a predetermined set of good practices defined by the
checklist. A checklist is often used to confirm that a plant complies with codes,
standards, or regulations. Checklists vary from general lists of questions describing
common chemical hazards and processing concerns to detailed lists of specific
requirements of a standard. Many checklists are simple, requiring only ‘‘yes, no,
not applicable’’ answers. The use of checklist analysis depends on the availability
of suitable checklists for the plant being reviewed. Good checklists are most likely
to be available for common types of installation, such as flammable-solvent storage
facilities, and are unlikely to be available for unique process operations. Checklist
completeness depends on the experience of the checklist authors. The output of a
checklist analysis is a list of responses to the checklist questions, with areas of
noncompliance highlighted and recommendations for bringing the facility into
compliance.
Combining a What-If Analysis with a checklist can be a very effective hazard
identification and evaluation technique. The What-If allows creative brainstorming
of a team to identify hazards, and the checklist ensures that the team considers a
specified list of hazards based on prior experience, addressing the concern about
completeness of the What-If analysis.
Hazard and Operability Study
A Hazard and Operability Study (HAZOP) is a guide word hazard evaluation tech-
nique normally done by a review team. HAZOP begins with the premise that the
process is safe if operated, as intended, and the team must agree that this is true.
Incidents are assumed to result from deviation from intended operation. Guide
words are used in conjunction with the process operating parameters to identify
potential deviations, and the review team determines the consequences of those
deviations.
A Hazard and Operability Study is best applied when specific process and plant
information is available (e.g., a detailed plant design or an operating plant). To
do a HAZOP, the process is first divided into sections, or nodes, which are analyzed
individually. A node might be a transfer line from one vessel to another, a piece
of process equipment such as a reactor or heat exchanger, or a step in a batch
process. The team states the intended operation of each process node, including
values of the process parameters—the process intention. The team then applies
guide words to the parameters to identify potential deviations from intended opera-
tion. The following are basic guide words:
• No
• More
• Less
• Part Of
• Reverse
• As Well As
• Other
As an example, the guide word ‘‘less’’ can be combined with a specified reactor
temperature intention to arrive at the deviation ‘‘less (lower) reactor temperature.’’
Once a deviation has been identified, the team determines as many potential causes
of the deviation as possible. For the deviation ‘‘less reactor temperature,’’ causes
might include a cooling water control valve stuck open, incorrect temperature set
point, and others. The team determines the consequences of each deviation, cause
Fault-Tree Analysis
A fault tree is a logic model which identifies the multiple ways in which equipment
and human failures in a system can combine to cause an undesired event (the ‘‘Top
Event’’). The analyst begins with a specific undesired event and develops a model
using Boolean ‘‘AND’’ and ‘‘OR’’ logic gates to identify the immediate causes.
These immediate causes can then be further developed to identify their causes,
also using Boolean logic gates. The development of the tree continues until it
reaches a level of resolution judged to be adequate for understanding potential
incident sequences and identifying system improvements. These events are not
further developed and are called basic events. Normally, basic events are at the
level of failure of individual plant components (e.g., a shutoff valve stuck in the
open position, a pump failure to run, a pressure sensor failing to detect high pres-
sure). Human error can be incorporated into a fault tree by including specific opera-
tor actions (e.g., opening the wrong manual valve) or errors (e.g., failure to act in
response to a high temperature alarm). Figure 3 is an example of the top levels
of a fault tree for a fire.
A fault tree can be solved using Boolean algebra techniques to identify specific
combinations of individual equipment failures and human errors, which can cause
the undesired top event. These combinations of failures and errors describe specific
potential incident scenarios and are called minimal cut sets. The cut sets can be
used to identify areas where the system can be improved. Fault trees can also be
quantified by assigning failure rate and probability data to the basic events. These
data can be mathematically manipulated to estimate the likelihood of the top event
and to understand the relative contribution of individual basic events and cut sets
to the total probability of failure.
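As an added worked example (not from the article or its references), the following Python builds a small fault tree for a pump-area fire from constructed basic events and probabilities, solves it for minimal cut sets by Boolean absorption, and quantifies the top event both exactly (inclusion–exclusion over the cut sets) and by the common rare-event approximation. The tree, event names, and probabilities are assumptions for illustration; they are not the article's Figure 3.

```python
from itertools import combinations, product
from math import prod

# Constructed fault tree (an assumption for this example, not the article's Fig. 3).
# A gate is ("AND", [children]) or ("OR", [children]); a leaf is a basic-event name.
# Top event: fire in the pump area = a flammable release AND an ignition source present.
FIRE_TREE = ("AND", [
    ("OR", ["seal_leak", "gasket_failure", "wrong_valve_opened"]),  # flammable release
    ("OR", ["hot_work", "electrical_fault"]),                        # ignition source present
])

# Constructed per-demand probabilities for the basic events (assumed values).
BASIC_EVENT_PROB = {
    "seal_leak": 1e-2,
    "gasket_failure": 5e-3,
    "wrong_valve_opened": 2e-3,
    "hot_work": 5e-2,
    "electrical_fault": 1e-2,
}


def minimize(cut_sets):
    """Boolean absorption: drop any cut set that strictly contains another cut set."""
    return {s for s in cut_sets if not any(other < s for other in cut_sets)}


def minimal_cut_sets(node):
    """Solve the tree for its minimal cut sets (frozensets of basic-event names).

    An OR gate takes the union of its children's cut sets; an AND gate combines one
    cut set from each child (Cartesian product). Absorption is applied at every gate
    so a basic event that appears under several gates does not leave redundant supersets.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        sets = set().union(*child_sets)
    elif gate == "AND":
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(sets)


def top_event_probability(cut_sets, prob):
    """Exact top-event probability by inclusion-exclusion over the minimal cut sets.

    Basic events are assumed independent. Each term is the probability that every
    event in the union of a group of cut sets occurs; the sign alternates with group size.
    """
    sets = list(cut_sets)
    total = 0.0
    for k in range(1, len(sets) + 1):
        sign = 1.0 if k % 2 else -1.0
        for group in combinations(sets, k):
            events = frozenset().union(*group)
            total += sign * prod(prob[e] for e in events)
    return total


def rare_event_approximation(cut_sets, prob):
    """Sum of the cut-set probabilities: an upper bound, close when all are small."""
    return sum(prod(prob[e] for e in s) for s in cut_sets)


def basic_event_importance(cut_sets, prob):
    """Share of the (rare-event) top-event probability that passes through each basic event."""
    total = rare_event_approximation(cut_sets, prob)
    return {
        e: sum(prod(prob[x] for x in s) for s in cut_sets if e in s) / total
        for e in prob
    }


if __name__ == "__main__":
    sets = minimal_cut_sets(FIRE_TREE)
    for s in sorted(sets, key=sorted):
        print(" AND ".join(sorted(s)))
    print("exact P(top):", top_event_probability(sets, BASIC_EVENT_PROB))
    print("rare-event approximation:", rare_event_approximation(sets, BASIC_EVENT_PROB))
    for event, share in sorted(basic_event_importance(sets, BASIC_EVENT_PROB).items()):
        print(f"{event}: {share:.1%}")
```

Because the tree above has no repeated basic events, the inclusion–exclusion result equals P(release) × P(ignition) computed directly; the cut-set route matters when the same component feeds several gates, which is exactly the situation where the rare-event sum starts to overstate the risk.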
Event-Tree Analysis
An event tree is a graphical logic model which shows the possible outcomes
resulting from an initiating event. An event tree describes the response of a sys-
tem to a disturbance created by the initiating event. For example, Fig. 4 shows an
event tree for the sulfuric acid splash incident used to describe the accident pro-
cess. An event tree describes a number of potential outcomes from a single initiat-
ing event. These outcomes may vary in severity, and the event tree is useful in
understanding the full range of possible outcomes that can result from a single
system failure. Event trees are very useful in understanding the effectiveness of
the multiple layers of protection, which are often present in a chemical process.
Each independent layer of protection is a branch point in the event tree, with the
branches corresponding to the success or failure of the layer of protection. An
event tree, like a fault tree, can also be quantified by estimating a frequency
for the initiating event and the probabilities of success and failure at each branch
point in the event tree. Quantitative event tree analysis is often combined with
fault-tree analysis: Fault trees are used to quantify the frequency of the initiating
event and the probability of failure of the protective systems at the event-tree
branch points.
Table note (the example table itself is not reproduced here). Intention: Feed 150–160 lbs/h of 42–44% aqueous Raw Material A solution from Feed Tank F-101 using Pump P-110 through line 10436 and flow controller FIC-301-01 to Reactor R-310. Raw Material A solution temperature is 20–35°C. While feeding, Reactor R-310 agitator is running at 50 rpm.
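As an added worked example, not part of the article, the following Python quantifies an event tree in which each independent layer of protection is a branch point: layers are demanded in order, the first one that works ends the sequence with a mitigated outcome, and the unmitigated accident occurs only if every layer fails. The initiating event (loss of reactor cooling at 0.1/yr), the three layers, and their probabilities of failure on demand are assumed values; in practice they would come from plant data or from fault trees as the text describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLayer:
    """One independent layer of protection, i.e. one branch point in the event tree."""
    name: str
    pfd: float               # probability of failure on demand (assumed; a fault tree could supply it)
    outcome_if_success: str  # what happens when this layer works


# Constructed scenario: loss of cooling to an exothermic reactor, three independent layers.
INITIATING_EVENT = "loss of reactor cooling"
INITIATING_FREQUENCY_PER_YEAR = 0.1
REACTOR_LAYERS = (
    ProtectionLayer("operator response to high-temperature alarm", 0.1,
                    "operator stops feed and restores cooling"),
    ProtectionLayer("safety interlock (automatic feed shutoff)", 0.01,
                    "interlock trips; reaction quenched"),
    ProtectionLayer("pressure relief to catch tank", 0.01,
                    "relief opens; contents routed to catch tank"),
)


def event_tree(initiating_event, frequency_per_year, layers):
    """Enumerate every outcome of the initiating event and its frequency per year.

    Walking the branch points in order, the path probability accumulates the failure
    probabilities of the layers already passed. Each outcome frequency is the initiating
    frequency times the probabilities along its path, so the outcome frequencies always
    sum to the initiating frequency; the last entry is the unmitigated accident.
    """
    outcomes = []
    path_probability = 1.0
    for layer in layers:
        success_frequency = frequency_per_year * path_probability * (1.0 - layer.pfd)
        outcomes.append((layer.outcome_if_success, success_frequency))
        path_probability *= layer.pfd
    outcomes.append((f"all layers fail after {initiating_event}", frequency_per_year * path_probability))
    return outcomes


def accident_frequency(frequency_per_year, layers):
    """Frequency of the unmitigated accident: all layers fail on the same demand.
    It is a product of small numbers but never zero, as the article notes."""
    f = frequency_per_year
    for layer in layers:
        f *= layer.pfd
    return f


def layers_needed(frequency_per_year, target_frequency, layers):
    """Fewest of the given layers (taken in order) that bring the accident frequency to or
    below the target, or None if even all of them are insufficient. This is how the number
    and required reliability of barriers can be checked against a risk target."""
    for n in range(len(layers) + 1):
        if accident_frequency(frequency_per_year, layers[:n]) <= target_frequency:
            return n
    return None


if __name__ == "__main__":
    for outcome, freq in event_tree(INITIATING_EVENT, INITIATING_FREQUENCY_PER_YEAR, REACTOR_LAYERS):
        print(f"{freq:.2e} /yr  {outcome}")
    print("layers needed for 1e-5 /yr:", layers_needed(INITIATING_FREQUENCY_PER_YEAR, 1e-5, REACTOR_LAYERS))
```

The independence assumption is the one to challenge in review: if the interlock and the alarm share the same temperature sensor, they are not separate branch points and the product of their failure probabilities understates the accident frequency.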
Failure Mode and Effect Analysis
A Failure Mode and Effect Analysis (FMEA) lists the known failure modes of
specific pieces of equipment in a plant and determines the impact of those failures
on the plant. FMEA and HAZOP are similar; the main difference is the starting
point for identifying potential hazardous incident scenarios. HAZOP starts by pos-
tulating a deviation in the value of a process parameter (e.g., more flow) and asking
what kind of equipment failures or operating errors might have caused that devia-
tion and what the process impact will be. FMEA starts by postulating a known
equipment failure mode (e.g., control valve stuck open) and asks what impact this
failure will have on the operation of the process.
The FMEA starts with a functional description of each piece of process equip-
ment and identifies ways in which that piece of equipment might fail to perform
as designed. A good understanding of the equipment and potential failure modes
is required. The FMEA determines how the process will respond to the potential
equipment failure, determines if a potentially hazardous incident will result, identi-
fies existing safeguards, evaluates their effectiveness, and develops recommenda-
tions for action where appropriate. These steps are very similar to the correspond-
ing step in a HAZOP study. Table 6 shows a part of the output from a typical
FMEA study.
Risk-Ranking Techniques
Risk-ranking techniques such as the Dow Fire and Explosion Index [16] and the
Dow Chemical Exposure Index [17] develop a numerical risk-ranking index based
on various process characteristics such as material properties, chemical reactions,
unit operations, operating conditions, and other factors. These risk indices provide
a relative ranking of specific types of process hazards (e.g., fire and explosion
hazards) and are useful for comparing alternate process or plant designs (including
location and siting), understanding the parts of a plant or process which are the
major sources of risk, and prioritizing other hazard evaluation and risk management
activities.
This section has briefly described a number of commonly used hazard identification
and evaluation tools. Most of these tools are best used in a multidisciplinary team
environment, providing a wide variety of plant and process experience and interac-
tive discussion to understand the process and identify potential hazards and inci-
dent scenarios. CCPS [18] and Wells [19] provide more information on the applica-
tion of these and other hazard evaluation tools in the chemical industry.
Consequence Analysis
Source Models
Source models quantitatively estimate the magnitude, rate, duration, physical state
(solid, liquid, gas, or a combination), and temperature or other physical condition
of a chemical release based on the physical and chemical parameters associated
with a particular release scenario.
Most source models are well developed in chemical engineering theory and
are essentially the same as the models used for similar material flow scenarios
used to design plant equipment. These include single-phase and multiphase flow
models for flow-through holes, orifices, and pipes, which are readily adapted to
describe flow from a leaking pipe or vessel. Two-phase flashing flow models are
based on technology developed by the Design Institute for Emergency Relief Sys-
tems (DIERS) [26]. Two-phase or flashing jet release models must also consider
the formation of fine aerosols in the discharge and the potential for the small drops
to remain suspended in the atmosphere rather than ‘‘raining out’’ into an evaporat-
ing pool on the ground. For a discharge of material from a reactive system, the
models required to fully understand the system may be quite complex and data
from reaction calorimetry tests may be required.
If a release is wholly or partially in the form of a liquid, it will form a pool
on the ground. The evaporation of vapor from this pool is another potential source
term for atmospheric dispersion models, which estimate the downwind concentra-
tion of the vapor. The first step in estimating evaporation from a liquid pool is to
estimate the size of the pool. Pool size models consider the momentum of the
liquid stream entering the pool, gravity spreading resulting from the depth of the
pool, and the liquid physical properties (e.g., viscosity, surface tension, and surface
wetting properties). Physical constraints such as dikes and containment systems
may also determine the size of a pool of spilled liquid.
There are three major pool evaporation situations, which are typically modeled:
boiling liquid pools, volatile liquid pools, and relatively nonvolatile liquid pools.
• Boiling liquid pools occur when the pool liquid boils at a temperature below
that of its surroundings (the ground and atmosphere). In this case, vapor genera-
tion is controlled by heat transfer into the liquid pool, both from the ground
and from the surrounding atmosphere. The vapor release rate is determined from
an estimate of the total heat transfer into the pool and the heat of vaporization
of the liquid.
• Volatile liquid pools exert a significant vapor pressure but are at a temperature
below the liquid boiling point. Evaporation models for volatile liquid pools
consider both heat transfer into the pool and mass transfer rates into the atmo-
sphere from the pool surface.
• The evaporation of relatively nonvolatile liquid pools is primarily determined
by mass transfer at the surface of the pool. Because the evaporation rate is low,
the pool temperature will be essentially the same as the temperature of the
surroundings after any initial temperature differences equilibrate. Evaporation
models are based on standard methodologies for estimating convective mass
transfer from a liquid into a gas.
Vapor cloud dispersion models estimate the area covered by the vapor cloud from
a chemical release as it disperses in the atmosphere, and they estimate the vapor
concentrations at specific locations in the cloud. Some of the data required for a
vapor cloud dispersion model include the following:
Some of the complex vapor cloud dispersion models may require additional infor-
mation to characterize the release, the atmospheric conditions, and surface condi-
tions.
Vapor cloud dispersion models consider three typical types of behavior:
The CCPS [20] describes vapor cloud models in detail, including all of the
major types of dispersion models and release types. The CCPS [22] provides a
more condensed summary of some of these models. The output of these models
describes the concentration of the released material in both time and space as the
vapor cloud travels downwind.
Fires
Pool Fire
The primary mechanism of damage from a pool fire is thermal radiation from the
flame. Pool fire models estimate the thermal effects based on the properties of the
material burning in the pool, the geometry of the pool, atmospheric characteristics,
and the geometry of the fire relative to the receptor. Pool fire models are
well developed. They are based on empirically determined characteristics such as
burning rate, flame height, surface emissive power, and atmospheric transmissivity,
all of which are well established in the literature. Pool fire models provide an
estimate of the thermal radiation at locations of interest surrounding the fire.
Jet Fire
Many jet fire models are based on models used for the design of flare systems.
As for pool fires, the damage from a jet fire results primarily from thermal radiation
from the fire. Jet fire models require an understanding of the characteristics of the
jet (discharge rate and velocity, material burning properties) and, like pool fires,
characteristics of the atmosphere. Jet fire models are primarily empirical but are
derived from much data and experience. The models produce an estimate of the
thermal radiation at locations surrounding the jet fire.
Flash Fire
A flash fire results from the ignition of a cloud of flammable gas (a cloud containing
a flammable material at a concentration between its lower and upper explosive
limits in air). Such a cloud can explode under the proper conditions (size and
degree of confinement), resulting in a vapor cloud explosion. If the conditions
required for a vapor cloud explosion are not present, the cloud may still ignite and
burn. In this case, the burning cloud will not generate pressure and an explosion,
but the flash fire is still capable of causing significant damage. The primary hazard
is from direct contact with the flame and from thermal radiation, which normally lasts
only a few tenths of a second. Flash fires are normally modeled by
determining the dimensions of the flammable cloud using vapor dispersion models
and estimating the thermal radiation resulting from combustion of the cloud.
Explosions
Chemical incident consequence analysis may need to consider four types of explo-
sion:
Physical Explosions
Physical explosion models generally estimate the amount of energy which would
be released by the sudden expansion of the material contained in a vessel from its
initial temperature, pressure, and volume to atmospheric pressure. This estimated
energy is then converted to an equivalent amount of TNT. A number of correlations
of explosion pressure as a function of distance from a TNT explosion have been
published, and these can be used to estimate damage. It may also be necessary to
consider the potential impact of the vessel fragments, which result from a vessel
explosion. Empirical models to estimate the number and size of fragments, their
travel distance, and energy are available.
Vapor Cloud Explosions
If ignited, a flammable vapor cloud can burn as a flash fire, or, if the flame speed
accelerates sufficiently, it can produce significant blast pressure from a vapor cloud
explosion. A number of factors have been found to be important in determining
whether a vapor cloud explosion occurs when a flammable vapor cloud is ignited.
These include the following:
• Turbulence in the vapor cloud. This turbulence may arise from the energy from
the release of the fuel itself (from a jet or catastrophic loss of containment) or
from the interaction of the cloud with its surroundings during the combustion
process.
• Partial confinement of the vapor cloud as a result of obstacles, structures, or
other factors, which could cause local partial confinement. The explosive com-
bustion in the locally confined cloud can propagate into the rest of the cloud.
• Mass of the cloud. Experimental studies have demonstrated that there is a mini-
mum mass of flammable material required to transition to a vapor cloud explo-
sion. The CCPS [21] reports studies indicating that this minimum mass is in
the range of 1 to 15 tons for typical hydrocarbons.
• Combustion properties of the fuel. Materials with a high fundamental burning
velocity such as ethylene oxide and ethylene are reported to be more readily
inclined to propagate to a vapor cloud explosion.
Three modeling approaches are commonly used to estimate the blast from a vapor cloud
explosion:
• TNT Equivalency Models. The total energy available from the combustion is
estimated from the mass of fuel in the cloud and the heat of combustion of the
fuel. This combustion energy is then converted to an equivalent mass of TNT
and reduced by an ‘‘explosion efficiency’’ factor, which is empirically esti-
mated. The explosion overpressure and other characteristics can then be esti-
mated as a function of distance from the cloud using readily available experi-
mental data for TNT explosions. TNT equivalency models are empirical, and
the results are strongly dependent on the explosion efficiency, which may not
be known for a particular material or cloud configuration. TNT equivalency
models also do not characterize the vapor cloud explosion well in the area close
to the cloud, where they may predict much higher pressures than typically result
from the combustion of a flammable cloud.
• Multienergy Method. This model is based on the assumption that the blast char-
acteristics of a flammable vapor cloud depend more on the level of congestion
and confinement than on the fuel. The models require dispersion models to
determine the size of the cloud. Then, areas with different confinement and
congestion characteristics are identified and considered to be sources of strong
blasts. The energy from each blast source is estimated, and the potential damage
is estimated from empirically derived correlations.
• Baker–Strehlow Method. This model also considers confinement as the basis
for the size of the flammable vapor cloud. It also considers burning characteris-
tics and reactivity of the fuel, geometry of the confined volume, and the degree
of confinement created by the obstacles in the confined volume. Blast character-
istics are then estimated using a set of correlations and charts.
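The physical explosion paragraph and the TNT equivalency bullet above describe one calculation chain: estimate an energy (from vessel expansion, or from fuel mass, heat of combustion and an explosion efficiency), convert it to an equivalent mass of TNT, scale the distance by the cube root of that mass, and read the overpressure from a published TNT correlation. The Python below is an added example written for this edit; it is not code from the original article or from the CCPS guidelines it cites. The page gives no formulas, so every expression here is an assumption taken from standard literature forms: the Brode expansion energy E = (P1 - P0) V / (gamma - 1), a TNT blast energy of 4686 kJ/kg, and the Kinney-Graham fit for side-on overpressure versus scaled distance. The propane heat of combustion and the 1 to 10% efficiency range in the demonstration are likewise assumed.

```python
import math

P_AMBIENT_PA = 101_325.0         # standard atmosphere (assumed)
TNT_ENERGY_KJ_PER_KG = 4_686.0   # blast energy per kg of TNT (assumed typical value)


def brode_expansion_energy_kj(burst_pressure_pa, vessel_volume_m3, gamma=1.4,
                              ambient_pressure_pa=P_AMBIENT_PA):
    """Energy released when a gas-filled vessel bursts and its contents expand to
    ambient pressure. Brode form E = (P1 - P0) V / (gamma - 1), ideal gas with
    constant gamma (assumed, not from the page). Returns kJ."""
    if burst_pressure_pa <= ambient_pressure_pa:
        raise ValueError("burst pressure must exceed ambient pressure")
    energy_j = (burst_pressure_pa - ambient_pressure_pa) * vessel_volume_m3 / (gamma - 1.0)
    return energy_j / 1000.0


def tnt_equivalent_kg(energy_kj):
    """Mass of TNT that releases the same blast energy."""
    return energy_kj / TNT_ENERGY_KJ_PER_KG


def vce_tnt_equivalent_kg(fuel_mass_kg, heat_of_combustion_kj_per_kg, explosion_efficiency):
    """TNT equivalency for a vapor cloud: W = eta * m * dHc / E_TNT. eta is the
    empirical explosion efficiency the text warns is often not known for a
    particular material or cloud configuration."""
    if not 0.0 < explosion_efficiency <= 1.0:
        raise ValueError("explosion efficiency must lie in (0, 1]")
    return tnt_equivalent_kg(explosion_efficiency * fuel_mass_kg * heat_of_combustion_kj_per_kg)


def scaled_distance(distance_m, tnt_mass_kg):
    """Hopkinson-Cranz scaling: z = r / W^(1/3), in m/kg^(1/3)."""
    return distance_m / tnt_mass_kg ** (1.0 / 3.0)


def overpressure_ratio(z):
    """Peak side-on overpressure divided by ambient pressure as a function of
    scaled distance z (m/kg^(1/3)); Kinney-Graham empirical fit to TNT data
    (assumed correlation; the page only says such correlations are published).
    Per the text, values at small z, close to the cloud, overstate what a
    burning vapor cloud actually produces."""
    numerator = 1616.0 * (1.0 + (z / 4.5) ** 2)
    denominator = (math.sqrt(1.0 + (z / 0.048) ** 2)
                   * math.sqrt(1.0 + (z / 0.32) ** 2)
                   * math.sqrt(1.0 + (z / 1.35) ** 2))
    return numerator / denominator


def overpressure_kpa(distance_m, tnt_mass_kg, ambient_pressure_pa=P_AMBIENT_PA):
    """Peak side-on overpressure (kPa) at a distance from a TNT-equivalent charge."""
    return overpressure_ratio(scaled_distance(distance_m, tnt_mass_kg)) * ambient_pressure_pa / 1000.0


def vce_overpressure_band_kpa(distance_m, fuel_mass_kg, heat_of_combustion_kj_per_kg,
                              efficiency_low, efficiency_high):
    """Overpressure at one distance for the low and high ends of an assumed
    efficiency range; the spread shows how strongly the result depends on eta."""
    w_low = vce_tnt_equivalent_kg(fuel_mass_kg, heat_of_combustion_kj_per_kg, efficiency_low)
    w_high = vce_tnt_equivalent_kg(fuel_mass_kg, heat_of_combustion_kj_per_kg, efficiency_high)
    return overpressure_kpa(distance_m, w_low), overpressure_kpa(distance_m, w_high)


if __name__ == "__main__":
    # Constructed case 1: physical explosion of a 10 m^3 air receiver bursting at 2.0 MPa abs.
    e_kj = brode_expansion_energy_kj(2.0e6, 10.0)
    w = tnt_equivalent_kg(e_kj)
    print(f"vessel burst: {e_kj:.0f} kJ = {w:.1f} kg TNT; "
          f"overpressure at 30 m = {overpressure_kpa(30.0, w):.1f} kPa")
    # Constructed case 2: 10,000 kg propane cloud, dHc ~ 46,300 kJ/kg (assumed), eta 1% to 10%.
    for r in (100.0, 200.0, 500.0):
        lo, hi = vce_overpressure_band_kpa(r, 10_000.0, 46_300.0, 0.01, 0.10)
        print(f"r = {r:5.0f} m: {lo:5.1f} to {hi:5.1f} kPa")
```

The band function is the practical point: because the equivalent TNT mass is linear in the efficiency and the overpressure falls off with scaled distance, a factor of ten uncertainty in eta moves every hazard distance, so a TNT-equivalency result should always be reported with the efficiency that produced it.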
Confined Explosions
BLEVE (Boiling Liquid Expanding Vapor Explosion)
A BLEVE is the rapid release of a large amount of superheated liquid to the atmo-
sphere. It often occurs as a result of weakening of a pressure vessel caused by
direct flame impingement on the vessel above the liquid level. This weakens the
metal vessel and it can fail rapidly and catastrophically. The sudden loss of con-
finement allows the superheated liquid to rapidly flash, increasing its volume sev-
eral hundred times and generating a pressure wave and fragments. If the released
liquid is flammable, it can also ignite, resulting in a fireball. BLEVE models are
based on the expansion energy of the flashing liquid. Blast effects tend to be local,
and the impact of the fireball, which usually accompanies a BLEVE of a flammable
material, is the more important source of damage. BLEVE fireball models empiri-
cally estimate the fireball dimensions based on the quantity of material released.
Thermal radiation characteristics of the fireball are then modeled using a combina-
tion of empirically derived relationships and fundamental models for the geometry
of the fireball with respect to the receptor and atmospheric transmission of the
thermal radiation. The result is an estimate of the radiant energy flux level and
duration at various locations surrounding the BLEVE.
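The pool fire passage earlier in this section and the BLEVE fireball passage above describe the same modeling chain: an empirical source term (burning rate, or fireball size and duration from the released mass), a geometric view factor from the flame to the receptor, and atmospheric transmissivity, combined to give a radiant flux and an exposure duration. The Python below is an added example written for this edit, not code from the original article or from the CCPS guidelines it cites. The page states no formulas, so every correlation and constant here is an assumption chosen from typical literature forms: a fireball diameter of 5.8 M^(1/3) m and duration of 0.45 M^(1/3) s (2.6 M^(1/6) s above 30,000 kg), a fireball center height of 0.75 D, a surface emissive power of 350 kW/m^2, a transmissivity of 2.02 (P_w X)^-0.09, and a point-source pool fire with caller-supplied burning rate and radiative fraction. For a real assessment the values should be taken from the cited references.

```python
import math

FIREBALL_EMISSIVE_POWER_KW_M2 = 350.0   # assumed surface emissive power of a BLEVE fireball


def atmospheric_transmissivity(path_length_m, water_vapor_pressure_pa):
    """Fraction of thermal radiation that survives absorption by atmospheric
    water vapor over the path. Assumed empirical form tau = 2.02 (P_w X)^-0.09,
    P_w in Pa and X in m, clipped to [0, 1]."""
    product = water_vapor_pressure_pa * path_length_m
    if product <= 0.0:
        return 1.0
    return max(0.0, min(1.0, 2.02 * product ** -0.09))


def pool_fire_flux_kw_m2(pool_area_m2, burning_rate_kg_m2_s, heat_of_combustion_kj_kg,
                         radiative_fraction, receptor_distance_m, water_vapor_pressure_pa):
    """Point-source pool fire model: the radiative fraction of the heat release
    rate is spread over a sphere of radius r and attenuated by the atmosphere.
    Burning rate and radiative fraction are the empirical inputs the text refers
    to; here the caller supplies them."""
    heat_release_kw = burning_rate_kg_m2_s * pool_area_m2 * heat_of_combustion_kj_kg
    radiated_kw = radiative_fraction * heat_release_kw
    tau = atmospheric_transmissivity(receptor_distance_m, water_vapor_pressure_pa)
    return tau * radiated_kw / (4.0 * math.pi * receptor_distance_m ** 2)


def fireball_diameter_m(mass_kg):
    """Maximum fireball diameter from the mass released (assumed D = 5.8 M^(1/3))."""
    return 5.8 * mass_kg ** (1.0 / 3.0)


def fireball_duration_s(mass_kg):
    """Fireball duration (assumed correlation; exponent changes at 30,000 kg)."""
    if mass_kg < 30_000.0:
        return 0.45 * mass_kg ** (1.0 / 3.0)
    return 2.6 * mass_kg ** (1.0 / 6.0)


def sphere_view_factor(diameter_m, center_distance_m):
    """View factor from a spherical fireball to a small receptor surface facing
    the fireball center: (R/L)^2, the maximum orientation."""
    radius = diameter_m / 2.0
    if center_distance_m <= radius:
        return 1.0   # receptor engulfed by the fireball
    return (radius / center_distance_m) ** 2


def fireball_flux_kw_m2(mass_kg, ground_distance_m, water_vapor_pressure_pa,
                        emissive_power_kw_m2=FIREBALL_EMISSIVE_POWER_KW_M2):
    """Solid-flame BLEVE fireball model: flux = E * F * tau, with the fireball
    center assumed to sit 0.75 D above the release point."""
    diameter = fireball_diameter_m(mass_kg)
    center_distance = math.hypot(ground_distance_m, 0.75 * diameter)
    path_length = max(center_distance - diameter / 2.0, 0.0)
    view_factor = sphere_view_factor(diameter, center_distance)
    tau = atmospheric_transmissivity(path_length, water_vapor_pressure_pa)
    return emissive_power_kw_m2 * view_factor * tau


def thermal_dose(flux_kw_m2, exposure_s):
    """Thermal dose, (kW/m^2)^(4/3) s: the exposure measure that burn effect
    models consume; the fireball model supplies the duration."""
    return flux_kw_m2 ** (4.0 / 3.0) * exposure_s


def fireball_profile(mass_kg, distances_m, water_vapor_pressure_pa):
    """(distance, flux, thermal dose) at each receptor distance for one BLEVE."""
    duration = fireball_duration_s(mass_kg)
    profile = []
    for d in distances_m:
        flux = fireball_flux_kw_m2(mass_kg, d, water_vapor_pressure_pa)
        profile.append((d, flux, thermal_dose(flux, duration)))
    return profile


if __name__ == "__main__":
    # Constructed scenario: 1000 kg of flammable liquid in a BLEVE, water vapor
    # partial pressure 2000 Pa (humid day); distances are illustrative.
    for d, q, dose in fireball_profile(1000.0, [50.0, 100.0, 200.0], 2000.0):
        print(f"{d:6.0f} m  flux {q:6.1f} kW/m^2  dose {dose:8.0f}")
    # Constructed pool fire: 50 m^2 gasoline pool, burning rate 0.055 kg/m^2 s,
    # dHc 43,700 kJ/kg, radiative fraction 0.3 (all assumed), receptor at 50 m.
    print(f"pool fire at 50 m: {pool_fire_flux_kw_m2(50.0, 0.055, 43_700.0, 0.3, 50.0, 2000.0):.2f} kW/m^2")
```

Reporting the thermal dose alongside the flux is what lets the fire models feed the effect models discussed below: a fireball delivers a high flux for only a few seconds, while a pool fire delivers a lower flux for as long as the pool burns, and the two cannot be compared on flux alone.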
Effect Models
The result of the application of the models discussed in this section so far is an
estimate of some type of physical parameter at various locations surrounding a
chemical release: a concentration of toxic gas in the atmosphere, the amount of
radiant energy at a specific location from a fire, and the peak pressure and impulse
duration from an explosion. Effect models estimate the damage, which results from
these physical effects. There are a wide range of possible effect models correspond-
ing to the wide range of potential damage to people, the environment, and property,
which can result from exposure to toxic materials, fires, and explosions.
The CCPS [22] provides a summary of effect models commonly used to esti-
mate the impact of toxic vapors, fires, and explosions on people. These models
are generally empirical and are based on experimental data and evaluation of the
consequences of past incidents. Models are available to estimate the impact of a
hazardous agent using the dose-response relationship (e.g., relating probability of
fatality to concentration and duration of exposure by inhalation of a toxic gas,
relating severity of burns to intensity and duration of exposure to thermal radiation,
or estimating damage to structures based on peak overpressure and duration).
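The dose-response relationship mentioned above is usually expressed as a probit: a probit value Y is computed from the exposure (for inhalation, Y = a + b ln of the integral of C^n dt) and converted to a probability through the standard normal distribution. The Python below is an added example for this edit, not code from the original article or from the CCPS consequence analysis guidelines it cites. The probit form and the Y - 5 convention are the standard ones; the coefficients a, b and n used in the demonstration are hypothetical, since real values are substance-specific and must come from the literature, and the concentration history of the passing cloud is constructed.

```python
import math
from statistics import NormalDist

_STD_NORMAL = NormalDist()


def probit_to_probability(y):
    """Probability for probit Y: P = Phi(Y - 5), Phi the standard normal CDF."""
    return _STD_NORMAL.cdf(y - 5.0)


def probability_to_probit(p):
    """Inverse of probit_to_probability, for 0 < P < 1."""
    if not 0.0 < p < 1.0:
        raise ValueError("probability must lie strictly between 0 and 1")
    return 5.0 + _STD_NORMAL.inv_cdf(p)


def toxic_load(times_s, concentrations_ppm, n):
    """Integral of C^n dt over a concentration-time history (trapezoidal rule),
    so a passing cloud whose concentration rises and falls is handled, not only
    a constant exposure. Units: ppm^n s."""
    if len(times_s) != len(concentrations_ppm) or len(times_s) < 2:
        raise ValueError("need at least two (time, concentration) samples")
    load = 0.0
    for i in range(1, len(times_s)):
        dt = times_s[i] - times_s[i - 1]
        if dt < 0.0:
            raise ValueError("times must be non-decreasing")
        load += 0.5 * (concentrations_ppm[i - 1] ** n + concentrations_ppm[i] ** n) * dt
    return load


def inhalation_fatality_probability(times_s, concentrations_ppm, a, b, n):
    """Probit dose-response for inhalation: Y = a + b ln(integral C^n dt).
    a, b, n are substance-specific coefficients (hypothetical in this example)."""
    load = toxic_load(times_s, concentrations_ppm, n)
    if load <= 0.0:
        return 0.0
    return probit_to_probability(a + b * math.log(load))


def concentration_for_probability(p, exposure_s, a, b, n):
    """Constant concentration (ppm) giving fatality probability p over a fixed
    exposure time: the inverse problem used when drawing hazard contours from
    the dispersion model's concentration field."""
    y = probability_to_probit(p)
    load = math.exp((y - a) / b)
    return (load / exposure_s) ** (1.0 / n)


def cloud_passage(peak_ppm, arrival_s, duration_s, samples=13):
    """Constructed triangular concentration history for a cloud passing a
    receptor: zero at arrival, peak at mid-passage, zero at the end."""
    times = [arrival_s + duration_s * i / (samples - 1) for i in range(samples)]
    half = duration_s / 2.0
    concs = [peak_ppm * (1.0 - abs(t - arrival_s - half) / half) for t in times]
    return times, concs


if __name__ == "__main__":
    A, B, N = -10.0, 1.0, 2.0   # hypothetical probit coefficients, illustration only
    for peak in (50.0, 100.0, 200.0):
        t, c = cloud_passage(peak, arrival_s=120.0, duration_s=600.0)
        p = inhalation_fatality_probability(t, c, A, B, N)
        print(f"peak {peak:5.0f} ppm over 600 s: P(fatality) = {p:.3f}")
    print(f"constant concentration for P = 0.5 over 600 s: "
          f"{concentration_for_probability(0.5, 600.0, A, B, N):.1f} ppm")
```

The same structure applies to the other effect models the text lists: the thermal-radiation probit takes a dose built from flux and duration, and the structural-damage probit takes peak overpressure and impulse, with only the exposure measure and the coefficients changing.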
Risk Assessment
Before carrying out a risk assessment, we have to identify the hazards (i.e., the
substances, objects, or situations that can give rise to injury or damage) using one
of the methods described earlier. (A risk, in contrast, is the probability that injury
or damage will occur.) There are then three questions to answer:
Whenever possible, the answer to the first question should be based on experi-
ence, but often there is no experience, as the equipment is new or failure has never
occurred. We then estimate a failure rate for the equipment as a whole, based on the
known failure rates of its components, as described earlier. Similarly, the answer to
the second question should be based on experience whenever possible but can be
estimated as by one of the methods described earlier. The answer to the third
question depends on the nature of the consequences. If damage is possible but
injury is not, then the average cost of the damage (including consequential loss)
is compared with the cost of prevention.
If injury is possible, then the QRA approach is to set a target or criterion,
usually based on the risk to life. Risks above a certain level should be removed
or reduced as a matter of priority. Those below this level can be left alone, at least
for the time being. Thus, QRA is a method for determining priorities. In a later
development, there are two levels of risk. Risks above an upper level are considered
intolerable; if they cannot be reduced, the plant should not be built (or should not
be operated if it is already built). The risk considered tolerable for members of
the public is much lower than that considered tolerable for employees. Risks below
a much lower level are considered acceptable and need not be reduced. In between
the two levels, we reduce the risks if we can, but we tolerate them if it is impractica-
ble or very expensive to do so. The pressure to reduce them is great if the risk is
near the intolerable level and reduces as we approach the acceptable level.
The extent to which this approach is used and the risk levels are made explicit
differs from country to country. The United Kingdom has long accepted the princi-
ple that we should compare the size of a risk with the cost, in money, time, and
trouble, of removing it (although the ability to pay is not a deciding factor). If
there is a gross disproportion between them, the risk being insignificant in relation
to the cost, the risk can be tolerated. QRA was therefore accepted readily and the
regulatory authority has suggested figures for the tolerable and acceptable risk
levels. Other governments have been reluctant to admit that even trivial and infre-
quent risks should be tolerated and this has hindered the use of QRA.
The actual risk levels suggested for the United Kingdom are as follows. They
are similar to those used by many organizations elsewhere.
The maximum tolerable risk to employees seems rather high, but this risk is, in
fact, tolerated in some industries.
For comparison, the annual risk of death from all causes is about 10⁻⁴ for
someone aged 20 years and about 10⁻³ for someone aged 60 years.
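The three questions and the two-level criterion described above amount to a small decision procedure: estimate how often the event occurs and how likely it is to kill an exposed person, compare the resulting individual risk with an upper (intolerable) and a lower (acceptable) level, treat the band between them as a priority scale, and for damage-only hazards compare the expected annual loss with the cost of prevention. The Python below is an added example for this edit, not code from the original article. The threshold values in the demonstration are illustrative placeholders: the page refers to figures suggested by the United Kingdom regulator but does not reproduce them, and these numbers are not those figures. The hazards and their frequencies are constructed.

```python
import math


def individual_risk_per_year(event_frequency_per_year, probability_of_fatality_given_event,
                             fraction_of_year_exposed=1.0):
    """Annual risk of death to one person: how often the event occurs, times the
    chance it kills someone who is present, times the fraction of the year that
    person is present. Each factor comes from experience or from the estimation
    methods the text refers to."""
    for value in (event_frequency_per_year, probability_of_fatality_given_event,
                  fraction_of_year_exposed):
        if value < 0.0:
            raise ValueError("inputs must be non-negative")
    return event_frequency_per_year * probability_of_fatality_given_event * fraction_of_year_exposed


def classify_risk(risk_per_year, intolerable_level, acceptable_level):
    """Two-level criterion: at or above the upper level the risk is intolerable,
    at or below the lower level it is acceptable, in between it should be reduced
    if practicable."""
    if acceptable_level >= intolerable_level:
        raise ValueError("acceptable level must be below intolerable level")
    if risk_per_year >= intolerable_level:
        return "intolerable"
    if risk_per_year <= acceptable_level:
        return "acceptable"
    return "reduce if practicable"


def reduction_pressure(risk_per_year, intolerable_level, acceptable_level):
    """Position of a risk within the middle band on a logarithmic scale: 1.0 at
    the intolerable level, 0.0 at the acceptable level. Risks span orders of
    magnitude, so a log scale reflects how much reduction is being asked for."""
    if risk_per_year <= 0.0:
        return 0.0
    span = math.log10(intolerable_level) - math.log10(acceptable_level)
    position = (math.log10(risk_per_year) - math.log10(acceptable_level)) / span
    return min(1.0, max(0.0, position))


def damage_only_decision(event_frequency_per_year, damage_cost, annual_prevention_cost):
    """Hazards that can cause damage but not injury: compare the expected annual
    loss (damage cost, including consequential loss, times frequency) with the
    annualized cost of prevention."""
    expected_annual_loss = event_frequency_per_year * damage_cost
    return "prevent" if expected_annual_loss >= annual_prevention_cost else "tolerate"


def prioritize(hazards, acceptable_level):
    """Rank injury hazards for attention by pressure to reduce. Each hazard is a
    (name, risk_per_year, intolerable_level) triple, because the tolerable level
    for members of the public is lower than that for employees."""
    return sorted(hazards,
                  key=lambda h: reduction_pressure(h[1], h[2], acceptable_level),
                  reverse=True)


if __name__ == "__main__":
    # Illustrative thresholds only; not the published UK figures the page refers to.
    UPPER_EMPLOYEE, UPPER_PUBLIC, LOWER = 1e-3, 1e-4, 1e-6
    hazards = [   # constructed examples
        ("reactor overpressure", individual_risk_per_year(1e-3, 0.5, 0.25), UPPER_EMPLOYEE),
        ("tank fire", individual_risk_per_year(2e-4, 0.1, 0.25), UPPER_EMPLOYEE),
        ("toxic release, public", individual_risk_per_year(5e-5, 0.3), UPPER_PUBLIC),
    ]
    for name, risk, upper in prioritize(hazards, LOWER):
        print(f"{name:24s} {risk:9.2e}/yr  {classify_risk(risk, upper, LOWER):22s} "
              f"pressure {reduction_pressure(risk, upper, LOWER):.2f}")
    print("pump seal leak (damage only):", damage_only_decision(0.1, 50_000.0, 8_000.0))
```

The ordering matters more than the absolute numbers: QRA, as the text says, is a method for determining priorities, and the public-exposure hazard rises up the list even though its raw risk is lower, because it is judged against the lower public threshold.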
Public Attitudes
Quantitative risk assessment is difficult to explain to the public. They pick on the
fact that a number of people could be killed in an industrial accident but ignore
the fact that the probability that this will occur is extremely low. The death of 10
people once in 10 years is given far more publicity than the death of 1 person per
year for 10 years. As a result, public pressure often compels industry and govern-
ment to reduce risks which are already low but which the public perceives as high.
At its best, this is democracy in action; at its worst, it is giving the most to those
that shout the loudest.
The public tends to oppose risks with the following traits:
When the public cannot judge the message, they judge the messenger. Unfortu-
nately, most of these concerns make the man in the street oppose the chemical
industry: The risks are imposed, not under his control, man-made, unfamiliar, and
dreaded; past experience has been unpleasant; the industry does not obviously
benefit him; and the spokesmen for the industry are often outsiders. There is no
easy way of countering this perception. We try to explain the benefits of the indus-
try and the low levels of risk, but we cannot say that accidents will never happen.
Incident Investigation
The purpose of incident investigation is to find out why the incident occurred so
that we can prevent it from happening again. The purpose is not to find out who
should be blamed. Many people have an opportunity to prevent almost every inci-
dent. Figure 5 shows by example the opportunities that are available to prevent a
fire or minimize the consequences of an apparently simple incident: An expansion
joint (bellows) was incorrectly installed in a pipeline so that it was distorted. After
some months, it leaked and a passing vehicle ignited the escaping vapor. Damage
FIG. 5 An example of an accident chain. An expansion joint (bellows) was incorrectly installed so
that it was distorted. After some months, it leaked and the escaping vapor was ignited by a
passing vehicle. Damage was extensive, as the surrounding equipment had not been fire-
protected to save the cost. Many people in various functions could have prevented the incident
or minimized the consequences.
was extensive, as the surrounding equipment had not been fire-protected to save
the cost.
Many people could have prevented the fire, not just the fitter who installed the
expansion joint incorrectly. The fire could have been prevented by better detailed
design (not using expansion joints for hazardous materials), by better design meth-
ods (using HAZOP, consulting experts, better design standards, better training of
designers), by better training of the fitter, by better inspection of workmanship,
by keeping eyes open on plant visits, and by not tolerating poor workmanship in
the past.
We should investigate all incidents, including those, which, by good fortune,
caused no injury or damage, but might easily have done so. Next time, they may.
Readers of incident reports should look out for what is not said. For example, writers of accident reports
are naturally reluctant to draw attention to similar incidents that had occurred else-
where and, if they had been followed up, could have prevented the accident.
Many companies restrict the circulation of incident reports, but this will not prevent
the incident from happening again. We should circulate the essential messages
throughout the company. There is no need to say where the incident occurred.
Remember that incident reports grab people’s attention and are read, whereas ad-
vice and instruction are put aside to be read when we have time (if we ever do).
Having paid the high price of an accident, we can recover some of the cost by
turning it into a learning experience.
Circulate reports containing new or forgotten information throughout the indus-
try, so that others can learn from them. There are several reasons for doing so.
Incident reports are written, acted on, and then filed and forgotten. After a few
years, people forget the reasons for the changes that were made. Procedures lapse
or the equipment falls out of use and the incident happens again, even in the plant
where it happened before. To prevent this from happening we should do the fol-
lowing:
• Include in every instruction, code, and standard a note on the reasons for it and
accounts of accidents that would not have occurred if the instruction, code, or
standard had been followed.
• Never remove equipment before you know why it was installed. Never abandon
a procedure before you know why it was adopted.
• Describe prior accidents as well as recent ones in safety bulletins and discuss
them at safety meetings. Giving the message once is not enough.
• Follow up at regular intervals to see that the recommendations made after acci-
dents are being followed, in design as well as operations.
• Remember that the first step down the road to an accident occurs when someone
turns a blind eye to a missing blind.
• Include important accidents of the past in the training of undergraduates and
company employees.
• Keep in every control room a folder of reports on past accidents. It should be
read by all new arrivals and others should browse it during quiet shifts.
• Devise better retrieval systems so that we can find, more easily than at present,
details of past accidents in our own and other companies and the recommenda-
tions made afterward.
The first step in the management of safety, after the hazards have been identified
(see the section Hazard Identification and Hazard Evaluation), is to see if they can
be removed. Only when we cannot do so, should we look for ways of keeping
them under control or mitigating their consequences. When we remove a hazard,
the safety is inherent in the design and cannot be lost. When we control a hazard,
the protective equipment may fail, or be neglected, or the safety procedures may
lapse.
Note that we refer to inherently safer, not safe, design as we can rarely, if ever,
remove every hazard. The principal routes to inherently safer design are as follows:
• Simplicity: Simpler plants are safer than complex plants, as they provide fewer
opportunities for error and contain less equipment to develop faults. They are
usually also cheaper.
Defense in Depth
Human Factors
Engineers are interested in equipment, its failures, and ways of preventing them,
and are often less interested in people. However, all systems involve both equipment
and people. Engineers, whether they are designers, supervisors, or managers, should
therefore understand the way people interact with equipment and why they sometimes
fail to act in the way we instruct them or expect them to act.
• Some errors, usually called mistakes, occur because people do not know what
to do. The intention was wrong. Employers should provide adequate training
and instructions and should not write the sort of instructions that are designed
to protect the writer rather than help the reader. However, for many instructions
we write, problems will arise that are not covered by them and so people, partic-
ularly operators, should be trained in flexibility (i.e., the ability to diagnose and
handle unforeseen situations). If instructions are not being followed, are they
too complex? Can the job be simplified?
• Some errors, usually called violations or noncompliances, occur because some-
one knows what to do but makes a deliberate decision not to do it. Some viola-
tions occur because all people carrying out routine tasks tend to cut corners
after a while. Many more occur because people think they know a better way
of doing the job. Note that if the instructions are wrong, noncompliance may
achieve the intention. There is a fine line between showing initiative and break-
ing the rules.
• Explain the reasons for the instructions. We do not live in a society in which
people will simply do as they are told. They want to know the reason why.
• If possible, simplify the job. If the correct method is difficult, an incorrect
method will be used.
• Carry out checks from time to time to see that instructions are being followed
and do not turn a blind eye if they are not.
• Some errors (mismatches) occur because the job is beyond the physical or men-
tal ability of the person asked to do it, sometimes beyond anyone’s ability. For
example, errors occur if people are overloaded, or underloaded, or asked to
break well-established habits. We should change the plant design or method of
working.
• The fourth category is the commonest—a momentary slip or lapse of attention.
People know what to do, intend to do it, and are able to do it, but it slips their
mind. Compared with mistakes, the intention is correct but is not fulfilled. They
happen to everyone from time to time and cannot be prevented by telling people
to be more careful or by telling them to keep their minds on the job. All we
can do is to change the plant design or method of working so as to remove
opportunities for error (or minimize the consequences or provide opportunities
for recovery). We should, whenever possible, design inherently safer plants
which can withstand errors (and equipment failures) without serious effects on
safety (and output and efficiency).
Managers and designers as well as operators make errors, but because they
usually have time to check their work, slip and lapses of attention are infrequent.
Most of their errors are mistakes or violations.
Management Systems
Some management systems have been discussed in earlier sections on risk assess-
ment, hazard identification, and accident investigation. The following are also im-
portant:
looks right. What does not look right is often wrong and should always be
checked.
Testing and inspection of equipment: All protective equipment is liable to fail and
should be tested or inspected at regular intervals. When active equipment such
as relief valves and interlocks fails, the failure is usually hidden and regular
testing is necessary. If passive equipment such as fire insulation is missing,
this is visible, but, nevertheless, it should be checked regularly. If 10% of the
fire insulation on a vessel is missing, the rest is useless. The following equip-
ment is often overlooked but should be tested or inspected regularly:
• Drain holes in relief valve tailpipes. If they choke, rainwater will accumulate
in the tailpipe.
• Drain valves in tank bunds. If they are left open, the bund is useless.
• Emergency equipment such as diesel-driven firewater pumps and genera-
tors.
• Earth connections, especially the moveable ones used for earthing road
tankers.
• Fire and smoke detectors and fire-fighting equipment.
• Flame arrestors.
• Hired equipment. Who will test it, the owner or the hirer?
• Labels are a sort of protective equipment. They vanish with remarkable
speed and regular checks should be made to make sure that they are still
there.
• Mechanical protective equipment such as overspeed trips.
• Nitrogen blanketing (on tanks, stacks and centrifuges).
• Nonreturn valves and other backflow prevention devices, if their failure can
affect the safety of the plant.
• Open vents. These are the simplest possible sort of relief device and should
be treated as relief valves.
• Spare pumps, especially those fitted with auto-starts.
• Steam traps.
• Trace heating (steam or electrical).
• Valves, remotely operated and hand-operated, which have to be used in an
emergency.
• Ventilation equipment.
• Water sprays and steam curtains.
All protective equipment should be designed so that it can be tested or inspected.
Test results should be displayed for all to see, for example, on a board in the
control room.
Remembering the past: A most important system, discussed in the subsection Re-
membering the Message, is one to ensure that the lessons learned from past
accidents, in our own and other companies, are not forgotten and that the infor-
mation can readily be retrieved.
All systems are subject to a form of corrosion more rapid than that which
affects the steelwork and can vanish without trace once managers lose interest.
Continuous monitoring is necessary to make sure that systems continue in use.
Limitations of systems: Some managers seem to believe that good safety manage-
ment systems will ensure a safe plant. All the systems can do, however, is
ensure that people’s knowledge and experience are applied systematically. If
the staff lack knowledge and experience, then the systems are empty shells.
People will go through the motions, but the output will be poor. Without a
system, people will not achieve their full potential. Without knowledge and
experience, systems will achieve nothing. This is a particular danger at times
when companies are reducing manpower and experienced people are leaving.
Senior managers should systematically assess the levels of knowledge and ex-
perience needed and ensure that they are maintained.
Audits
• Those who work in a plant do not notice the hazards they see everyday.
• Auditors may have specialized knowledge and thus see hazards not apparent
to others.
• Auditors have more time for investigation in depth than those who work regu-
larly on a plant.
Safety auditing should not be a police activity; it is intended to help the local
management, who may miss hazards through familiarity, ignorance, or lack of
time.
Auditors should pay particular attention to the following:
• The quality of the training and instructions and the knowledge and experience
of employees.
• The procedures for preparing equipment for maintenance, controlling modifica-
tions, and testing protective equipment and whether or not these procedures are
actually followed.
• Procedures for investigating accidents, passing on the lessons learned, and en-
suring that they are not forgotten.
• Process hazards as well as mechanical ones.
Auditors (and managers) should visit the plant at night and at weekends, not just
during the day.
• An index based on audit results. Unlike many other measures of safety, this
one tries to detect falling standards before an accident occurs.
• A monthly summary of the cost of incidents.
• An annual report of the progress made in reducing inventories of hazardous
substances.
• The number of faulty permits-to-work found by routine inspection.
• The number of faulty protective systems found by routine testing.
Mitigation
• Inherent safety: These include inventory reduction (i.e., less chemicals stored
or less in process vessels), substitution of a less hazardous chemical for one
more hazardous, and use of lower temperatures and pressures.
• Engineering design: Examples are use of better seals or materials of construc-
tion, ensuring proper operating conditions and material purity, and installing
dikes and spill vessels.
• Management: Examples include consistent operating policies and procedures,
training for vapor release prevention and control, audits and inspections, equip-
ment testing, maintenance program, management of modification and changes
to prevent new hazards, and general plant security.
Response
Technology Advances
Recent research on relief valve sizing and overpressure protection alternatives has
focused on the development of validated engineering design procedures for the
proper sizing of safety relief valves for systems that involve two-phase flows
of viscous fluids. Systems being considered include single-phase viscous liquid
and gas flows, "frozen" (e.g., air–liquid) two-phase flows of gases and viscous
liquids, and flashing flows of viscous and nonviscous liquids.
Reactive Chemistry
In the reactive chemistry arena, calorimeters are used increasingly to study the
thermal behavior of reactive systems. One such calorimeter is the Reactive Systems
Screening Tool (RSST), designed for rapid measurement of the thermal behavior of
small samples (10 cm³) at temperatures up to 400°C and pressures up to 500 psia.
Another apparatus is the Automatic Pressure Tracking Adiabatic Calorimeter (APTAC),
for detailed analysis of the thermal behavior of larger samples (up to ~130 cm³) at
temperatures up to 450°C and pressures up to 2000 psia. In this calorimeter, the
closed-cell sample pressure is continuously matched by an external nitrogen pressure,
so that sample cells of low mass, and therefore low thermal inertia, can be used for
highly sensitive measurements of sample thermal behavior. Other advanced features of
the APTAC include in situ addition of reactants or catalysts to the sample cell with
a high-pressure syringe pump.
skin diseases, violence in the workplace, employee stress, and back injuries) as
well as categories of workers and prevention strategies for mine workers, farm
workers, and adolescents. In addition, surveillance efforts will assist the develop-
ment of comprehensive databases, thereby helping to establish baseline and trend
information in the occupational safety and health area.
Future Developments
The process safety requirements for chemical plants will become increasingly
stringent. In addition, the pressure to operate safely for the sake of competitiveness
and profitability will keep increasing. Finally, the public outcry for improved safety
performance also creates significant pressure on the industry. In fact, future process
safety performance will quite likely be dictated by national goal setting. This would
require establishing a baseline assessment of the status of process safety incidents.
Given a baseline assessment, National Chemical Safety Goals can be established, together
with identification of the activities necessary to accomplish the goals and development
of a measurement system to track progress toward them.
Regulatory programs and industrial standards and practices in the United States
have quite often been reactive (i.e., in response to catastrophic accidents or other
events). The pros and cons of establishing national process safety goals and evalua-
tion approaches include the following:
The industrial revolution brought prosperity and, along with it, the use of hazardous
processes and complex technologies. Growing economies and global competition
have led to more complex processes involving the use of hazardous chemicals, ex-
otic chemistry, and extreme operating conditions. As a result, a fundamental under-
standing of the hazards and associated risks is essential. Process safety and risk
management requires the application of the basic sciences and a systematic ap-
proach. Recent advances, such as overpressure protection alternatives and reactive
chemistry, allow safer design and operation of processes.
In the multiple-barriers concept, plants are designed with several layers, so that
an accident would require the failure of several systems. Another novel approach to
References
1. M. Connors, ‘‘The Battle for Industrial Safety,’’ Fortune, 116[C-P] (August 4, 1997).
2. D. A. Crowl and J. F. Louvar, Chemical Process Safety: Fundamentals with Applica-
tions, Prentice-Hall, Englewood Cliffs, NJ, 1990.
3. Center for Chemical Process Safety, Guidelines for Safe Automation of Chemical Pro-
cesses, American Institute of Chemical Engineers, New York, 1993.
4. American Petroleum Institute, Recommended Practice 750: Management of Process
Hazards, API, Washington, DC, 1990.
5. ‘‘Notice of Proposed Rule Making on Process Safety Management of Highly Hazard-
ous Chemicals’’: 29 CFR 1910.119, Federal Register, Washington, DC, July 17, 1990.
6. Chemical Manufacturers Association, Resource Guide for Implementing the Process
Safety Management Code of Practices, Chemical Manufacturers Association, Wash-
ington, DC, 1990.
7. ‘‘Final Rule on Process Safety Management of Highly Hazardous Chemicals’’: 29
CFR 1910.119, Federal Register, Washington, DC, February 24, 1992.
8. Norwegian Petroleum Directorate, ‘‘Safety Evaluation of Platform Conceptual De-
sign,’’ Stavanger, Norway, 1981.
9. European Community Directive, ‘‘On the Major Accident Hazards of Certain Indus-
trial Activities,’’ 82/501/E, J. Eur. Community, L230 (June 1982).
10. Offshore Installation (Safety Case) Regulation 1992, Health and Safety Executive,
London, UK, 1992.
11. ‘‘Techniques for Assessing Industrial Hazards,’’ World Bank Technical Paper #55,
Washington, DC, 1988.
12. Major Hazard Control, a Practical Manual, International Labour Office, Geneva,
1988.
13. Center for Chemical Process Safety, Guidelines for Chemical Process Quantitative Risk Analysis, American Institute of Chemical Engineers, New York, 1989.
14. R. J. Lewis (ed.), Sax's Dangerous Properties of Industrial Materials, 9th ed., John Wiley & Sons, New York, 1996.
15. P. G. Urben (ed.), Bretherick's Handbook of Reactive Chemical Hazards, 5th ed., Butterworth-Heinemann, Boston, 1995.
16. Dow Chemical Company, Dow's Fire and Explosion Index Hazard Classification Guide, 7th ed., American Institute of Chemical Engineers, New York, 1994.
17. Dow Chemical Company, Dow's Chemical Exposure Index Guide, American Institute of Chemical Engineers, New York, 1994.
18. Center for Chemical Process Safety (CCPS), Guidelines for Hazard Evaluation Procedures, 2nd ed., with Worked Examples, American Institute of Chemical Engineers, New York, 1992.
19. G. Wells, Hazard Identification and Risk Assessment, Institution of Chemical Engineers, Rugby, Warwickshire, UK, 1996.
20. Center for Chemical Process Safety (CCPS), Guidelines for Use of Vapor Cloud Dispersion Models, 2nd ed., American Institute of Chemical Engineers, New York, 1996.
21. Center for Chemical Process Safety (CCPS), Guidelines for Evaluating the Characteristics of Vapor Cloud Explosions, Flash Fires, and BLEVES, American Institute of Chemical Engineers, New York, 1994.
22. Center for Chemical Process Safety (CCPS), Guidelines for Consequence Analysis of Chemical Releases, American Institute of Chemical Engineers, New York, 1999.
23. G. E. DeVaull, J. A. King, R. J. Lantzy, and D. J. Fontaine, Understanding Atmospheric Dispersion of Accidental Releases, American Institute of Chemical Engineers, New York, 1995.
24. The Netherlands Organization for Applied Scientific Research (TNO), Methods for the Calculation of Physical Effects, Part 1 and 2 CPR-14, 3rd ed., SdU Uitgevers, The Hague, 1997.
25. F. P. Lees, Loss Prevention in the Process Industries, 2nd ed., Butterworth-Heinemann, Boston, 1996.
26. H. G. Fisher, H. S. Forrest, S. S. Grossel, J. E. Huff, A. R. Muller, J. A. Noronha, D. A. Shaw, and B. J. Tilley, Emergency Relief System Design Using DIERS Technology, American Institute of Chemical Engineers, New York, 1992.
27. M. Mannan, D. B. Pfenning, and C. D. Zinn, "Sour Gas Pipeline—1: Risk-Analysis Procedures Ensure System Safety," Oil Gas J., 83–87 (June 3, 1991).
28. M. Mannan, D. B. Pfenning, and C. D. Zinn, "Sour Gas Pipeline—Conclusion: Line, Weather Conditions Among Variables to Determine Public Risk," Oil Gas J., 34–35 (June 10, 1991).
29. Center for Chemical Process Safety (CCPS), Guidelines for Vapor Release Mitigation, American Institute of Chemical Engineers, New York, 1988.
30. A. E. Summers, "Techniques for Assigning a Target Safety Integrity Level," ISA Trans., 37, 95–104 (1998).
31. IEC 61508, 65A/255/CDV, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems, Parts 1, 3, 4, and 5," International Electrotechnical Commission, Final Standard, December 1998.
32. IEC 61508, 65A/255/CDV, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems, Parts 2, 6, and 7," International Electrotechnical Commission, Final Draft International Standard, January 1999.
33. "Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Techniques, Part 1: Introduction," TR84.0.02, Draft, Version 4, March 1998.
34. ‘‘Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Tech-