
Process Safety and Risk Management 49

Fundamentals of Process Safety and Risk Management

Introduction

The growth of industry and, as a result, of the economy depends on technological advances and innovations. However, these same activities often lead to more complex processes, especially in the chemical industry, which uses comparatively severe operating conditions (temperature, pressure, flow rate, etc.), more reactive chemicals, and exotic chemistry. These more complex processes require in-depth analysis and knowledge of process chemistry and hazards. It is even more important now to design the process and equipment to precise standards based on a complete understanding of the underlying hazards, process chemistry, and the impact of operating conditions. Recently, much attention has been paid to human factors and their impact on chemical plant incidents. However, one can also say that process knowledge and understanding is the most human factor. This is based on the concept that inadequate knowledge, information, and understanding of the process hazards, chemistry, and impact of operating conditions are the root cause of many process plant incidents.
Managing safety is no easy task, but it makes bottom-line sense. There is a direct payoff in savings on a company's workers' compensation insurance, whose premiums are partly based on the number of claims paid for job injuries [1]. The indirect benefits are far larger, for safe plants tend to be well run in general and more productive. The recipe for safety is remarkably consistent from industry to industry. It starts with sustained support of top management, followed by implementation of appropriate programs and practices that institutionalize safety as a culture rather than as add-on procedures. The ingraining of safety as second nature in day-to-day activities requires a paradigm shift and can only be accomplished when safety is viewed as an integral and comprehensive part of any activity rather than as a stand-alone or add-on activity.

Accident Process and Multiple Barrier Concept

Most chemical plant accidents follow a typical pattern. It is important to study these patterns in order to be able to develop management systems to prevent these accidents. Also, many accidents occur as a result of the failure of multiple systems or "barriers." In fact, it can be argued that many of these accidents may not have occurred had at least one of the "barriers" not failed. Thus, it is important to study the concept of multiple barriers and its role in preventing process plant accidents.

The Accident Process

Most chemical accidents follow a three-step process, as described by Crowl and Louvar [2]:

• Initiation: the event which starts the accident process
• Propagation: the event, series of events, or condition which allows the accident process to continue, or which expands the magnitude of the accident
• Termination: the event or events which stop the accident

The following is an example of the process:

• A seal on a sulfuric acid pump leaked, requiring replacement (initiating event).
• The pump was drained and washed, but some time passed before maintenance began (propagating event).
• An isolation valve between the pump and the sulfuric acid supply was leaking (propagating event).
• The mechanic wore most of the required personal protective equipment, but failed to wear rubber boots (propagating event).
• When the mechanic began to work on the pump, he was splashed on the foot when a small amount of sulfuric acid was released, resulting in an acid burn (terminating event—all of the acid in the pump was released).

To prevent accidents, we must modify this accident process. This can be done by eliminating or reducing the likelihood of initiating events or propagating events, reducing the ability of propagating events to increase the magnitude of the accident, or by providing terminating events to interrupt the accident sequence before unacceptable consequences can occur. For the example described, some corrective actions might include the following:

• Using a pump with an improved design, which would require less frequent seal repair (reducing the likelihood of the initiating event)
• Providing a double block between the sulfuric acid supply and the pump, and improving procedures and training to ensure timely washing of equipment and use of protective equipment (reducing the likelihood of propagating events)
• Training the mechanic to assume the pump contains sulfuric acid and to drain it to a safe place before he begins his work (providing a safe terminating event by safely removing the acid)

Multiple Barrier Concept (Layers of Protection)

Chemical processes traditionally rely on multiple layers of protection, or barriers, between a hazardous agent and the people, environment, and property which might be adversely impacted by an incident. This concept is illustrated in Fig. 1 [3]. The layers of protection might include the basic process design, basic process controls and operating procedures, critical alarms and process shutdown procedures, safety interlocks, emergency equipment such as rupture disks and pressure relief valves, physical containment systems such as catch tanks and spill containment dikes, emergency response equipment and services such as sprinkler systems and fire-fighting equipment and personnel, and personnel evacuation procedures.

FIG. 1 Typical layers of protection for a chemical process. (Based on Fig. 2.2 of Ref. 3.)
Multiple barriers are generally required because no barrier will be perfect—all are subject to potential failure. An inherently safer process (discussed elsewhere in this article) will reduce or eliminate the hazard and will require fewer or less robust layers of protection—and, if the hazard is sufficiently small, there may be no need for additional protective layers at all. This is highly desirable because the layers of protection may require significant initial capital investment and ongoing operating costs to ensure their continued effectiveness. Also, although the layers of protection may be highly reliable and the risk of an accident may be small, it can never be zero—there is always a possibility that all of the layers of protection will fail simultaneously and the accident will occur.

The number and required reliability of the barriers or layers of protection must be established through the use of the various hazard and risk analysis techniques described in the following sections. This requires a complete understanding of the hazards of the process and plant (hazard identification), and an understanding of the mechanisms or scenarios by which those hazards might result in harm to people, the environment, or property (hazard analysis or hazard evaluation).

Regulations

During the past 15 years, a number of chemical or related incidents in the petrochemical industry have adversely affected surrounding communities. A few of these incidents, such as the vapor cloud explosion in Flixborough in 1974, the liquefied petroleum gas explosion in Mexico City in 1984, the toxic material release in Bhopal in 1984, and the fire and radiation release in Chernobyl, were reported worldwide. Both governmental agencies and trade organizations responded by developing standards and regulations to improve process safety. The American Petroleum Institute (API) and the American Chemistry Council (ACC) started to work with their members to develop organizational guidelines. The U.S. Department of Labor directed the Occupational Safety and Hazard Administration (OSHA) to develop federal standards for managing process safety.

A consensus started to emerge in 1990. Although the language, application, and extent of each document differed, the contents and objectives were almost the same. The API published Recommended Practice 750: Management of Process Hazards [4] in January 1990. OSHA published the proposed federal process safety rule [5] in July 1990. In October 1990, the ACC published its Resource Guide for Implementing the Process Safety Management Code of Practices [6]. In addition, the Clean Air Act Amendments of 1990 directed OSHA and the Environmental Protection Agency (EPA) to develop process safety management regulations to protect workers and the environment. The final OSHA rule on Process Safety Management of Hazardous Chemicals (29 CFR 1910.119) was published in the Federal Register [7] on February 24, 1992. A matrix showing the relevance of OSHA Process Safety Management (PSM) elements to the Center for Chemical Process Safety's (CCPS) chemical process safety management elements is given in Table 1. EPA published the Risk Management Program in June 1996.

TABLE 1 Summary Comparison of OSHA Elements with CCPS Elements

CCPS 12 elements of chemical process safety management                     Relevant paragraphs of OSHA's PSM rule
1. Accountability: Objectives and Goals                                    (none)
2. Process Knowledge and Documentation                                     Process Safety Information, § 1910.119(d)
3. Capital Project Review and Design Procedures (for new and existing      Pre-Startup Safety Review, § 1910.119(i);
   plants, expansions, and acquisitions)                                   Mechanical Integrity, § 1910.119(j)
4. Process Risk Management                                                 Process Hazard Analysis, § 1910.119(e);
                                                                           Pre-Startup Safety Review, § 1910.119(i)
5. Management of Change                                                    Management of Change, § 1910.119(l)
6. Process and Equipment Integrity                                         Process Hazard Analysis, § 1910.119(e);
                                                                           Operating Procedures, § 1910.119(f);
                                                                           Mechanical Integrity, § 1910.119(j)
7. Human Factors                                                           Process Hazard Analysis, § 1910.119(e);
                                                                           Operating Procedures, § 1910.119(f)
8. Training and Performance                                                Operating Procedures, § 1910.119(f);
                                                                           Training, § 1910.119(g);
                                                                           Pre-Startup Safety Review, § 1910.119(i);
                                                                           Emergency Planning and Response, § 1910.119(n)
9. Incident Investigation                                                  Incident Investigation, § 1910.119(m)
10. Standards, Codes, and Laws                                             (none)
11. Audits and Corrective Actions                                          Compliance Audits, § 1910.119(o)
12. Enhancement of Process Safety Knowledge                                (none)
The international chemical and petroleum community has also been addressing process safety management through regulations and recommended practices. The Norwegian Petroleum Directorate issued rules [8] in 1981 requiring quantitative hazard analyses for offshore petroleum operations. In response to the 1976 chemical dioxin release in Seveso, Italy, a European Directive [9] (commonly called the Seveso Directive) on process safety management was issued in 1982. More recently, the British government has issued process safety management regulations [10] for North Sea petroleum operations, following the recommendations of the widely distributed Cullen Report, which investigated the 1985 Piper Alpha offshore platform tragedy. Outside of Europe, the World Bank [11] has provided process safety management guidance for third-world projects. Similarly, the International Labor Office in Geneva has issued hazard analysis recommendations [12].

The Process Safety Management Program

The 14 elements of the OSHA Process Safety Management (PSM) regulation (29 CFR 1910.119) were published in the Federal Register on February 24, 1992 [7]. The objective of the regulation is to prevent or minimize the consequences of catastrophic releases of toxic, reactive, flammable, or explosive chemicals. The regulation requires a comprehensive management program: a holistic approach that integrates technologies, procedures, and management practices.

The process safety management regulation applies to processes that involve certain specified chemicals at or above threshold quantities, processes that involve flammable liquids or gases on-site in one location in quantities of 10,000 lbs or more (subject to a few exceptions), and processes that involve the manufacture of explosives and pyrotechnics. Hydrocarbon fuels, which may be excluded if used solely as a fuel, are included if the fuel is part of a process covered by this regulation. In addition, the regulation does not apply to retail facilities, oil or gas well drilling or servicing operations, or normally unoccupied remote facilities.

The process safety management regulation requires a systems approach to managing safety. Segments of the hazardous chemicals industry have for some time practiced some or all of the required programs. The promulgation of the regulation formalized the requirements and established a minimum criterion. This is both good and bad. The regulation now requires everyone to establish the management systems and apply the technologies needed to comply with it. However, for the same reason, there is a tendency to look for "paper compliance" rather than to make real improvements in safety programs and technologies.

The Risk Management Program

In 1996, the EPA promulgated the regulation for Risk Management Programs for Chemical Accident Release Prevention (40 CFR 68). This federal regulation was mandated by section 112(r) of the Clean Air Act Amendments of 1990. The regulation requires regulated facilities to develop and implement appropriate risk management programs to minimize the frequency and severity of chemical plant accidents. In keeping with regulatory trends, EPA required a performance-based approach toward compliance with the risk management program regulation.

The EPA regulation also requires regulated facilities to develop a Risk Management Plan (RMP). The RMP includes a description of the hazard assessment, the prevention program, and the emergency response program. Facilities submit the RMP to the EPA; subsequently, it is made available to governmental agencies, the state emergency response commission, and the local emergency planning committees, and communicated to the public.

The risk management program regulation defines the worst-case release as the release of the largest quantity of a regulated substance from a vessel or process line failure, including administrative controls and passive mitigation that limit the total quantity involved or the release rate. For gases, the worst-case release scenario assumes the quantity is released in 10 min. For liquids, the scenario assumes an instantaneous spill and that the release rate to the air is the volatilization rate from a pool 1 cm deep unless passive mitigation systems contain the substance in a smaller area. For flammables, the scenario assumes an instantaneous release and a vapor cloud explosion using a 10% yield factor. For alternative scenarios (note: EPA used the term "alternative scenario" in place of the term "more-likely scenario" used earlier in the proposed regulation), facilities may take credit for both passive and active mitigation systems.

Appendix A of the final regulation lists endpoints for toxic substances to be used in worst-case and alternative scenario assessment. The toxic endpoints are based on ERPG-2 (Emergency Response Planning Guidelines—Level 2) or level-of-concern data compiled by the EPA. The flammable endpoints represent vapor cloud explosion distances based on an overpressure of 1 psi or radiant heat distances based on exposure to 5 kW/m² for 40 s.

Hazard and Risk

Hazard

A hazard is a physical or chemical characteristic of a material or process which has the potential to cause harm to people, the environment, or property. A hazard can be a characteristic property of a material, it can be a result of the conditions of use of the material, or it can be the result of an interaction among two or more materials or sources of energy. Some examples of hazards include the following:

• Chlorine is a toxic gas.
• Gasoline is a flammable liquid.
• Sulfuric acid is corrosive.
• A cylinder containing compressed air contains significant potential energy from the pressurized gas.
• A mixture of a vinyl monomer and a peroxide initiator has significant potential chemical energy of reaction.
• A 600 psig steam pipe is at elevated temperature and also contains a lot of energy from the pressure of the steam.

These hazards cannot be changed; they are intrinsic to the material or its conditions of use. The only way to eliminate or reduce hazards is to change the material or conditions of use. Although it is generally preferable to eliminate or reduce hazards (see the later discussion on inherent safety), this is not always possible. The properties of a material or system which create a hazard may be the same as the properties which make the material or system useful. A highly reactive monomer, when polymerized under controlled conditions, will produce a valuable product. However, if the polymerization is not controlled, the result could be overpressurization of a reactor and a possible explosion. Therefore, it is often necessary to manage and control the hazards of a process and plant. To do this, you must first identify and understand the hazards (hazard identification). Then, you must understand how the harm to people, the environment, or property can be realized from the hazardous material or condition (hazard evaluation or hazard analysis).

Risk

Risk is a measure of human injury, environmental damage, or property loss expressed in terms of both the likelihood of the incident and the magnitude of the injury, damage, or loss. Risk can be considered to be a function of the potential incident occurrence, incident consequence, and incident likelihood:

Risk = f(incident, consequence, likelihood)

There can be many different kinds of risk associated with a chemical process or plant; for example, safety risk to plant workers, health risk to workers, health risk to neighbors, risk of various kinds of environmental damage, risk of damage to the plant or other property, risk of producing product which does not meet specifications and cannot be sold, risk of loss of business due to a plant outage, business risk that the product cannot be sold, and others. All of these risks must be understood and managed to successfully operate a profitable plant and business over the long term.
There are many different measures for each of the risks associated with a chemical manufacturing facility. For example, some measures of risk to employees in a plant include the following:

• Average risk of fatality from a process accident to an employee in the plant
• Maximum risk of fatality from a process accident to the employee at greatest risk
• Average risk to a specific employee in a plant over the course of a normal working day as he does various specific jobs
• An estimate of the distribution of likelihood of accidents of various sizes (impacting one employee, two employees, three employees, etc.)
• Average risk of injury to an employee

The CCPS Guidelines for Chemical Process Quantitative Risk Analysis [13] describes many different measures of safety risk which might be used in understanding the risk of a chemical plant and also provides quantitative methodologies for calculation.

Hazard Identification and Hazard Evaluation

Objective of Hazard Identification and Evaluation

The objective of hazard identification is to fully understand the hazards of a chemical process, including the hazards associated with the following:

• Materials; for example, toxicity, reactivity
• Process conditions; for example, high temperature, high pressure
• Potential interactions among one or more materials; for example, chemical reaction, decomposition, corrosion

A full understanding of all hazards of a process is the essential first step in eliminating, minimizing, or managing those hazards.

The objective of hazard evaluation is the identification of specific mechanisms by which the potential harm associated with the process hazards can be realized. Hazard evaluation techniques can also include the identification of protective measures which have been incorporated into the process design to manage the hazards, qualitative assessment of the risk of the specific incident scenarios identified, and evaluation of the adequacy of existing protective features or recommendation for additional safeguards.

Hazard Identification

Hazard identification is based on a complete knowledge of the properties of the materials being handled and the chemical and physical processes used. Hazards of materials can be identified from literature searches, publications such as Sax's Dangerous Properties of Industrial Materials [14], and libraries of Material Safety Data Sheets. The best source of hazard information for raw materials is often the material supplier. Bretherick's Handbook of Reactive Chemical Hazards [15] provides a comprehensive summary of reactive chemical hazard literature. Checklists are a good mechanism for identifying process hazards (checklists as a hazard evaluation technique will be discussed later). Two specific tools for hazard identification, which are particularly useful in understanding chemical reaction hazards, are discussed in more detail in the following sections.

Interaction Matrix

The interaction matrix (Fig. 2) is intended to identify chemical reaction hazards among materials and energy sources in a chemical process. This tool is particularly useful early in the development of a new chemical process. To create an interaction matrix, list all of the materials, materials of construction, likely contaminants, potential sources of energy, process utilities (such as steam, water, nitrogen, compressed air, ethylene glycol coolant, and heat transfer oil), and other relevant parameters along each axis of the matrix. It is a good idea to also include "people" on one of the axes, to prompt questions about toxicity and other adverse impacts of materials on people. Then, ask what happens for each interaction where the matrix columns and rows intersect. The matrix should go beyond a simple yes–no answer, but rather should provide some detailed information on the nature of the interactions identified. Often an interaction matrix will generate more questions than answers, particularly early in development. In this case, it may be appropriate to recommend a literature search or laboratory experiments to understand potential interactions.

FIG. 2 Example interaction matrix.

Chemistry Hazard Analysis

The Chemistry Hazard Analysis (CHA) is derived from the Hazard and Operability (HAZOP) study methodology. The thought process of a HAZOP study can be applied at any stage in process development. The CHA is a HAZOP applied to a chemical reaction, without the detailed plant design information required for a traditional HAZOP study. For the CHA, the chemist or engineer usually assumes that the deviation identified by the application of the guide word to the chemical reaction does occur for some reason, not developing specific causes, and investigates the consequences. If the consequences are known, the designer should determine if they represent a hazard which must be understood and managed as a part of the process development, and document this information for future action or reference. In many cases, early in process development, the consequences may not be known, and additional research or experiments may be needed.

Hazard Evaluation: Selection of Procedure

A number of different hazard evaluation techniques are in common use in the chemical industry, as listed in Table 2. Some techniques, particularly those based on logic models, require more detailed plant design information and it may not be possible to apply them early in process development. Table 3 provides some guidance on how the various techniques have commonly been applied through the life cycle of a chemical process.

TABLE 2 Process Hazard Analysis Tools Commonly Used in the Chemical Process Industries

Category: Brainstorming techniques
  Tools: Safety review; Preliminary hazard analysis; What If
    Relatively unstructured brainstorming techniques to identify hazards and potential accident scenarios.
  Tools: Hazard and Operability Study (HAZOP); Failure Mode and Effect Analysis (FMEA)
    A structured analysis procedure that focuses brainstorming activities, including use of a specific set of guide words or knowledge and checklists of known equipment failure modes.

Category: Checklist techniques
  Tools: Checklist; What If/checklist
    Predefined checklists based on previous experience compare a design to specific standards or good practice. When combined with What If analysis, the checklists are used to prompt brainstorming activities.

Category: Risk-ranking techniques
  Tool: Relative ranking
    A general category that includes a large number of quantitative and semiquantitative techniques which use checklists or equations based on material properties, quantities, and handling conditions to numerically rank risk. Examples include the Dow Fire and Explosion Index and the Dow Chemical Exposure Index.

Category: Logic model techniques
  Tools: Fault-tree analysis; Event-tree analysis
    Logic models which identify specific causes or combinations of events which lead to a potential accident scenario. These techniques require much detailed design information and usually focus on analyzing a few specific accident scenarios in detail. These techniques can be quantified and are important tools in quantitative risk analysis.

What-If Analysis

What-If Analysis is a brainstorming technique in which a team with expertise on the process asks "what-if" questions about the process to identify potential hazards or incident scenarios. The Preliminary Hazard Analysis and Safety Review techniques are forms of What-If Analysis. In a What-If Analysis, a team of experts on the process and plant meet in a free brainstorming session to ask "what-if" questions to identify what can go wrong. The technique is very flexible and can be applied at any stage in the process life cycle. The unstructured nature of What-If Analysis can be both an advantage and a disadvantage. With an experienced and knowledgeable team, the technique can be powerful. The discussion and interaction among team members in the meeting can enhance the identification of hazards. However, the unstructured nature may result in an incomplete analysis by an inexperienced team. Table 4 is an example of the results of a What-If Analysis. What-If is often combined with a checklist to ensure that a minimum set of "What-If" questions is covered by the review team.

TABLE 3 Process Hazard Evaluation Techniques

Process Hazard Analysis Technique column keys: SR = Safety Review; CL = Checklist; RR = Relative Ranking; PrelHA = Preliminary Hazard Analysis; WI = What-If; WI/CL = What-If/Checklist; FMEA = Failure Mode and Effect Analysis; HAZOP = Hazard and Operability Analysis; FTA = Fault-Tree Analysis; ETA = Event-Tree Analysis.

Chemical Process Life-Cycle Stage                SR  CL  RR  PrelHA  WI  WI/CL  FMEA  HAZOP  FTA  ETA
Research and development                         ○   ○   ●   ●       ●   ○      ○     ○      ○    ○
Conceptual design                                ○   ●   ●   ●       ●   ●      ○     ○      ○    ○
Detailed engineering                             ○   ●   ○   ●       ●   ●      ●     ●      ●    ●
Construction                                     ●   ●   ○   ○       ●   ●      ○     ○      ○    ○
Start-up                                         ●   ●   ○   ○       ●   ●      ○     ○      ○    ○
Routine operation, modifications, and expansions ●   ●   ●   ●       ●   ●      ●     ●      ●    ●
Decommissioning                                  ●   ●   ○   ○       ●   ●      ○     ○      ○    ○
Demolition                                       ●   ●   ○   ○       ●   ●      ○     ○      ○    ○

Note: ●, PHA technique commonly used; ○, PHA technique rarely used or not appropriate.
Source: Based on Ref. 5.

TABLE 4 Example of the Results of a What-If Analysis for a Batch Process

1. What-If...? Reactant feed rate is too high?
   Hazard or consequence: Heat generation rate exceeds heat removal capability, increased temperature, potential runaway reaction.
   Safeguards: High reactant flow rate interlock shuts down feed. High reactor temperature interlock shuts down feed. Rupture disk sized adequately to protect reactor for maximum feed rate with no cooling.
   Recommendations: Establish preventive maintenance and testing program for flow and temperature interlocks.

2. What-If...? Reactor temperature is too low?
   Hazard or consequence: Reaction may stall, resulting in a buildup of reactants. This pool of unreacted material has significant potential energy; possible runaway reaction if temperature is subsequently increased.
   Safeguards: Low reactor temperature alarm warns operator.
   Recommendations: Evaluate rupture disk size relative to potential pooling of unreacted material. Based on result, determine if additional protection is needed.

Checklist Analysis

A checklist is a list of items used to verify that a plant or process is designed and operated consistently with a predetermined set of good practices defined by the checklist. A checklist is often used to confirm that a plant complies with codes, standards, or regulations. Checklists vary from general lists of questions describing common chemical hazards and processing concerns to detailed lists of specific requirements of a standard. Many checklists are simple, requiring only "yes, no, not applicable" answers. The use of checklist analysis depends on the availability of suitable checklists for the plant being reviewed. Good checklists are most likely to be available for common types of installation, such as flammable-solvent storage facilities, and are unlikely to be available for unique process operations. Checklist completeness depends on the experience of the checklist authors. The output of a checklist analysis is a list of responses to the checklist questions, with areas of noncompliance highlighted and recommendations for bringing the facility into compliance.

Combining a What-If Analysis with a checklist can be a very effective hazard identification and evaluation technique. The What-If allows creative brainstorming of a team to identify hazards, and the checklist ensures that the team considers a specified list of hazards based on prior experience, addressing the concern about completeness of the What-If analysis.

Hazard and Operability Study

A Hazard and Operability Study (HAZOP) is a guide word hazard evaluation technique normally done by a review team. HAZOP begins with the premise that the process is safe if operated as intended, and the team must agree that this is true. Incidents are assumed to result from deviation from intended operation. Guide words are used in conjunction with the process operating parameters to identify potential deviations, and the review team determines the consequences of those deviations.

A Hazard and Operability Study is best applied when specific process and plant information is available (e.g., a detailed plant design or an operating plant). To do a HAZOP, the process is first divided into sections, or nodes, which are analyzed individually. A node might be a transfer line from one vessel to another, a piece of process equipment such as a reactor or heat exchanger, or a step in a batch process. The team states the intended operation of each process node, including values of the process parameters—the process intention. The team then applies guide words to the parameters to identify potential deviations from intended operation. The following are basic guide words:

• No
• More
• Less
• Part Of
• Reverse
• As Well As
• Other

As an example, the guide word "less" can be combined with a specified reactor temperature intention to arrive at the deviation "less (lower) reactor temperature." Once a deviation has been identified, the team determines as many potential causes of the deviation as possible. For the deviation "less reactor temperature," causes might include a cooling water control valve stuck open, an incorrect temperature set point, and others. The team determines the consequences of each deviation/cause combination, and the existing safeguards. It then qualitatively judges the effectiveness of the safeguards to determine if they are adequate. A semiquantitative risk-ranking system is often used to aid the team in evaluating the significance of the hazards identified. If the existing safeguards are judged to be inadequate, the team should recommend appropriate action to mitigate the potential hazard. The team continues to apply the guide words to each node until no additional deviations can be identified. These steps are repeated for each process node, until the entire process has been reviewed. Table 5 shows a part of the output of a typical HAZOP study.

Fault-Tree Analysis

A fault tree is a logic model which identifies the multiple ways in which equipment
and human failures in a system can combine to cause an undesired event (the ‘‘Top
Event’’). The analyst begins with a specific undesired event and develops a model
using Boolean ‘‘AND’’ and ‘‘OR’’ logic gates to identify the immediate causes.
These immediate causes can then be further developed to identify their causes,
also using Boolean logic gates. The development of the tree continues until it
reaches a level of resolution judged to be adequate for understanding potential
incident sequences and identifying system improvements. These events are not
further developed and are called basic events. Normally, basic events are at the
level of failure of individual plant components (e.g., a shutoff valve stuck in the
open position, a pump failure to run, a pressure sensor failing to detect high pres-
sure). Human error can be incorporated into a fault tree by including specific opera-
tor actions (e.g., opening the wrong manual valve) or errors (e.g., failure to act in
response to a high temperature alarm). Figure 3 is an example of the top levels
of a fault tree for a fire.
A fault tree can be solved using Boolean algebra techniques to identify specific
combinations of individual equipment failures and human errors, which can cause
the undesired top event. These combinations of failures and errors describe specific
potential incident scenarios and are called minimal cut sets. The cut sets can be
used to identify areas where the system can be improved. Fault trees can also be
quantified by assigning failure rate and probability data to the basic events. These
data can be mathematically manipulated to estimate the likelihood of the top event
and to understand the relative contribution of individual basic events and cut sets
to the total probability of failure.
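To make the cut-set and quantification steps concrete, here is an added example (not code from the text, and not the tree of Fig. 3): a small constructed fire fault tree is reduced to its minimal cut sets with the Boolean absorption law and then quantified with assumed basic-event probabilities, both exactly and by the rare-event approximation. All event names and probabilities are constructed for illustration.

```python
"""Fault-tree evaluation: minimal cut sets and top-event probability.

Added example, not code from the text. The tree and the failure
probabilities below are constructed for illustration; they are not the
fault tree of Fig. 3 or data from any real plant.
"""
import math
from itertools import combinations

# A tree node is either a basic-event name (str) or a gate, written as
# ("AND", [children]) or ("OR", [children]).


def minimal_cut_sets(node):
    """Return the minimal cut sets of a fault tree as a set of frozensets."""
    if isinstance(node, str):          # basic event: it is its own cut set
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":                   # any child's cut set cuts the gate
        result = set().union(*child_sets)
    elif gate == "AND":                # need one cut set from every child
        result = {frozenset()}
        for cs in child_sets:
            result = {a | b for a in result for b in cs}
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return _minimize(result)


def _minimize(cut_sets):
    """Boolean absorption law: drop any cut set that contains another cut
    set, since the smaller set already causes the top event on its own."""
    return {c for c in cut_sets if not any(o < c for o in cut_sets)}


def rare_event_approximation(cut_sets, p):
    """Sum of the cut-set probabilities: an upper bound on the top-event
    probability that is close to exact when all p[e] are small."""
    return sum(math.prod(p[e] for e in c) for c in cut_sets)


def top_event_probability(cut_sets, p):
    """Exact probability that at least one minimal cut set occurs, by
    inclusion-exclusion over the cut sets. Basic events are assumed
    independent with probabilities p[name]; this correctly handles events
    shared between cut sets, which the plain sum over-counts."""
    cuts = list(cut_sets)
    total = 0.0
    for k in range(1, len(cuts) + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for combo in combinations(cuts, k):
            union = frozenset().union(*combo)
            total += sign * math.prod(p[e] for e in union)
    return total


def cut_set_ranking(cut_sets, p):
    """(cut set, probability) pairs with the dominant scenarios first; these
    are the first candidates for added safeguards."""
    ranked = [(c, math.prod(p[e] for e in c)) for c in cut_sets]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed fire fault tree: a fire needs a flammable release AND an
# ignition source; the release is either a flange leak OR an overfill in
# which the feed valve sticks open AND the high-level alarm fails.
FIRE_TREE = ("AND", [
    ("OR", ["flange_leak",
            ("AND", ["feed_valve_stuck_open", "high_level_alarm_fails"])]),
    ("OR", ["hot_surface", "vehicle_traffic"]),
])

# Constructed per-demand probabilities for the basic events (illustrative).
BASIC_EVENT_PROBABILITY = {
    "flange_leak": 0.01,
    "feed_valve_stuck_open": 0.02,
    "high_level_alarm_fails": 0.10,
    "hot_surface": 0.05,
    "vehicle_traffic": 0.02,
}


def analyse_fire_tree():
    """Solve the constructed tree; returns cut sets and both probability estimates."""
    cuts = minimal_cut_sets(FIRE_TREE)
    return {
        "cut_sets": cuts,
        "exact": top_event_probability(cuts, BASIC_EVENT_PROBABILITY),
        "rare_event": rare_event_approximation(cuts, BASIC_EVENT_PROBABILITY),
        "ranking": cut_set_ranking(cuts, BASIC_EVENT_PROBABILITY),
    }


if __name__ == "__main__":
    result = analyse_fire_tree()
    for cut, prob in result["ranking"]:
        print(f"{prob:.2e}  {sorted(cut)}")
    print(f"top event (exact)       {result['exact']:.3e}")
    print(f"top event (rare-event)  {result['rare_event']:.3e}")
```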

Event-Tree Analysis

An event tree is a graphical logic model which shows the possible outcomes
resulting from an initiating event. An event tree describes the response of a sys-
tem to a disturbance created by the initiating event. For example, Fig. 4 shows an
event tree for the sulfuric acid splash incident used to describe the accident pro-
cess. An event tree describes a number of potential outcomes from a single initiat-
ing event. These outcomes may vary in severity, and the event tree is useful in
understanding the full range of possible outcomes that can result from a single
system failure.

TABLE 5 Example of Partial Results of a HAZOP

Deviation 1. MORE than 160 lbs/h Raw Material A flow

Causes
  A. Wrong set point (too high) on FIC-301-01
  B. FIC-301-01 control valve stuck open
  C. FIC-301-01 flow sensor miscalibrated—reads low

Consequences
  A. Reactor R-310 temperature increases; heat balance indicates there is no potential for runaway reaction, even for maximum possible flow rate; product will not meet specifications if R-310 temperature increases above 90°C.
  B. Same as A.
  C. Same as A.

Safeguards
  A. 1. High flow alarm on FIC-301-01 warns operators. 2. High temperature alarm TAH-310-05 on Reactor R-310 warns operator.
  B. Same as A.
  C. A-2 only applies. A-1 will not provide an alarm because the flow sensor is miscalibrated. Plant experience indicates this is not likely.

Recommendations
  A. Confirm that operator training includes proper response to FIC-301-01 and TAH-310-05 high alarms.

Note.—Intention: Feed 150–160 lbs./h of 42–44% aqueous Raw Material A solution from Feed Tank F-101 using Pump P-110 through line 10436 and flow controller FIC-301-01 to Reactor R-310. Raw Material A solution temperature is 20–35°C. While feeding, Reactor R-310 agitator is running at 50 rpm.

FIG. 3 Top levels of a fault tree for a fire.

Event trees are very useful in understanding the effectiveness of
the multiple layers of protection, which are often present in a chemical process.
Each independent layer of protection is a branch point in the event tree, with the
branches corresponding to the success or failure of the layer of protection. An
event tree, like a fault tree, can also be quantified by estimating a frequency
for the initiating event and the probabilities of success and failure at each branch
point in the event tree. Quantitative event tree analysis is often combined with
fault-tree analysis: Fault trees are used to quantify the frequency of the initiating
event and the probability of failure of the protective systems at the event-tree
branch points.

Failure Mode and Effect Analysis

A Failure Mode and Effect Analysis (FMEA) lists the known failure modes of
specific pieces of equipment in a plant and determines the impact of those failures
on the plant. FMEA and HAZOP are similar; the main difference is the starting
point for identifying potential hazardous incident scenarios. HAZOP starts by pos-
tulating a deviation in the value of a process parameter (e.g., more flow) and asking
what kind of equipment failures or operating errors might have caused that
deviation and what the process impact will be. FMEA starts by postulating a known
equipment failure mode (e.g., control valve stuck open) and asks what impact this
failure will have on the operation of the process.

FIG. 4 Example event tree.

The FMEA starts with a functional description of each piece of process equip-
ment and identifies ways in which that piece of equipment might fail to perform
as designed. A good understanding of the equipment and potential failure modes
is required. The FMEA determines how the process will respond to the potential
equipment failure, determines if a potentially hazardous incident will result, identi-
fies existing safeguards, evaluates their effectiveness, and develops recommenda-
tions for action where appropriate. These steps are very similar to the correspond-
ing step in a HAZOP study. Table 6 shows a part of the output from a typical
FMEA study.

Risk-Ranking Techniques

Risk-ranking techniques such as the Dow Fire and Explosion Index [16] and the
Dow Chemical Exposure Index [17] develop a numerical risk-ranking index based
on various process characteristics such as material properties, chemical reactions,
unit operations, operating conditions, and other factors. These risk indices provide
a relative ranking of specific types of process hazards (e.g., fire and explosion
hazards) and are useful for comparing alternate process or plant designs (including
location and siting), understanding the parts of a plant or process which are the
major sources of risk, and prioritizing other hazard evaluation and risk management
activities.

TABLE 6 Example of Partial Results of a Failure Mode and Effects Analysis

Item and Description 1. Cooling Water Control Valve FIC-301-10. Pneumatically operated valve, fails closed on air supply failure.

Failure mode
  A. Valve stuck in closed position
  B. Air failure to FIC-301-10

Effects
  A. Unable to increase flow of cooling water to reactor to control temperature of batch during exothermic reaction. Possible uncontrolled reaction generating high temperature and pressure.
  B. Valve will open, putting full cooling on the reactor.

Safeguards
  A. High temperature interlock TAH-310-08 on Reactor R-310 closes raw material feed valve.
  B. Full cooling is sufficient to control temperature at maximum raw material feed rate.

Recommendations
  A. Confirm that there is no buildup of unreacted material and stopping feed will stop reaction. Review maintenance procedures and make sure Valve FIC-301-10 is regularly inspected and tested.

Summary of Hazard Identification and Evaluation

This section has briefly described a number of commonly used hazard identification
and evaluation tools. Most of these tools are best used in a multidisciplinary team
environment, providing a wide variety of plant and process experience and interac-
tive discussion to understand the process and identify potential hazards and inci-
dent scenarios. CCPS [18] and Wells [19] provide more information on the applica-
tion of these and other hazard evaluation tools in the chemical industry.

Consequence Analysis

As mentioned earlier, risk is defined as a function of incident occurrence, frequency,
and consequence. Consequence analysis is the quantitative estimation of
the consequence of a chemical process incident—an estimate of the magnitude of
the potential harm to people, the environment, or property. Because there is a
wide range of potentially harmful impacts of chemical process incidents, there is
a number of different tools which may be useful in analyzing these impacts. In
this discussion, the consequence analysis tools described will be limited to those
commonly used to estimate the potential for injury or fatality to people as an imme-
diate result of exposure to harmful materials or energy. However, it is recognized
that there is a wide variety of other potential consequences of incidents and a
correspondingly wide variety of tools used to understand these consequences.
Consequence models can be quite complex and can only be described in general
terms in this discussion. A number of publications by the Center for Chemical
Process Safety [20–24] describe specific types of consequence analysis models in
detail. Lees [25] also provides a detailed description of incident consequence mod-
els. There are also a number of public domain and proprietary commercial com-
puter-modeling systems available for chemical release consequence analysis.

Source Models

Source models quantitatively estimate the magnitude, rate, duration, physical state
(solid, liquid, gas, or a combination), and temperature or other physical condition
of a chemical release based on the physical and chemical parameters associated
with a particular release scenario.
Most source models are well developed in chemical engineering theory and
are essentially the same as the models used for similar material flow scenarios
used to design plant equipment. These include single-phase and multiphase flow
models for flow-through holes, orifices, and pipes, which are readily adapted to
describe flow from a leaking pipe or vessel. Two-phase flashing flow models are
based on technology developed by the Design Institute for Emergency Relief Sys-
tems (DIERS) [26]. Two-phase or flashing jet release models must also consider
the formation of fine aerosols in the discharge and the potential for the small drops
to remain suspended in the atmosphere rather than ‘‘raining out’’ into an evaporat-
ing pool on the ground. For a discharge of material from a reactive system, the
models required to fully understand the system may be quite complex and data
from reaction calorimetry tests may be required.
If a release is wholly or partially in the form of a liquid, it will form a pool
on the ground. The evaporation of vapor from this pool is another potential source
term for atmospheric dispersion models, which estimate the downwind concentra-
tion of the vapor. The first step in estimating evaporation from a liquid pool is to
estimate the size of the pool. Pool size models consider the momentum of the
liquid stream entering the pool, gravity spreading resulting from the depth of the
pool, and the liquid physical properties (e.g., viscosity, surface tension, and surface
wetting properties). Physical constraints such as dikes and containment systems
may also determine the size of a pool of spilled liquid.
There are three major pool evaporation situations, which are typically modeled:
boiling liquid pools, volatile liquid pools, and relatively nonvolatile liquid pools.

• Boiling liquid pools occur when the pool liquid boils at a temperature below
that of its surroundings (the ground and atmosphere). In this case, vapor genera-
tion is controlled by heat transfer into the liquid pool, both from the ground
and from the surrounding atmosphere. The vapor release rate is determined from
an estimate of the total heat transfer into the pool and the heat of vaporization
of the liquid.
• Volatile liquid pools exert a significant vapor pressure but are at a temperature
below the liquid boiling point. Evaporation models for volatile liquid pools
consider both heat transfer into the pool and mass transfer rates into the atmo-
sphere from the pool surface.
• The evaporation of relatively nonvolatile liquid pools is primarily determined
by mass transfer at the surface of the pool. Because the evaporation rate is low,
the pool temperature will be essentially the same as the temperature of the
surroundings after any initial temperature differences equilibrate. Evaporation
models are based on standard methodologies for estimating convective mass
transfer from a liquid into a gas.

Vapor Cloud Dispersion

Vapor cloud dispersion models estimate the area covered by the vapor cloud from
a chemical release as it disperses in the atmosphere, and they estimate the vapor
concentrations at specific locations in the cloud. Some of the data required for a
vapor cloud dispersion model include the following:

• Characteristics of the release, including rate, total quantity released, location of
the release
• Characteristics of the release (phase, direction, velocity, composition,
temperature, pressure)
• Atmospheric conditions, including wind speed, atmospheric stability,
temperature, pressure
• Characteristics of the surface, including surface roughness

Some of the complex vapor cloud dispersion models may require additional infor-
mation to characterize the release, the atmospheric conditions, and surface condi-
tions.
Vapor cloud dispersion models consider three typical types of behavior:

• Neutrally buoyant gases (having a density close to the density of air)
• Positively buoyant gases (having a lower density than air)
• Dense or heavy (negatively buoyant) gases

Two major types of releases must also be considered:

• Instantaneous (puff releases)
• Continuous releases (plumes)

The CCPS [20] describes vapor cloud models in detail, including all of the
major types of dispersion models and release types. The CCPS [22] provides a
more condensed summary of some of these models. The output of these models
describes the concentration of the released material in both time and space as the
vapor cloud travels downwind.

Fires

Incident consequence analysis may require consideration of one or more of several
different types of fire:

• Pool fire: a burning pool of a flammable or combustible liquid
• Jet fire: burning of a flowing jet of flammable liquid or gas, usually from a
pipe or vessel
• Flash fire: nonexplosive combustion of a flammable mixture of a combustible
vapor in air

Pool Fire

The primary mechanism of damage from a pool fire is thermal radiation from the
flame. Pool fire models estimate the thermal effects based on the properties of the
material burning in the pool, the geometry of the pool, atmospheric characteristics,
and geometry of the fire relative to the receiving source. Pool fire models are
well developed. They are based on empirically determined characteristics such as
burning rate, flame height, surface emissive power, and atmospheric transmissivity,
all of which are well established in the literature. Pool fire models provide an
estimate of the thermal radiation at locations of interest surrounding the fire.

Jet Fire

Many jet fire models are based on models used for the design of flare systems.
As for pool fires, the damage from a jet fire results primarily from thermal radiation
from the fire. Jet fire models require an understanding of the characteristics of the
jet (discharge rate and velocity, material burning properties) and, like pool fires,
characteristics of the atmosphere. Jet fire models are primarily empirical but are
derived from much data and experience. The models produce an estimate of the
thermal radiation at locations surrounding the jet fire.

Flash Fire

A flash fire results from the ignition of a cloud of flammable gas (a cloud containing
a flammable material at a concentration between its lower and upper explosive
limits in air). Such a cloud can explode under the proper conditions (size and
degree of confinement), resulting in a vapor cloud explosion. If the conditions
required for a vapor cloud explosion are not present, the cloud may still ignite and
burn. In this case, the burning cloud will not generate pressure and an explosion,
but the flash fire is still capable of causing significant damage. The primary hazard
is from direct contact with the flame and from thermal radiation, which is normally
for a brief time of a few tenths of a second. Flash fires are normally modeled by
determining the dimensions of the flammable cloud using vapor dispersion models
and estimating the thermal radiation resulting from combustion of the cloud.

Explosions

Chemical incident consequence analysis may need to consider four types of explo-
sion:

• Physical explosions: the failure of a vessel containing material under pressure
without chemical reaction (e.g., due to a vessel defect or excess pressure in the
vessel).
• Vapor cloud explosions: explosion of a cloud of flammable vapor dispersed in
the atmosphere.
• Confined explosions: explosion resulting from a rapid chemical reaction gener-
ating high temperature and pressure inside a confined space such as a vessel
or a building.
• Boiling liquid expanding vapor explosions (BLEVE): the catastrophic failure
of a vessel containing a superheated liquid. If the liquid is flammable, ignition
may result in a fireball.

The CCPS [20,22] describes commonly used explosion models in detail.

Physical Explosions

Physical explosion models generally estimate the amount of energy which would
be released by the sudden expansion of the material contained in a vessel from its
initial temperature, pressure, and volume to atmospheric pressure. This estimated
energy is then converted to an equivalent amount of TNT. A number of correlations
of explosion pressure as a function of distance from a TNT explosion have been
published, and these can be used to estimate damage. It may also be necessary to
consider the potential impact of the vessel fragments, which result from a vessel
explosion. Empirical models to estimate the number and size of fragments, their
travel distance, and energy are available.

Vapor Cloud Explosions

If ignited, a flammable vapor cloud can burn as a flash fire, or, if the flame speed
accelerates sufficiently, it can produce significant blast pressure from a vapor cloud
explosion. A number of factors have been found to be important in determining
whether a vapor cloud explosion occurs when a flammable vapor cloud is ignited.
These include the following:

• Turbulence in the vapor cloud. This turbulence may arise from the energy from
the release of the fuel itself (from a jet or catastrophic loss of containment) or
from the interaction of the cloud with its surroundings during the combustion
process.
• Partial confinement of the vapor cloud as a result of obstacles, structures, or
other factors, which could cause local partial confinement. The explosive com-
bustion in the locally confined cloud can propagate into the rest of the cloud.
• Mass of the cloud. Experimental studies have demonstrated that there is a mini-
mum mass of flammable material required to transition to a vapor cloud explo-
sion. The CCPS [21] reports studies indicating that this minimum mass is in
the range of 1 to 15 tons for typical hydrocarbons.
• Combustion properties of the fuel. Materials with a high fundamental burning
velocity such as ethylene oxide and ethylene are reported to be more readily
inclined to propagate to a vapor cloud explosion.

Vapor cloud explosions are modeled using three types of model:

• TNT Equivalency Models. The total energy available from the combustion is
estimated from the mass of fuel in the cloud and the heat of combustion of the
fuel. This combustion energy is then converted to an equivalent mass of TNT
and reduced by an ‘‘explosion efficiency’’ factor, which is empirically esti-
mated. The explosion overpressure and other characteristics can then be esti-
mated as a function of distance from the cloud using readily available experi-
mental data for TNT explosions. TNT equivalency models are empirical, and
the results are strongly dependent on the explosion efficiency, which may not
be known for a particular material or cloud configuration. TNT equivalency
models also do not characterize the vapor cloud explosion well in the area close
to the cloud, where they may predict much higher pressure than typically result
from the combustion of a flammable cloud.
• Multienergy Method. This model is based on the assumption that the blast char-
acteristics of a flammable vapor cloud depend more on the level of congestion
and confinement than on the fuel. The models require dispersion models to
determine the size of the cloud. Then, areas with different confinement and
congestion characteristics are identified and considered to be sources of strong
blasts. The energy from each blast source is estimated, and the potential damage
is estimated from empirically derived correlations.
• Baker–Strehlow Method. This model also considers confinement as the basis
for the size of the flammable vapor cloud. It also considers burning characteris-
tics and reactivity of the fuel, geometry of the confined volume, and the degree
of confinement created by the obstacles in the confined volume. Blast character-
istics are then estimated using a set of correlations and charts.

These models are discussed in detail in Refs. 20 and 22.

Confined Explosions

Confined explosions result from combustion or another rapid chemical reaction
in a confined vessel or building. Confined combustion reactions may occur with
flammable vapor–air mixtures or from the dispersion of a cloud of combustible
dust in air. The combustion or reaction products are often gases, and pressure is
generated by the gas and also the elevated temperature resulting from the heat of
combustion or reaction. Confined explosions are modeled by estimating the peak
pressure that can be generated from the chemical reaction. The models are specific
to the reaction and may require considerable reaction thermodynamic and kinetic
data. The maximum pressure resulting from the reaction model is then compared
to the failure characteristics of the confining vessel or building. If the pressure
exceeds the expected failure pressure of the vessel, the damage resulting from
vessel failure and the potential for damage or injury from fragments can be esti-
mated using the methods for physical explosions discussed earlier.

Boiling Liquid Expanding Vapor Explosions

A BLEVE is the rapid release of a large amount of superheated liquid to the atmo-
sphere. It often occurs as a result of weakening of a pressure vessel caused by
direct flame impingement on the vessel above the liquid level. This weakens the
metal vessel and it can fail rapidly and catastrophically. The sudden loss of con-
finement allows the superheated liquid to rapidly flash, increasing its volume sev-
eral hundred times and generating a pressure wave and fragments. If the released
liquid is flammable, it can also ignite, resulting in a fireball. BLEVE models are
based on the expansion energy of the flashing liquid. Blast effects tend to be local,
and the impact of the fireball, which usually accompanies a BLEVE of a flammable
material, is the more important source of damage. BLEVE fireball models empiri-
cally estimate the fireball dimensions based on the quantity of material released.
Thermal radiation characteristics of the fireball are then modeled using a combina-
tion of empirically derived relationships and fundamental models for the geometry
of the fireball with respect to the receptor and atmospheric transmission of the
thermal radiation. The result is an estimate of the radiant energy flux level and
duration at various locations surrounding the BLEVE.

Effect Models

The result of the application of the models discussed in this section so far is an
estimate of some type of physical parameter at various locations surrounding a
chemical release: a concentration of toxic gas in the atmosphere, the amount of
radiant energy at a specific location from a fire, and the peak pressure and impulse
duration from an explosion. Effect models estimate the damage, which results from
these physical effects. There are a wide range of possible effect models correspond-
ing to the wide range of potential damage to people, the environment, and property,
which can result from exposure to toxic materials, fires, and explosions.
The CCPS [22] provides a summary of effect models commonly used to esti-
mate the impact of toxic vapors, fires, and explosions on people. These models
are generally empirical and are based on experimental data and evaluation of the
consequences of past incidents. Models are available to estimate the impact of a
hazardous agent using the dose-response relationship (e.g., relating probability of
fatality to concentration and duration of exposure by inhalation of a toxic gas,
relating severity of burns to intensity and duration of exposure to thermal radiation,
or estimating damage to structures based on peak overpressure and duration).

Risk Assessment

However many the resources we devote to the prevention of accidents, we can
never eliminate every risk. We have to decide our priorities: Which risks should
we deal with first? Which are so small compared with the other risks to which we
are exposed that we should tolerate them, at least for the time being? Often, the
judgment is qualitative: Some risks are illegal; some are obviously intolerably large
or acceptably small; sometimes a generally accepted standard or code of practice
tells us what to do. In other cases, the decision is not obvious and we use a numeri-
cal method known as quantitative risk assessment (QRA), probabilistic risk assess-
ment (PRA), or, in the chemical industry, hazard analysis (Hazan).

Stages of Risk Assessment

Before carrying out a risk assessment, we have to identify the hazards (i.e., the
substances, objects, or situations that can give rise to injury or damage) using one
of the methods described earlier. (A risk, in contrast, is the probability that injury
or damage will occur.) There are then three questions to answer:

• How often will injury or damage occur?
• What is the extent of the injury or damage?
• What action should we take?

Whenever possible, the answer to the first question should be based on experi-
ence, but often there is no experience, as the equipment is new or failure has never
occurred. We then estimate a failure rate for the equipment as a whole, based on the
known failure rates of its components, as described earlier. Similarly, the answer to
the second question should be based on experience whenever possible but can be
estimated by one of the methods described earlier. The answer to the third
question depends on the nature of the consequences. If damage is possible but
injury is not, then the average cost of the damage (including consequential loss)
is compared with the cost of prevention.
If injury is possible, then the QRA approach is to set a target or criterion,
usually based on the risk to life. Risks above a certain level should be removed
or reduced as a matter of priority. Those below this level can be left alone, at least
for the time being. Thus, QRA is a method for determining priorities. In a later
development, there are two levels of risk. Risks above an upper level are considered
intolerable; if they cannot be reduced, the plant should not be built (or should not
be operated if it is already built). The risk considered tolerable for members of
the public is much lower than that considered tolerable for employees. Risks below
a much lower level are considered acceptable and need not be reduced. In between
the two levels, we reduce the risks if we can, but we tolerate them if it is impractica-
ble or very expensive to do so. The pressure to reduce them is great if the risk is
near the intolerable level and reduces as we approach the acceptable level.
The extent to which this approach is used and the risk levels are made explicit
differs from country to country. The United Kingdom has long accepted the princi-
ple that we should compare the size of a risk with the cost, in money, time, and
trouble, of removing it (although the ability to pay is not a deciding factor). If
there is a gross disproportion between them, the risk being insignificant in relation
to the cost, the risk can be tolerated. QRA was therefore accepted readily and the
regulatory authority has suggested figures for the tolerable and acceptable risk
levels. Other governments have been reluctant to admit that even trivial and infre-
quent risks should be tolerated and this has hindered the use of QRA.
The actual risk levels suggested for the United Kingdom are as follows. They
are similar to those used by many organizations elsewhere.

                                                      Risk of death per
                                                      person per year
Maximum tolerable risk (employees)                    10⁻³
Maximum tolerable risk (public)                       10⁻⁴
Maximum tolerable risk (public—nuclear risks)         10⁻⁵
Broadly acceptable risk (employees and public)        10⁻⁶

The maximum tolerable risk to employees seems rather high, but this risk is, in
fact, tolerated in some industries.

For comparison, the annual risk of death from all causes is about 10⁻⁴ for
someone aged 20 years and about 10⁻³ for someone aged 60 years.
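Putting the quantified event tree described earlier together with these risk criteria, as an added example that is not code from the text (and not the sulfuric acid splash tree of Fig. 4): a constructed loss-of-cooling initiating event is passed through three independent protection layers, the outcome frequencies are obtained from the branch probabilities, and the resulting individual risk is placed in the intolerable, tolerable-if-impracticable-to-reduce, or broadly acceptable band. The initiating frequency, layer failure probabilities, fatality probabilities and occupancy are all assumed values; only the criteria come from the table above.

```python
"""Quantified event tree through independent protection layers, with the
individual risk placed against the QRA criteria given in the text.

Added example, not code from the text. The initiating event, the layers,
their failure probabilities, the fatality probabilities and the occupancy
are constructed for illustration; only the risk criteria come from the text.
"""

# Risk of death per person per year: (maximum tolerable, broadly acceptable),
# as given in the text for the United Kingdom.
CRITERIA = {
    "employees": (1e-3, 1e-6),
    "public": (1e-4, 1e-6),
    "public (nuclear)": (1e-5, 1e-6),
}


def classify_risk(risk_per_year, population):
    """Place an individual risk in one of the three bands described in the text."""
    upper, lower = CRITERIA[population]
    if risk_per_year > upper:
        return "intolerable"
    if risk_per_year < lower:
        return "broadly acceptable"
    return "tolerable only if further reduction is impracticable"


def quantify_event_tree(initiating_frequency, layers, final_outcome):
    """Walk the event tree. Each layer is a branch point: if it succeeds the
    sequence ends with that layer's outcome; if it fails (probability pfd)
    the disturbance passes to the next layer. Returns a list of
    (branch description, outcome, frequency per year)."""
    branches = []
    frequency = initiating_frequency
    for name, pfd, success_outcome in layers:
        branches.append((f"{name} succeeds", success_outcome,
                         frequency * (1.0 - pfd)))
        frequency *= pfd                 # failure branch carries the remainder
    branches.append(("all layers fail", final_outcome, frequency))
    return branches


def individual_risk(branches, fatality_probability, occupancy):
    """Risk of death per year for one person: sum over outcomes of
    frequency x P(fatality | outcome) x fraction of time the person is
    present. Outcomes absent from fatality_probability are harmless."""
    return sum(freq * fatality_probability.get(outcome, 0.0) * occupancy
               for _, outcome, freq in branches)


# Constructed scenario: loss of reactor cooling challenges three layers in turn.
INITIATING_FREQUENCY = 0.1           # loss-of-cooling events per year (assumed)
LAYERS = [
    # (layer, probability of failure on demand, outcome if the layer works)
    ("high temperature alarm, operator stops feed", 0.1, "controlled shutdown"),
    ("high temperature interlock closes feed valve", 0.01, "controlled shutdown"),
    ("relief valve opens", 0.01, "discharge through relief"),
]
FINAL_OUTCOME = "vessel rupture"
FATALITY_PROBABILITY = {             # P(death | outcome) for a nearby worker (assumed)
    "discharge through relief": 0.05,
    "vessel rupture": 0.5,
}
OCCUPANCY = 0.2                      # fraction of the year the worker is present (assumed)


def analyse_loss_of_cooling():
    """Quantify the constructed tree and classify the employee risk."""
    branches = quantify_event_tree(INITIATING_FREQUENCY, LAYERS, FINAL_OUTCOME)
    risk = individual_risk(branches, FATALITY_PROBABILITY, OCCUPANCY)
    return {
        "branches": branches,
        "employee_risk": risk,
        "employee_band": classify_risk(risk, "employees"),
    }


if __name__ == "__main__":
    result = analyse_loss_of_cooling()
    for description, outcome, freq in result["branches"]:
        print(f"{freq:9.2e} /yr  {outcome:26s} ({description})")
    print(f"individual risk to employee: {result['employee_risk']:.2e} /yr "
          f"-> {result['employee_band']}")
```

Note that each harmful outcome on its own falls below the broadly acceptable level; it is the sum over outcomes that lands the worker in the middle band, which is why the criteria are applied to total individual risk rather than to one scenario at a time.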

Public Attitudes

Quantitative risk assessment is difficult to explain to the public. They pick on the
fact that a number of people could be killed in an industrial accident but ignore
the fact that the probability that this will occur is extremely low. The death of 10
people once in 10 years is given far more publicity than the death of 1 person per
year for 10 years. As a result, public pressure often compels industry and govern-
ment to reduce risks which are already low but which the public perceives as high.
At its best, this is democracy in action; at its worst, it is giving the most to those
that shout the loudest.
The public tends to oppose risks with the following traits:

• Imposed rather than accepted voluntarily
• Not under the individual’s control
• Of no obvious benefit to them
• Man-made rather than natural
• Unfamiliar
• Dreaded (e.g., cancer is more dreaded than heart disease though the latter kills
far more people)
• Immoral (e.g., crime is feared more than road accidents)
• Associated with unpleasant events (e.g., nuclear power reminds us of atomic
bombs)

When the public cannot judge the message, they judge the messenger. Unfortu-
nately, most of these concerns make the man in the street oppose the chemical
industry: The risks are imposed, not under his control, man-made, unfamiliar, and
dreaded; past experience has been unpleasant; the industry does not obviously
benefit him; and the spokesmen for the industry are often outsiders. There is no
easy way of countering this perception. We try to explain the benefits of the indus-
try and the low levels of risk, but we cannot say that accidents will never happen.

Incident Investigation

The purpose of incident investigation is to find out why the incident occurred so
that we can prevent it from happening again. The purpose is not to find out who
should be blamed. Many people have an opportunity to prevent almost every inci-
dent. Figure 5 shows by example the opportunities that are available to prevent a
fire or minimize the consequences of an apparently simple incident: An expansion
joint (bellows) was incorrectly installed in a pipeline so that it was distorted. After
some months, it leaked and a passing vehicle ignited the escaping vapor. Damage
was extensive, as the surrounding equipment had not been fire-protected to save
the cost.

FIG. 5 An example of an accident chain. An expansion joint (bellows) was incorrectly installed so
that it was distorted. After some months, it leaked and the escaping vapor was ignited by a
passing vehicle. Damage was extensive, as the surrounding equipment had not been fire-
protected to save the cost. Many people in various functions could have prevented the incident
or minimized the consequences.

Many people could have prevented the fire, not just the fitter who installed the
expansion joint incorrectly. The fire could have been prevented by better detailed
design (not using expansion joints for hazardous materials), by better design meth-
ods (using HAZOP, consulting experts, better design standards, better training of
designers), by better training of the fitter, by better inspection of workmanship,
by keeping eyes open on plant visits, and by not tolerating poor workmanship in
the past.
We should investigate all incidents, including those which, by good fortune,
caused no injury or damage but might easily have done so. Next time, they may.

Finding the Facts

• Include people with a variety of experience on the investigating panel. It should
not be too large; four or five people are usually sufficient.
• Do not disturb evidence that may be useful to experts who may be called in
later.
• Draw up a list of everyone who may be able to help, such as witnesses, experts,
designers, and people on other shifts.
• Be patient when questioning witnesses. Valuable information may be missed
if we try to take police-type statements. Do not put ideas into people’s minds.
Avoid questions to which the answer is ‘‘yes’’ or ‘‘no.’’
• Make it clear that the objective of the investigation is to find out the facts, so
that we can prevent the incident happening again, not to establish blame.
• Inform any authorities who have to be notified.
• Record information on damage and injuries so that others can use it for predic-
tion.

Drawing Conclusions from the Facts

Accident investigation is like peeling an onion. Beneath the immediate technical
causes, look for ways of avoiding the hazard, such as inherently safer design. Look
also for weaknesses in management, such as poor training or instructions or turning
a blind eye to previous failures to follow instructions.
Concentrate on prevention rather than causes. Look for causes that lead to
actions. Do not, for example, quote corrosion as a cause and stop there. Ask if it
was foreseen. If not, why? If it was foreseen, why did it occur? Was the right
material of construction used? Were operating conditions outside the design range?
Was monitoring carried out? If so, were the results followed up?
Preventing leaks is a more effective way of preventing liquid and gas fires than
removing sources of ignition (although we should also do what we can to remove
known sources of ignition). Avoid the use of the term ‘‘human error’’ and never
recommend someone to take more care. Instead, ask if we need better training,
better instructions, or better compliance with instructions and, if so, say how this
will be achieved. If an error was due to a slip or lapse of attention, inevitable from
time to time, look for ways of removing opportunities for error.
It is often useful, especially when investigating fires and explosions, to ask
why it occurred when it did and not at some other time. It is also useful to ask
if similar incidents, perhaps with less serious results, have occurred before,
what recommendations were then made, and if they were effective or allowed to
lapse.
Avoid long shopping lists of possible recommendations. Ask if the cost of each
recommendation is proportional to the size of the risk. Consider alternative solu-
tions as well as the obvious ones.
For each recommendation, make it clear who will carry it out and when. Bring
the report forward at that time. Otherwise, nothing will happen except a repeat of
the incident.
Managers should not accept reports that fall short in any of these respects.
They should look out for what is not said. For example, writers of accident reports
are naturally reluctant to draw attention to similar incidents that had occurred else-
where and, if they had been followed up, could have prevented the accident.

Spreading the Message

Many companies restrict the circulation of incident reports, but this will not prevent
the incident from happening again. We should circulate the essential messages
throughout the company. There is no need to say where the incident occurred.
Remember that incident reports grab people’s attention and are read, whereas ad-
vice and instruction are put aside to be read when we have time (if we ever do).
Having paid the high price of an accident, we can recover some of the cost by
turning it into a learning experience.
Circulate reports containing new or forgotten information throughout the indus-
try, so that others can learn from them. There are several reasons for doing so.

• Moral: If we have information that might prevent another accident, we have a
duty to pass it on.
• Pragmatic: If we tell other organizations about our accidents, they may tell us
about theirs.
• Economic: We would like our competitors to spend as much as we do on safety.
• The industry is one: Every accident affects its reputation.

Remembering the Message

Incident reports are written, acted on, and then filed and forgotten. After a few
years, people forget the reasons for the changes that were made. Procedures lapse
or the equipment falls out of use and the incident happens again, even in the plant
where it happened before. To prevent this from happening we should do the fol-
lowing:

• Include in every instruction, code, and standard a note on the reasons for it and
accounts of accidents that would not have occurred if the instruction, code, or
standard had been followed.
• Never remove equipment before you know why it was installed. Never abandon
a procedure before you know why it was adopted.
• Describe prior accidents as well as recent ones in safety bulletins and discuss
them at safety meetings. Giving the message once is not enough.
• Follow up at regular intervals to see that the recommendations made after acci-
dents are being followed, in design as well as operations.
• Remember that the first step down the road to an accident occurs when someone
turns a blind eye to a missing blind.
• Include important accidents of the past in the training of undergraduates and
company employees.
• Keep in every control room a folder of reports on past accidents. It should be
read by all new arrivals and others should browse it during quiet shifts.
• Devise better retrieval systems so that we can find, more easily than at present,
details of past accidents in our own and other companies and the recommenda-
tions made afterward.

The Management of Safety
Inherently Safer Design

The first step in the management of safety, after the hazards have been identified
(see the section Hazard Identification and Hazard Evaluation), is to see if they can
be removed. Only when we cannot do so, should we look for ways of keeping
them under control or mitigating their consequences. When we remove a hazard,
the safety is inherent in the design and cannot be lost. When we control a hazard,
the protective equipment may fail, or be neglected, or the safety procedures may
lapse.
Note that we refer to inherently safer, not safe, design as we can rarely, if ever,
remove every hazard. The principal routes to inherently safer design are as follows:

• Intensification or minimization: Using so little hazardous material that it does
not matter if it all leaks out. ‘‘What you don’t have, can’t leak.’’ This may
seem obvious but until the explosion at Flixborough, UK in 1974 little thought
was given to ways of reducing the amount of hazardous material in a plant.
Engineers simply designed a plant and accepted whatever inventories the design
required, confident that they could keep it under control. Flixborough weakened
that confidence, and 10 years later, Bhopal almost destroyed it.

Microreactors promise much greater intensification than has been possible in
the past. Intensification, when it is practicable, is the first choice, as it brings about
greater reductions in cost. If less material is present, we need smaller pipes and
vessels and smaller structures and foundations.

• Substitution: If intensification is not possible, then an alternative is substitution,
using a safer material in place of a hazardous one. Thus, it may be possible
to replace flammable solvents by nonflammable ones and processes that use
hazardous raw materials or intermediates by processes that use safer ones.
• Attenuation or moderation: Another alternative to intensification is attenua-
tion—using a hazardous material under the least hazardous conditions. Thus,
liquefied chlorine and ammonia can be stored as refrigerated liquids at atmo-
spheric pressure instead of storing them under pressure at ambient temperature.
The lower pressure results in smaller leaks through a hole of a given size
and the lower temperature results in less evaporation.
• Limitation of effects, by changing designs or reaction conditions rather than by
adding on protective equipment, which may fail or be neglected. For example,
it is better to prevent overheating by using steam or oil at a safe temperature
than by using a hotter medium and a control system.
• Simplicity: Simpler plants are safer than complex plants, as they provide fewer
opportunities for error and contain less equipment that can develop faults. They are
usually also cheaper.

Defense in Depth

The hazards that cannot be removed have to be controlled. Because we depend
on equipment and people, both of which may fail, we use defense in depth. If we
handle flammable liquids or gases and an inherently safer design is not possible,
we use some or all of the following:

• Prevent leaks by good design, construction, maintenance, and operation.
• Install automatic detectors so that leaks are detected promptly and people not
required to deal with the leak can leave the area.
• Install remotely operated emergency isolation valves in places where leaks are
most likely to occur or where a large quantity could leak.
• Remove all known sources of ignition.
• Minimize damage by installing fire protection. Passive equipment such as fire
insulation is usually better than active equipment such as water spray turned
on by automatic equipment. This is better than active equipment turned on by
people.
• Provide fire-fighting equipment.

It is essential to carry out regular audits—tests and inspections to make sure
that automatic equipment is in working order and that procedures have not lapsed.

Human Factors

Engineers are interested in equipment, its failures, and ways of preventing them
and often less interested in people. However, all systems involve both equipment
and people. Engineers, whether they are designers, supervisors, or managers,
therefore should understand the way people interact with equipment and why they
sometimes fail to act in the way we instruct them or expect them to act.

• Some errors, usually called mistakes, occur because people do not know what
to do. The intention was wrong. Employers should provide adequate training
and instructions and should not write the sort of instructions that are designed
to protect the writer rather than help the reader. However, for many instructions
we write, problems will arise that are not covered by them and so people, partic-
ularly operators, should be trained in flexibility (i.e., the ability to diagnose and
handle unforeseen situations). If instructions are not being followed, are they
too complex? Can the job be simplified?
• Some errors, usually called violations or noncompliances, occur because some-
one knows what to do but makes a deliberate decision not to do it. Some viola-
tions occur because all people carrying out routine tasks tend to cut corners
after a while. Many more occur because people think they know a better way
of doing the job. Note that if the instructions are wrong, noncompliance may
achieve the intention. There is a fine line between showing initiative and break-
ing the rules.

To prevent or reduce violations, we should do the following:

• Explain the reasons for the instructions. We do not live in a society in which
people will simply do as they are told. They want to know the reason why.
• If possible, simplify the job. If the correct method is difficult, an incorrect
method will be used.
• Carry out checks from time to time to see that instructions are being followed
and do not turn a blind eye if they are not.
• Some errors (mismatches) occur because the job is beyond the physical or men-
tal ability of the person asked to do it, sometimes beyond anyone’s ability. For
example, errors occur if people are overloaded, or underloaded, or asked to
break well-established habits. We should change the plant design or method of
working.
• The fourth category is the commonest—a momentary slip or lapse of attention.
People know what to do, intend to do it, and are able to do it, but it slips their
mind. Compared with mistakes, the intention is correct but is not fulfilled. They
happen to everyone from time to time and cannot be prevented by telling people
to be more careful or by telling them to keep their minds on the job. All we
can do is to change the plant design or method of working so as to remove
opportunities for error (or minimize the consequences or provide opportunities
for recovery). We should, whenever possible, design inherently safer plants
which can withstand errors (and equipment failures) without serious effects on
safety (and output and efficiency).

Managers and designers as well as operators make errors, but because they
usually have time to check their work, slips and lapses of attention are infrequent.
Most of their errors are mistakes or violations.

Management Systems

Some management systems have been discussed in earlier sections on risk assess-
ment, hazard identification, and accident investigation. The following are also im-
portant:

The preparation of equipment for maintenance: Many accidents have occurred
because equipment was not isolated correctly, was not freed from hazardous
materials, or was not correctly identified and the wrong equipment was opened
up. Sometimes, procedures were poor; sometimes, they were not followed.
The management of change: Many accidents have occurred because a change to
plant, process, or organization had unforeseen effects. Before any change is
made, it should be examined by professionally qualified people using HAZOP
(or a simpler technique if the change is minor) and then inspected after comple-
tion to make sure that the intention has been followed and that the modification
looks right. What does not look right is often wrong and should always be
checked.
Testing and inspection of equipment: All protective equipment is liable to fail and
should be tested or inspected at regular intervals. When active equipment such
as relief valves and interlocks fails, the failure is usually hidden and regular
testing is necessary. If passive equipment such as fire insulation is missing,
this is visible, but, nevertheless, it should be checked regularly. If 10% of the
fire insulation on a vessel is missing, the rest is useless. The following equip-
ment is often overlooked but should be tested or inspected regularly:
• Drain holes in relief valve tailpipes. If they choke, rainwater will accumulate
in the tailpipe.
• Drain valves in tank bunds. If they are left open, the bund is useless.
• Emergency equipment such as diesel-driven firewater pumps and genera-
tors.
• Earth connections, especially the moveable ones used for earthing road
tankers.
• Fire and smoke detectors and fire-fighting equipment.
• Flame arrestors.
• Hired equipment. Who will test it, the owner or the hirer?
• Labels are a sort of protective equipment. They vanish with remarkable
speed and regular checks should be made to make sure that they are still
there.
• Mechanical protective equipment such as overspeed trips.
• Nitrogen blanketing (on tanks, stacks and centrifuges).
• Nonreturn valves and other backflow prevention devices, if their failure can
affect the safety of the plant.
• Open vents. These are the simplest possible sort of relief device and should
be treated as relief valves.
• Spare pumps, especially those fitted with auto-starts.
• Steam traps.
• Trace heating (steam or electrical).
• Valves, remotely operated and hand-operated, which have to be used in an
emergency.
• Ventilation equipment.
• Water sprays and steam curtains.
All protective equipment should be designed so that it can be tested or inspected.
Test results should be displayed for all to see, for example, on a board in the
control room.

Operators sometimes regard tests and inspections as a nuisance, interfering
with the smooth operation of the plant. Training should emphasize that protective
equipment is there for their protection and they should ‘‘own’’ it.
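The point about hidden failures can be put in numbers. The added example below (not from the source) assumes a protective device that fails at a constant, unrevealed rate and is only found failed at a proof test; it estimates that rate from a constructed test record, computes the average probability that the device is failed when a demand arrives, and finds the test interval needed to hold that probability to a target.

```python
"""Hidden failures and proof-test intervals for protective equipment.

Added example, not from the source text. Assumption: the device fails at a
constant rate lam (per year) in a way nobody notices until the next test,
carried out every T years, after which it is restored to good condition.
"""
import math
from typing import List, Tuple


def prob_failed_at(lam: float, t: float) -> float:
    """Probability the device is already failed t years after it was last proven good."""
    return 1.0 - math.exp(-lam * t)


def pfd_average(lam: float, test_interval: float) -> float:
    """Average probability of failure on demand over one test interval.

    Averaging 1 - exp(-lam*t) over t in [0, T] gives 1 - (1 - exp(-lam*T)) / (lam*T),
    which is close to lam*T/2 when lam*T is small: halving T roughly halves the
    chance that the device is found wanting on the day it is needed.
    """
    x = lam * test_interval
    if x <= 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def failure_rate_from_tests(n_tests: int, n_found_failed: int, test_interval: float) -> float:
    """Estimate lam from routine test records.

    Each test finds the device failed with probability 1 - exp(-lam*T), so the
    observed fraction k/n gives lam = -ln(1 - k/n) / T. This is why the number of
    faulty protective systems found by routine testing is worth recording.
    """
    if not 0 <= n_found_failed < n_tests:
        raise ValueError("need at least one test and fewer failures than tests")
    return -math.log(1.0 - n_found_failed / n_tests) / test_interval


def interval_for_target(lam: float, target_pfd: float) -> float:
    """Longest test interval (years) keeping the average PFD at or below target_pfd.

    pfd_average rises monotonically with the interval, so bisect on it.
    """
    lo, hi = 1e-6, 1.0
    while pfd_average(lam, hi) < target_pfd:   # grow until the target is bracketed
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if pfd_average(lam, mid) <= target_pfd:
            lo = mid
        else:
            hi = mid
    return lo


def interval_table(lam: float, intervals: List[float]) -> List[Tuple[float, float]]:
    """(interval, average PFD) pairs for comparing test policies."""
    return [(T, pfd_average(lam, T)) for T in intervals]


# Constructed record: 40 annual tests of a relief valve, 2 of which found it stuck.
N_TESTS, N_STUCK, TEST_INTERVAL_YEARS = 40, 2, 1.0

if __name__ == "__main__":
    lam = failure_rate_from_tests(N_TESTS, N_STUCK, TEST_INTERVAL_YEARS)
    print(f"estimated hidden failure rate: {lam:.4f}/yr")
    for T, pfd in interval_table(lam, [0.25, 0.5, 1.0, 2.0, 4.0]):
        print(f"test every {T:4.2f} yr -> average PFD {pfd:.4f}")
    print(f"interval for PFD <= 0.01: {interval_for_target(lam, 0.01):.2f} yr")
```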

Remembering the past: A most important system, discussed in the subsection
Remembering the Message, is one to ensure that the lessons learned from past
accidents, in our own and other companies, are not forgotten and that the
information can readily be retrieved.
Introducing and maintaining systems: When systems are introduced or changed,
they should be discussed with those who will have to operate them and not
just sent to them through the mail. Discussions should start with descriptions
of incidents that would not have occurred if the systems had been in operation
at the time. These have much more impact than mere procedures and bring
out the need for the changes. Discussions will allow the manager to check that
the message has been received and understood and he may discover that it is
impracticable or difficult to use in its present form.

All systems are subject to a form of corrosion more rapid than that which
affects the steelwork and can vanish without trace once managers lose interest.
Continuous monitoring is necessary to make sure that systems continue in use.

Limitations of systems: Some managers seem to believe that good safety manage-
ment systems will ensure a safe plant. All the systems can do, however, is
ensure that people’s knowledge and experience are applied systematically. If
the staff lack knowledge and experience, then the systems are empty shells.
People will go through the motions, but the output will be poor. Without a
system, people will not achieve their full potential. Without knowledge and
experience, systems will achieve nothing. This is a particular danger at times
when companies are reducing manpower and experienced people are leaving.
Senior managers should systematically assess the levels of knowledge and ex-
perience needed and ensure that they are maintained.

Audits

We need audits of equipment and procedures by outsiders because of the following:

• Those who work in a plant do not notice the hazards they see every day.
• Auditors may have specialized knowledge and thus see hazards not apparent
to others.
• Auditors have more time for investigation in depth than those who work regu-
larly on a plant.

Safety auditing should not be a police activity; it is intended to help the local
management, who may miss hazards through familiarity, ignorance, or lack of
time.
Auditors should pay particular attention to the following:

• The quality of the training and instructions and the knowledge and experience
of employees.
• The procedures for preparing equipment for maintenance, controlling modifica-
tions, and testing protective equipment and whether or not these procedures are
actually followed.
• Procedures for investigating accidents, passing on the lessons learned, and en-
suring that they are not forgotten.
• Process hazards as well as mechanical ones.
• Places where others do not look, behind and underneath equipment.
• Although it may be a separate exercise, process hazards should be reassessed
every few years in the light of new knowledge and new techniques.

Auditors (and managers) should visit the plant at night and at weekends, not just
during the day.

The Measurement of Safety

Whenever possible, we should provide a numerical measure of the success of each
management function. Accident rates in good companies are now so low that the
usual measure of safety, the lost-time accident rate, merely measures luck and the
willingness of injured people to remain at work. In any case, it never measured
process safety. Possible additional or alternative measures are as follows:

• An index based on audit results. Unlike many other measures of safety, this
one tries to detect falling standards before an accident occurs.
• A monthly summary of the cost of incidents.
• An annual report of the progress made in reducing inventories of hazardous
substances.
• The number of faulty permits-to-work found by routine inspection.
• The number of faulty protective systems found by routine testing.

Mitigation

Mitigation is the cornerstone of emergency management. It is the ongoing effort
to lessen the impact disasters have on people and property. Mitigation involves
keeping homes and populated areas away from industry, engineering process plants
to be inherently safer, and creating and enforcing effective engineering codes to
protect employees, the public, and the environment from potential process plant
upsets and incidents.
Mitigation is defined as ‘‘sustained action that reduces or eliminates long-term
risk to people and property from hazards and their effects.’’ Mitigation measures
ensure that people and their family and belongings are better protected from
floods, earthquakes, hurricanes, and other natural hazards. They
can be utilized to help business and industry avoid damages to their facilities and
remain operational in the face of catastrophe. Mitigation technologies can be used
to strengthen hospitals, fire stations, and other critical service facilities so that they
can remain operational or reopen more quickly after an event. In addition, mitiga-
tion measures can help reduce disaster losses and suffering so that there is less
demand for money and resources in the aftermath.
In practice, mitigation can take many forms. It can involve actions such as the
following:

• Promoting sound land use planning based on known hazards
• Buying flood insurance to protect your belongings
• Relocating or elevating structures out of the floodplains
• Having hurricane straps installed to more securely attach a structure’s roof to
its walls and foundation
• Developing, adopting, and enforcing effective engineering codes and standards
• Engineering process plants to be inherently safer
• Using fire-retardant materials in new construction
• Developing and implementing a plan in your business or community to reduce
your susceptibility to hazards

In the multiple-barriers concept and development of inherently safer layers of
protection, mitigation is a much lower-level activity and should be looked at only
when all other measures in the inherently safer hierarchy are exhausted. For exam-
ple, mitigation should be addressed only after the following options have been
exhausted:

• Inherent safety: These include inventory reduction (i.e., fewer chemicals stored
or less in process vessels), substitution of a less hazardous chemical for one
more hazardous, and use of lower temperatures and pressures.
• Engineering design: Examples are use of better seals or materials of construc-
tion, ensuring proper operating conditions and material purity, and installing
dikes and spill vessels.
• Management: Examples include consistent operating policies and procedures,
training for vapor release prevention and control, audits and inspections, equip-
ment testing, maintenance program, management of modification and changes
to prevent new hazards, and general plant security.

Some of the common mitigation techniques employed by process plants are
as follows:

• Early vapor detection and warning: Detection by sensors or personnel. Depending
on the nature and extent of the chemical hazards, some plants may
choose to employ very sophisticated sensor systems. For example, a pipeline
company handling sour gas mixtures with very high H2S content decided to
install an early warning H2S-sensing system. The system, known in the industry
as Teledyne Geotech’s ‘‘LASP’’ (Leak Alarm System for Pollutants) [27,28],
consisted of a semipermeable tubing which is laid above the sour gas pipeline
under the ground. The tubing is capable of drawing air through it, which is
analyzed for H2S contamination at regular intervals. Another common technique
utilized to protect high-hazard pipelines is the installation of labeled warning
ribbons approximately 1 ft below grade over the pipeline.
• Use of engineered and management systems to impede the progress of the re-
leased chemicals. Some of the engineered systems, which have been very effec-
tive in mitigation, include water sprays, water curtains, steam curtains, and air
curtains. Management systems may include standing procedures to deliberately
ignite explosive clouds, procedures for forced dilution of contaminant, and pro-
cedures to mitigate or suppress released chemicals by the use of foams and
other suppressants.
Isolation by distance of a chemical process from on-site and off-site
surrounding populations is generally a very effective consequence-mitigation
measure. Separating the process from vulnerable populations affords both
attenuation of the effects and time to provide emergency response. The isolation
distances needed to appreciably reduce blast effects and impact from toxic
releases are significantly large, so this type of mitigation measure is not useful
for the protection of on-site personnel. Other hazard mitigation measures should be used for
protection of on-site personnel. For example, explosion hazards may warrant the
construction of blast-resistant buildings or blast walls. Toxic release hazards may
require the availability of shelter-in-place facilities or escape respirators. Some
process plants use consequence modeling in deciding the layout of the plant. For
example, a hazards analysis early in the design stage may identify one particular
unit as having the greatest potential for a toxic release and that unit may then be
located on the site as far as possible from off-site neighbors, perhaps considering
prevailing wind directions as well.
Process integrity may also be addressed in the engineering design. Process
integrity involves the chemistry of plant design and operation. Mitigation after loss
of containment can also be effective and usually must be provided for in the process
design stage. Secondary containment by double-walled piping or double-walled
vessels may be needed. Dikes, curbs, and trenches leading away from storage ves-
sels to strategically located impoundments can be used to reduce the rate of evapo-
ration, help keep the liquid source of the vapor away from the most sensitive areas
of the plant, and limit the extent of emergency response activities.
Mitigation measures such as active and passive scrubbers, stacks, flares, catch
tanks for vapor–liquid separation, incinerators, absorbers, adsorbers, and condens-
ers are used widely for reducing the impact after loss of containment. CCPS’s
Guidelines for Vapor Release Mitigation [29] provides detailed discussions on
these mitigation techniques.

Response

Emergency response plans for process plants should be developed in accordance
with applicable governmental regulations and operating company requirements.
Written emergency response procedures, accident investigation protocol and proce-
dures, and repair procedures should be prepared, and the appropriate operating
personnel should be trained in their proper use. Results of risk assessment studies
and hazard zone calculations should be used in the formulation of emergency re-
sponse actions contained in the emergency plans.
In addition to being quickly and effectively warned of a dangerous situation,
personnel need to know ahead of time the best response to minimize their chances
of being affected by the vapors. Questions that should be settled in advance include
emergency shutdown criteria, incident commander designation, and the roles of
incident commander and other emergency personnel. Other issues that should be
settled in advance include circumstances which would warrant shelter-in-place for
the employees and the affected public.
Communicating warnings to potentially exposed personnel is essential in an
emergency. Warnings can be communicated through the use of public address
systems, alarm systems, and sirens. Recently, many companies are also moving
toward the installation of automatic telephone dialing and alerting systems for
communicating hazard warnings to downwind personnel. Preprogrammed computers
can be used to dial thousands of preselected numbers in very short periods of time.
Every plant should establish clearly defined procedures for emergency shut-
down of equipment. The procedures should clearly indicate what constitutes an
emergency situation. The extent and nature of steps taken to bring the process
back under control should also be clearly indicated. Finally, the conditions which
would unambiguously require a shutdown should be spelled out. Personnel
authorized to make the decision to shut down should be aware of their responsibilities
and the role of other personnel.

Technology Advances

Advances in the understanding of chemical hazards have led to the development
of new technology in the arena of process design, equipment, and risk management.
A discussion of three major areas of development is given here.

Relief Valve Sizing and Overpressure Alternatives

Recent research on relief valve sizing and overpressure protection alternatives has
focused on the development of validated engineering design procedures for the
proper sizing of safety relief valves for systems which involve two-phase flows
of viscous fluids. Systems which are being considered include single-phase viscous
liquids and gas flows, ‘‘frozen’’ (e.g., air–liquid) two-phase flows of gases and
viscous liquids, and flashing flows of viscous and nonviscous liquids.

Reactive Chemistry

In the Reactive Chemistry arena, calorimeters are being used increasingly for
studying the thermal behavior of reactive systems. One such calorimeter is the
Reactive Systems Screening Tool (RSST), which is designed for rapid
measurement of thermal behavior of small samples (10 cm³) for temperatures up to 400°C
and pressures to 500 psia. Another apparatus is the Automatic Pressure Tracking
Adiabatic Calorimeter (APTAC) for detailed analyses of thermal behavior of larger
samples (up to ⬃130 cm3) for temperatures up to 450°C and pressures up to 2000
psia. In this calorimeter, closed-cell sample pressures are continuously matched
by an external pressure of nitrogen so that sample cells of low mass and therefore
low thermal inertia can be used for highly sensitive measurements of sample ther-
mal behavior. Other advanced features of the APTAC include in situ additions to
the sample cell of reactants or catalysts with a high-pressure syringe pump.

During typical experiments with each calorimeter, the sample temperature is
measured during temperature scans in which the temperature is increased at a steady
rate or held isothermally (in the APTAC). Thermal energy released or absorbed
by the sample (as defined by sample temperature changes of ≥0.04°C/min) is
measured by the calorimeter as a nearly adiabatic excursion from the thermal scan
baseline. For each sample, the thermal peaks can be identified and measured from
ambient up to 450°C (up to 400°C in the RSST). With this experimental capability,
investigations of the thermal behavior of wide ranges of reactive systems and systems
of questionable chemical compatibility can be performed; the results, in turn, are used
to design safe processes and choose safe operating conditions.

Safety Integrity Levels

Industry is moving toward the use of high-integrity protection systems to reduce
flare loading and alleviate the need to upgrade existing flare systems when expanding
facilities. In the process industry, a key safety consideration is the control of and
response to overpressure situations. Industry standards from the American Petroleum
Institute (API) and American Society of Mechanical Engineers (ASME) provide
criteria for the design of vessels and the protection of these vessels from overpressure.
Traditionally, pressure relief valves and flares were used to handle the relieving
of vessels in the worst credible scenario. Flare loading calculations gave no credit
for operator intervention, fail-safe equipment operation, or trip systems.
In many communities and countries around the world, the belt is tightening
on the venting and combustion of gases. It is simply not acceptable to flare large
volumes of gas. In addition, the cost of designing and installing large flare systems
has continued to rise. API 521 and Case 2211 of ASME Section VIII, Divisions 1
and 2, provide alternatives in the design of overpressure protection systems. These
alternatives revolve around the use of an instrumented system that exceeds the
protection provided by a pressure relief valve and flare system.
ASME Code Case 2211, approved in 1996, sets the conditions under which
overpressure protection may be provided by an instrumented system instead of a
pressure relief valve (PRV). The ruling is intended to enhance the overall safety
and environmental performance of a facility by utilizing the most appropriate
engineered option for pressure protection. Although there are no specific performance
criteria in the Code Case, the substitution of a high-integrity protection system
for the pressure relief valve should provide a safer installation. Consequently, the
substitution is generally intended for limited services where the PRV may not
work properly due to process conditions (e.g., plugging or multiple phases). The
overpressure protection can be provided by a safety instrumented system in lieu
of a pressure-relieving device under the following conditions:
One of the most important criteria for safety instrumented system (SIS) design
is the requirement that the user assign and verify the safety integrity level (SIL)
for the SIS [30]. The assignment of the SIL is a corporate decision based on risk
management philosophy and risk tolerance. The SIS should be designed to meet
a safety integrity level which is appropriate for the degree of hazard associated
with the process upset. Safety integrity levels per draft IEC 61508 [31,32] and
ANSI/ISA S84.01 [33–37] are designated in Table 7.

TABLE 7 Safety Integrity Levels

Safety integrity level     Availability required   Probability to fail on demand (PFD)   1/PFD
4 (IEC 61508 only)         >99.99%                 10⁻⁵ to 10⁻⁴                          100,000–10,000
3 (IEC 61508, ISA S84)     99.90–99.99%            10⁻⁴ to 10⁻³                          10,000–1,000
2 (IEC 61508, ISA S84)     99.00–99.90%            10⁻³ to 10⁻²                          1,000–100
1 (IEC 61508, ISA S84)     90.00–99.00%            10⁻² to 10⁻¹                          100–10

Note: IEC 61508 defines levels 1–4; ANSI/ISA S84.01 defines levels 1–3.
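
As an added illustration of how the bands in Table 7 are applied when a SIS is
substituted for a PRV (example code written for this article, not part of the
original text): it classifies a loop's average PFD into an IEC 61508 or ISA S84
level and, going one step beyond the table, estimates that PFD from per-leg
dangerous failure rates and the proof-test interval using the simplified IEC
61508-6 expressions for 1oo1 and 1oo2 voting. The loop layout, failure rates,
and test interval are constructed assumptions, not data from any standard or vendor.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Table 7 (low-demand mode): SIL n requires 10**-(n+1) <= PFD < 10**-n, and
# RRF = 1/PFD.  IEC 61508 defines SIL 1-4; ANSI/ISA S84.01 stops at SIL 3.
MAX_SIL = {"IEC 61508": 4, "ISA S84": 3}

def achieved_sil(pfd: float, standard: str = "IEC 61508") -> int:
    """Highest Table 7 SIL whose PFD ceiling the loop beats, capped at the
    standard's top level; 0 means PFD >= 0.1, i.e. no SIL credit at all."""
    if not 0.0 < pfd < 1.0:
        raise ValueError("PFD must be a probability strictly between 0 and 1")
    sil = 0
    for level in range(1, MAX_SIL[standard] + 1):
        if pfd < 10.0 ** -level:
            sil = level
    return sil

@dataclass
class Subsystem:
    """One SIF leg; lambda_du is its dangerous undetected failure rate per hour."""
    name: str
    lambda_du: float
    voting: str = "1oo1"

    def pfd_avg(self, proof_test_interval_h: float) -> float:
        # Simplified IEC 61508-6 expressions, ignoring common cause and repair:
        # 1oo1 -> lambda*T/2,  1oo2 -> (lambda*T)**2/3.
        x = self.lambda_du * proof_test_interval_h
        if self.voting == "1oo1":
            return x / 2.0
        if self.voting == "1oo2":
            return x * x / 3.0
        raise ValueError(f"unsupported voting scheme {self.voting!r}")

def sif_pfd_avg(legs: List[Subsystem], proof_test_interval_h: float) -> float:
    """The legs act in series, so the loop PFD is the sum of the leg PFDs."""
    return sum(leg.pfd_avg(proof_test_interval_h) for leg in legs)

def verify_sil(legs: List[Subsystem], proof_test_interval_h: float,
               target_sil: int, standard: str = "IEC 61508") -> Tuple[float, int, bool]:
    """Return (loop PFD, achieved SIL, whether the target SIL is met)."""
    pfd = sif_pfd_avg(legs, proof_test_interval_h)
    sil = achieved_sil(pfd, standard)
    return pfd, sil, sil >= target_sil

# Constructed SIS replacing a PRV on a plugging-prone service; target SIL 2.
# Failure rates are illustrative assumptions, not vendor or standard data.
PT = Subsystem("pressure transmitter", 1.0e-6)
LS = Subsystem("logic solver", 1.0e-7)
XV = Subsystem("shutdown valve", 2.0e-6)
SINGLE = [PT, LS, XV]                                           # PFD 1.36e-2 -> SIL 1
REDUNDANT = [Subsystem(PT.name, PT.lambda_du, "1oo2"), LS, XV]  # PFD 9.22e-3 -> SIL 2
```

With an annual proof test (8760 h), verify_sil(SINGLE, 8760.0, 2) lands in SIL 1 and verify_sil(REDUNDANT, 8760.0, 2) just reaches SIL 2; because the valve leg dominates the loop PFD, halving the proof-test interval for the single-channel design (verify_sil(SINGLE, 4380.0, 2)) reaches SIL 2 with a lower PFD than adding a second transmitter does.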

Industrial Hygiene and Toxicology

As the world becomes more industrialized in an attempt to increase the quality of
life, more and more environmental problems will require the attention of engineers,
managers, and planners. In the coming years, findings and advances on chemical
toxicity will require the implementation of stringent industrial hygiene standards.
Although there are many toxic effects, both acute and long-term, associated with
chemicals, one of the most dreaded is cancer. It is quite apparent that industrial
hygiene requirements in the coming years will be dictated to a large extent by the
upcoming findings on carcinogenesis and mutagenesis. By one estimate, there are
500 new chemicals marketed each year [38]. Thus, determining the toxicological
effects of these chemicals and, as a result, developing industrial hygiene programs
to protect people from these effects will command significant attention and
resources from process safety personnel.
Although workers are often exposed to contaminant mixtures, exposure regula-
tions do not take into account the effects of the various types of contaminant inter-
actions capable of modifying toxicity. To remedy this situation, the scientific re-
search and development of databases on the toxicity of mixtures are needed. With
this information, health and safety specialists will be able to quantify contaminant
interactions for any given situation.
Although substantial progress has been made in the United States toward im-
proving worker protections since 1970 (largely a result of occupational safety and
health research), workplace hazards continue to inflict a tremendous toll in terms
of human and economic costs. Clearly, there is much work to be done.
The practical impact of the toxicological and industrial hygiene research pro-
grams on the workplace largely depends on the actions of employers, employees,
and partners in governmental agencies, industry, labor, academia, and community
organizations. The stated objectives in this area include target levels of improve-
ments in work-related conditions. Examples are reducing work-related deaths and
injuries, reducing lost work days and incidences of cumulative trauma and skin
disorders, and increasing the number of workplaces with rehabilitation and safety
and health programs. The work of governmental agencies and research organiza-
tions has had and will continue to have an impact on improving health and safety
at the workplace; therefore, it will help address many of the issues related to work-
related hazards, injuries, illnesses, and deaths (such as musculoskeletal problems,
skin diseases, violence in the workplace, employee stress, and back injuries) as
well as categories of workers and prevention strategies for mine workers, farm
workers, and adolescents. In addition, surveillance efforts will assist the develop-
ment of comprehensive databases, thereby helping to establish baseline and trend
information in the occupational safety and health area.

Future Developments

The process safety requirements for chemical plants will become increasingly
stringent. In addition, the pressure to operate safely from the point of
view of competitiveness and profitability will also keep increasing. Finally, the
public outcry for improved safety performance also creates significant pressure on
the industry. In fact, in the future, process safety performance will quite likely be
dictated by national goal setting. This would require the establishment of a baseline
assessment of the status of process safety incidents. Given a baseline assessment,
National Chemical Safety Goals can be established, with the identification of the
activities necessary to accomplish the goals and the development of a measurement
system to measure progress toward the goals.
Regulatory programs and industrial standards and practices in the United States
have quite often been reactive (i.e., in response to catastrophic accidents or other
events). The pros and cons of establishing national process safety goals and evalua-
tion approaches include the following:

1. Stakeholder consensus on national chemical (process) safety goals
2. Identification of where we want to be and by when in relation to national
chemical safety goals
3. List of activities that need to be implemented to accomplish Step 2 above
4. Agreement on some common metrics for measurement of progress toward
national chemical safety goals

Summary and Conclusions

The industrial revolution brought prosperity and, along with it, the use of hazardous
processes and complex technologies. Growing economies and global competition
have led to more complex processes involving the use of hazardous chemicals, exotic
chemistry, and extreme operating conditions. As a result, a fundamental understanding
of the hazards and associated risks is essential. Process safety and risk
management requires the application of the basic sciences and a systematic ap-
proach. Recent advances, such as overpressure protection alternatives and reactive
chemistry, allow safer design and operation of processes.
In the multiple-barriers concept, plants are designed with several layers, so that
an accident would require the failure of several systems. Another novel approach to
process safety and risk management is to consider various actions in a descending
hierarchical order. Inherently safer design consideration should be first in the
hierarchy, followed by prevention systems, mitigation, and response. The success of
these systems is dependent on the fundamental understanding of the process and
the associated hazards. Chronic as well as catastrophic consequences resulting
from toxic and flammable substances can be reduced and/or eliminated through
appropriate design and operating practices.
In the end, progress toward the improvement in safety performance can be
measured only by a reduction in occupational injuries, illnesses, and fatalities. In
fact, measurable progress was made in the period 1970 to 1995, during which
the rate of workplace fatalities fell by 78% and the number of workplace deaths
declined by 62%. We have also seen a 25% decline in the rate of occupational
injuries and illnesses from 1973 through 1994. These reductions are the result of
the combined efforts of all the partners in occupational safety and health: industry,
labor, academic researchers, National Institute of Occupational Safety and Health,
Occupational Safety and Health Administration, Mining Safety and Health
Administration, state and local agencies, and others. No single partner can claim
exclusive credit for the progress. Thus, if further progress is to be made, all of the
partners must act—from identifying the causes of disease and injury through
controlling or eliminating the hazards or exposures at the worksite.

References

1. M. Connors, "The Battle for Industrial Safety," Fortune, 116[C-P] (August 4, 1997).
2. D. A. Crowl and J. F. Louvar, Chemical Process Safety: Fundamentals with Applications, Prentice-Hall, Englewood Cliffs, NJ, 1990.
3. Center for Chemical Process Safety, Guidelines for Safe Automation of Chemical Processes, American Institute of Chemical Engineers, New York, 1993.
4. American Petroleum Institute, Recommended Practice 750: Management of Process Hazards, API, Washington, DC, 1990.
5. "Notice of Proposed Rule Making on Process Safety Management of Highly Hazardous Chemicals": 29 CFR 1910.119, Federal Register, Washington, DC, July 17, 1990.
6. Chemical Manufacturers Association, Resource Guide for Implementing the Process Safety Management Code of Practices, Chemical Manufacturers Association, Washington, DC, 1990.
7. "Final Rule on Process Safety Management of Highly Hazardous Chemicals": 29 CFR 1910.119, Federal Register, Washington, DC, February 24, 1992.
8. Norwegian Petroleum Directorate, "Safety Evaluation of Platform Conceptual Design," Stavanger, Norway, 1981.
9. European Community Directive, "On the Major Accident Hazards of Certain Industrial Activities," 82/501/E, J. Eur. Community, L230 (June 1982).
10. Offshore Installation (Safety Case) Regulation 1992, Health and Safety Executive, London, UK, 1992.
11. "Techniques for Assessing Industrial Hazards," World Bank Technical Paper #55, Washington, DC, 1988.
12. Major Hazard Control, a Practical Manual, International Labour Office, Geneva, 1988.
13. Center for Chemical Process Safety, Guidelines for Chemical Process Quantitative Risk Analysis, American Institute of Chemical Engineers, New York, 1989.
14. R. J. Lewis (ed.), Sax's Dangerous Properties of Industrial Materials, 9th ed., John Wiley & Sons, New York, 1996.
15. P. G. Urben (ed.), Bretherick's Handbook of Reactive Chemical Hazards, 5th ed., Butterworth-Heinemann, Boston, 1995.
16. Dow Chemical Company, Dow's Fire and Explosion Index Hazard Classification Guide, 7th ed., American Institute of Chemical Engineers, New York, 1994.
17. Dow Chemical Company, Dow's Chemical Exposure Index Guide, American Institute of Chemical Engineers, New York, 1994.
18. Center for Chemical Process Safety (CCPS), Guidelines for Hazard Evaluation Procedures, 2nd ed., with Worked Examples, American Institute of Chemical Engineers, New York, 1992.
19. G. Wells, Hazard Identification and Risk Assessment, Institution of Chemical Engineers, Rugby, Warwickshire, UK, 1996.
20. Center for Chemical Process Safety (CCPS), Guidelines for Use of Vapor Cloud Dispersion Models, 2nd ed., American Institute of Chemical Engineers, New York, 1996.
21. Center for Chemical Process Safety (CCPS), Guidelines for Evaluating the Characteristics of Vapor Cloud Explosions, Flash Fires, and BLEVEs, American Institute of Chemical Engineers, New York, 1994.
22. Center for Chemical Process Safety (CCPS), Guidelines for Consequence Analysis of Chemical Releases, American Institute of Chemical Engineers, New York, 1999.
23. G. E. DeVaull, J. A. King, R. J. Lantzy, and D. J. Fontaine, Understanding Atmospheric Dispersion of Accidental Releases, American Institute of Chemical Engineers, New York, 1995.
24. The Netherlands Organization for Applied Scientific Research (TNO), Methods for the Calculation of Physical Effects, Parts 1 and 2, CPR-14, 3rd ed., SdU Uitgevers, The Hague, 1997.
25. F. P. Lees, Loss Prevention in the Process Industries, 2nd ed., Butterworth-Heinemann, Boston, 1996.
26. H. G. Fisher, H. S. Forrest, S. S. Grossel, J. E. Huff, A. R. Muller, J. A. Noronha, D. A. Shaw, and B. J. Tilley, Emergency Relief System Design Using DIERS Technology, American Institute of Chemical Engineers, New York, 1992.
27. M. Mannan, D. B. Pfenning, and C. D. Zinn, "Sour Gas Pipeline—1: Risk-Analysis Procedures Ensure System Safety," Oil Gas J., 83–87 (June 3, 1991).
28. M. Mannan, D. B. Pfenning, and C. D. Zinn, "Sour Gas Pipeline—Conclusion: Line, Weather Conditions Among Variables to Determine Public Risk," Oil Gas J., 34–35 (June 10, 1991).
29. Center for Chemical Process Safety (CCPS), Guidelines for Vapor Release Mitigation, American Institute of Chemical Engineers, New York, 1988.
30. A. E. Summers, "Techniques for Assigning a Target Safety Integrity Level," ISA Trans., 37, 95–104 (1998).
31. IEC 61508, 65A/255/CDV, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems, Parts 1, 3, 4, and 5," International Electrotechnical Commission, Final Standard, December 1998.
32. IEC 61508, 65A/255/CDV, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems, Parts 2, 6, and 7," International Electrotechnical Commission, Final Draft International Standard, January 1999.
33. "Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Techniques, Part 1: Introduction," TR84.0.02, Draft, Version 4, March 1998.
34. "Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Tech-
