Journal of Loss Prevention in the Process Industries Volume 17 Issue 3 2004 [Doi...


7/27/2019 Journal of Loss Prevention in the Process Industries Volume 17 Issue 3 2004 [Doi 10.1016%2Fj.jlp.2003.11.003]

Journal of Loss Prevention in the Process Industries 17 (2004) 179–185, www.elsevier.com/locate/jlp

    Risk analysis as a basis for safety management system

Micaela Demichela a,*, Norberto Piccinini a, Alfredo Romano b

a SAfeR, Centro Studi su Sicurezza, Affidabilità e Rischi, Politecnico di Torino, Corso Duca degli Abruzzi 24, I-10129 Torino, Italy
b TRR S.r.l., P.zza Giovanni XXIII 2, I-24046 Osio Sotto (BG), Italy

    Received 16 July 2003; received in revised form 9 November 2003; accepted 10 November 2003

    Abstract

    The paper shows, with a practical application, how the hazard identification and evaluation phase of the Safety Management

System (SMS) in a major risk installation (as defined by EC Directive CEE 96/82, Seveso II) is the sizing criterion for the whole SMS, with its procedures. Probabilistic risk assessment techniques are applied to a foaming agent production plant. The links between quantitative risk analysis steps and results and SMS procedures are explicitly shown. In conclusion, it is shown how a correct and careful risk analysis is necessary to design and implement an SMS able to pursue the policy's objectives, allowing an effective revision of the policy itself.

© 2003 Elsevier Ltd. All rights reserved.

    Keywords: Safety management system; Quantitative risk analysis

    1. Introduction

Safety in a chemical plant relies, among other things, on the adopted management criteria. They affect the whole plant life cycle: from plant design and construction, through the production activity, until its possible decommissioning. In particular, the Safety Management System (SMS) phase "Identification and evaluation of major hazards" attends to the adoption and implementation of procedures for systematically identifying major hazards arising from normal and abnormal operation and the assessment of their likelihood and severity.

The selection of risk analysis methods and their results, in terms of frequency of occurrence and magnitude of consequences, set up the sizing criteria for the whole SMS, with its procedures. In the following pages the links between the constituents of the accidental scenarios, identified by the risk analysis, and the relevant SMS procedures are explicitly shown with reference to a real case study. A summary is shown in Table 1.

The aim of the paper is to show the relevant SMS procedures depending on the risk assessment results. How to develop them is beyond the purposes of this work.

    2. The plant

The process is the synthesis of a non-ionic surfactant (tensioactive) by poly-addition of ethylene oxide (gas phase) to phenol (liquid phase).

In the reactor, both mixing and thermal exchange are assured by an external recirculation system (Romano, 2000).

The reaction is exothermic and fast: a cooling system keeps the temperature between 120 and 180 °C. Under these operating conditions an uncontrollable course of the reaction can occur, due to a possible accumulation of the reagents with the ensuing polymerisation of ethylene oxide. This last reaction is highly exothermic (18 kcal/mol) and fast and can follow a runaway course (Fig. 1). To avoid the runaway polymerisation both the reagent proportions and the temperature have to be kept under control.

In particular, the ethylene oxide flow rate is controlled with respect to the alcohol flow rate through control loop 1 (TDC1, FT1 and FAH1, with reference to Fig. 2), connected to an alarm and a non-automatic interlock system on both feeds.

* Corresponding author. Tel.: +39-011-564-46-29; fax: +39-011-564-46-45.

E-mail address: [email protected] (M. Demichela).

0950-4230/$ - see front matter © 2003 Elsevier Ltd. All rights reserved. doi:10.1016/j.jlp.2003.11.003


Pressure and temperature inside the reactor are continuously monitored and an alarm signal is provided both for low temperature (in case of reagent accumulation) and for high temperature and pressure (in case of runaway reaction). A relief valve (RV) is automatically operated on high pressure alarm. Furthermore, a bursting disk (RD) is installed to avoid the reactor collapse in case of runaway polymerisation.

    3. Hazard identification and assessment

A Recursive Operability Analysis (ROA) (Piccinini, Scarrone & Ciarambino, 1994; Piccinini & Ciarambino, 1997) was performed to identify the possible accident sequences in the plant. ROA is systematic and complete; its recursive mechanism assures the identification of the primary causes for each process deviation and develops its consequences until the major ones are identified. Furthermore, it allows direct extraction of logic trees (FT, ET, etc.) for subsequent quantification. This feature allows checking the congruity of the ROA itself, which would otherwise be impossible.

ROA forms are shown in Fig. 3, while in Fig. 4(a) and (b) the Fault Tree (FT) drawn directly from the ROA table is shown. The FT was solved with ASTRA-FT ver. 1.0 from CEC JRC Ispra (Contini & de Cola, 1996; Contini, Wilikens, Scheer, de Cola & Cojazzi, 1998), with the failure data shown in Table 2 (Lees, 1996), a mission time of one year, and a testing program for automatic protection devices every 6 months.

    4. Discussion of results

Quantitative solution of the FT showed the following results for the Top Event (TE) "Reactor collapse":

Number of minimal cut sets, MCS: 18
Unavailability of TOP event, QTOP: 2.56e-008
Expected number of failures of TOP event, WTOP: 2.56e-008
Mission time (hours): 8.76e+003
Truncation error: 3.30e-012

where 18 Minimal Cut Sets (MCS) of 5th, 6th and 7th order contribute to the total unavailability, as shown in Table 3.

Therefore the quantitative analysis showed the relative weight of each primary event identified in the ROA on the TE expected number of occurrences (Table 4 and Fig. 5).

Nomenclature

ET  Event Tree
ETOX  Ethylene oxide
FAH  Flow rate Alarm High
FT  Flow rate Transmitter
HHP  High High Pressure (Very high pressure)
HHT  High High Temperature (Very high temperature)
MCS  Minimal Cut Set
NI  Non-intervention
PAH  Pressure Alarm High
RD  Bursting Disk
ROA  Recursive Operability Analysis
RV  Relief Valve
SMS  Safety Management System
TAH  Temperature Alarm High
TAL  Temperature Alarm Low
TDC  Temperature Distributed Control
TE  Top Event
TT  Temperature Transmitter
TW, TWV  Three Way Valve

Table 1. Accidental scenario vs. Safety Management System, summary

SMS sections (columns): Organization and personnel; Identification & evaluation of major hazards; Operational control; Management of change; Planning for emergencies; Monitoring performance; Audit and review.

Accidental scenario (rows):
Primary events             X X X X X
Protective means           X X X X X
Frequency of occurrence    X X X X X
Consequences               X X X X X
Consequences mitigation    X X X X X X
Emergency planning         X X X X X X


    5. Safety management system sizing

In each plant the major objective is to prevent those events that may act as an initiating event for an accident. In practical terms this means performing inspections, maintenance and periodic tests on those elements, pieces of equipment or instruments identified as critical by the hazard analysis, and on their control and protection systems.

The events identified as critical for the plant object of this study, namely those that have the major importance in the formation of the Top Event, were:

E9 PAH 70 failure
E1 Bursting disk NI
E7 FT-1 failure
E13 Lack of cooling water (pump failure)
E11 TT failure
E2 TAH2 NI

It is on those elements that the efforts in reducing their failure frequency should be concentrated. For the SMS this corresponds to the issuing of specific procedures and the collection and analysis of maintenance data.

These procedures belong to the Operational control section of the SMS and must include, among other subjects:

Critical safety devices. All the critical devices must be identified. Their functions must be checked and their maintenance intervals must be clearly defined. Obviously, maintenance operations must be recorded.

Maintenance. This group of procedures has the aim of assuring the development, updating and use of maintenance practices and standards in order to perform an effective maintenance, according to the major accident prevention policy.

Equipment inspection. This group of procedures has the aim of assuring the preparation and periodical updating of equipment inspection planning.

All the failure rates and test intervals assessed in the previous steps and assumed for the Fault Tree solution have led to a frequency of occurrence for the Top Event "Reactor collapse" of 2.56 × 10⁻⁸ occ/year.

This frequency becomes a reference value for the SMS, which must at least maintain it over time. This assumption obviously impacts the Management of change section of the SMS.

New plant design; changes to existing plants or equipment. The aim of this group of procedures is to assure that, before changes to plants or services are implemented, the safety conditions are at least maintained both for installations and operators.

Fig. 1. Reaction temperature pattern.

Fig. 2. Simplified plant layout with control and safety devices.

It is quite evident that, due to the uncertainties affecting the frequency assessment, it is not so meaningful to use the above 2.56 × 10⁻⁸ occ/year as an absolute reference value; it is more like an order of magnitude. It is clearly more useful to make quantified comparisons between two possible design alternatives. As an example, to reduce the importance of the flow rate transmitter failure (E7) on the frequency of the Top Event (TE), it is possible to make the control loop independent from the alarm one, installing a dedicated transmitter, or to make the same component redundant.

The quantitative analysis shows that the first alternative is more effective, since it reduces the Top Event unavailability QTOP by 14%. The second alternative instead reduces QTOP by only 11%.

Once the hazards have been identified and quantified in terms of frequency of occurrence, the characterisation of the accidental scenario requires the consequence assessment.

The areas identified as targets of possible damage in case of an accident are the so-called Critical management areas, where the SMS must concentrate its attention. Based upon the results of the consequence evaluation, both mitigation measures and emergency planning are developed. The SMS must assure that those elements and conditions used as reference for the emergency planning (internal and external) are at least preserved over time.

Emergency planning involves the following elements (and related procedures):

Internal Emergency Plan. Its aim is to assure a ready and correct emergency management with respect to a possible major accident identified in earlier phases.

External communications. Its aim is to keep the Local Authorities informed about the risks of the installation. It is on this information that the Local Authorities should develop the External Emergency Plan.

Fig. 3. Recursive operability analysis of plant in Fig. 2.

Fig. 4(a). Fault tree for the TE Reactor Collapse.

Fig. 4(b). Fault tree for the TE Reactor Collapse.

In the end, it has to be considered that even a complex control system with automatic protection means does not make an installation immune from human errors. In the present study, in particular, the operator's missing intervention in case of alarm appears twice among the primary events of major importance. Even if this can also depend on the conventional unavailability chosen, operators will always be a key element in process operation, maintenance, inspections, emergency response and so on.

Thus the Organisation and personnel SMS section turns out to affect all the phases of the accidental scenario, having to define the roles and responsibilities of personnel involved in the management of major hazards at all levels in the organisation, the identification of training needs of such personnel and the provision of the training so identified, and the involvement of employees and, where appropriate, sub-contractors (Mitchison & Porter, 1998).

6. Conclusion

Probabilistic risk assessment techniques have been applied to a foaming agent production plant and the links between one of the accidental scenarios identified and the SMS sections have been explicitly shown.

Table 2. Failure rates

Event description                                      Failure rate [occ/10^6 h] or unavailability
Electronic control and actuation system (TDC1)         3
High/Low temperature alarm NI                          0.8
Flow rate transmitter failure                          109
TW valve stuck                                         1.5
High flow rate alarm NI                                2.7
Relief valve failure                                   0.5
ETOX control valve stuck open                          3.59
Temperature transmitter failure                        97
High pressure alarm NI                                 2.8
Bursting disk NI                                       0.012
Thermostatic fluid or water pump unexpected stop       104
Operator NI on alarm                                   0.015

NI = Non-intervention.

Table 3. Summary of minimal cut sets vs. order

Order   Number of MCS   QTOT       % of QTOP   WTOT       % of WTOP
5       8               2.55E-08   99.90       2.55E-08   99.90
6       8               2.26E-11   0.09        2.26E-11   0.09
7       2               3.01E-12   0.01        3.01E-12   0.01

Table 4. Importance of primary events

Event   Importance   Description
E9      1.0000E+00   PAH 70 failure
E1      1.0000E+00   Bursting disk NI
EU4     1.0000E+00   Operator NI on PAH 70
EU1     8.7282E-01   Operator NI on TAH2
E7      8.7247E-01   FT-1 failure
E13     6.1477E-01   Lack of cooling water (pump failure)
E11     5.7339E-01   TT failure
E2      1.2717E-01   TAH2 NI
E4      8.8669E-03   TWV malfunction
EU3     6.7511E-04   Operator NI on FAH1
E8      4.7349E-04   Flow rate valve stuck open
E10     3.9567E-04   TDC1 malfunction
E6      3.2850E-04   FAH-1 failure
E5      1.7922E-04   Thermostatic fluid pump failure
EU2     1.1770E-04   Operator NI on TAL2

NI = Non-intervention.


The paper has shown, with a practical application, how the hazard identification and evaluation section of the Safety Management System (SMS) in a major risk installation is the sizing criterion for the whole SMS, with its procedures.

Often the SMS is formulated without a quantitative risk assessment as a support, due to its costs in terms of time and money. But the lack of quantified terms of comparison (unavailability, extent of possibly damaged areas, etc.) makes it difficult to correctly define the objective of the management system itself. In conclusion, a correct and careful risk analysis is necessary to formulate and implement an SMS able to pursue the policy objectives, allowing an effective revision of the policy itself, above all in complex systems such as chemical plants.

References

Contini, S., & de Cola, G. (1996). A top down approach to fault tree analysis using binary decision diagrams. European Journal of Automation, 30(8).

Contini, S., Wilikens, M., Scheer, S., de Cola, G., & Cojazzi, G. (1998). ASTRA: An integrated tool set for complex systems dependability studies. In Proc. Tools98, Malente (Germany).

Mitchison, N., & Porter, S. (Eds.). (1998). Guidelines on a major accident prevention policy and safety management system, as required by Council Directive 96/82/EC (SEVESO II).

Piccinini, N., Scarrone, M., & Ciarambino, I. (1994). Probabilistic analysis of transient events by an event tree directly extracted from operability analysis. J. Loss Prev. Process Ind., 7(1), 23–32.

Piccinini, N., & Ciarambino, I. (1997). Operability analysis devoted to the development of logic trees. Rel. Eng. Syst. Safety, 55, 227–241.

Lees, F. P. (1996). Loss prevention in the process industries: hazard identification, assessment and control (2nd ed.). Oxford: Butterworth-Heinemann.

Romano, A. (2000). La politica di prevenzione degli incidenti rilevanti: dall'individuazione dei pericoli alla pianificazione delle emergenze. In Proceedings of the Conference VGR2k, Valutazione e gestione del rischio negli insediamenti civili ed industriali, Pisa, 24–26 Ottobre 2000.

    Fig. 5. Importance of primary events.
