CIC - Process Hazard Analysis

DEFINITION

The term “process hazard analysis” refers to the set of various assessments conducted on a process installation in order to specify the necessary measures to prevent major accidents and to mitigate their consequences. For the operator of a Seveso company it serves as the definitive reference to demonstrate to the competent authorities that major accident hazards have been identified and controlled. A PHA focuses essentially on scenarios involving an undesired release of substances or energy from the process equipment, otherwise known as a loss of containment. The PHA should therefore identify in a systematic way all potential causes and consequences of loss of containment.

There are a variety of models and tools available for conducting an effective process hazard analysis. The operator should choose a method or methods that align well with company safety strategy, adapted as necessary to meet the objectives of the analysis, and taking into account the type and complexity of the process being analysed. The justification for selecting a particular method should be recorded in the documentation describing the PHA process and its outcome.

Fig. 1 Process hazard analysis is an important ingredient in implementation of the safety management system

LOSS OF CONTAINMENT - SCENARIOS AND MEASURES

The bow tie model is a useful tool for visualizing the sequence of events that may lead to a loss of containment and the sequence of events following a loss of containment that may either aggravate or reduce ensuing damages. The central point of the bow tie represents the loss of containment. In the bow tie model the initiating events represent the initial causes and the final events describe the damage to the various damage receptors.

Elaborating such a bow tie for an actual piece of equipment can easily become a very extensive and complex exercise. Indeed, there are usually many causes or initiating events of various kinds, such as process upsets, degradation of primary containment (corrosion, wear and tear, etc.), maintenance or modification works performed in an unsafe manner, and errors during construction (wrong type of material, external impact, etc.).

The loss of containment itself and the events following the undesired release of substances or energy are characterized by a high degree of uncertainty: location and size of the failure of the vessel or pipe, the spreading of substances, ignition in case of explosive atmosphere, domino effects, presence of damage receptors, etc.

While rendering the identification and analysis of scenarios between initial causes and the final damage difficult, the high number of intermediate events offers many ‘opportunities’ to intervene and stop the sequence of events. In the bow tie this is represented by the measures that act as barriers between the events. This brings us to an essential principle in controlling process safety: the provision of multiple complementary measures or ‘layers of protection’, each with a specific function, serving a specific preventive or mitigating strategy. This layers of protection approach is particularly useful for structuring a systematic analysis of the control measures for scenarios.

Because of their complexity, the analysis of LOC scenarios is often divided up into different efforts, each focusing on different aspects. The scenarios identified in different types of assessments can differ. For example, scenarios in a HAZOP study are mainly situated on the left side of the bow tie and have process upsets as initial events. Fire or explosion scenarios, on the other hand, that are analyzed to determine the need for mitigating measures, will typically start with a loss of containment (as initial event) or even subsequent events such as the fire or the explosion itself.

Fig. 2 Bow Tie Diagramme

SYSTEMATIC IDENTIFICATION AND ANALYSIS OF SCENARIOS

A PHA should meet the following general criteria:

  • the PHA is based on a systematic approach
  • the PHA must identify all equipment with the potential to cause a major hazard (based on nature and quantity of the hazardous substances present)
  • the PHA must identify all initial events of LOC for all equipment with a potential to cause a major accident and specify the measures to prevent the LOC
  • the PHA must identify all events following the LOCs with a potential to cause a major accident and specify all necessary measures to mitigate their consequences
  • the operator should be able to present the arguments to support his decision to consider the preventive and mitigating measures taken as being 'sufficient'
  • the PHA should be kept up to date and modified in function of modifications of the process installation
  • the PHA should be conducted before new installation or modified parts of installation are taken into service
  • the PHA should be reviewed periodically (for existing installations).

Recall the definition of the PHA: It can be a set of different assessments. The operator should choose the methods (or method) that are (or is) most appropriate for the objectives of the analysis.

Fig. 3 Layers of Protection Analysis - Conceptual Diagramme

EVALUATION OF CONTROL MEASURE STRATEGIES

In addition to the general criteria regarding the systematic character of the analysis given above, a number of criteria regarding the content of the PHA will be given in the following sections. Typically, control of process hazards can be achieved using a combination of one or more of 8 common strategies, that is, two types of preventive strategies and six types of mitigation strategies.

Essentially, preventive strategies should address two fundamentally different causes of loss of containment, as follows:

  • controlling process upsets (e.g. as a result of faulty control systems or failing equipment) and degradation
  • controlling degradation of primary containment (e.g. as a result of degradation phenomena such as corrosion, erosion, wear and tear, settlement, fatigue, etc.).

[1] The strategies here are identified because they are very commonly the defining strategies for process PHAs. Nonetheless, they should not be considered exclusive. Depending on the objective of the PHA, other types of strategies may be identified or another typology may be used. (Consider differences that might be required, for example, if the role of the PHA was to evaluate vulnerability to human factors.)

Mitigating strategies are types of responses to possible events, or a possible series of events after a loss of containment has occurred, which primarily aim to prevent an accident from developing. The list below identifies six types of responses that are routinely considered under mitigation [1]. Figure 3 above integrates these strategies into a conceptual representation of protection layers.

  • Stopping or reducing the release flow, in order to limit the quantities released. Once a loss of containment has occurred, limiting the release is the first possible mitigating action.
  • Containing or directing the spread of the released chemicals
  • Mitigation of damage due to fire
  • Mitigation of damage due to an explosion
  • Mitigation of damage due to a toxic release
  • Avoiding ignition sources. In cases in which inflammable liquids or gases can be released, an explosive atmosphere might occur and an explosion scenario is a potential risk.

In conducting the process hazard analysis, the operator should demonstrate that each of the strategies has been considered systematically (as far as these strategies are relevant given the type of hazardous substances present in the installation). In industrial practice these strategies are often not treated in one single analysis, but in multiple, more or less independent analyses.

The specific format of the PHA is not, however, within the scope of this document. Rather, it offers a framework for evaluating the integrity of the PHA process itself. Each control measure strategy consists of a number of optional measures for achieving the strategy’s objectives. Depending on the objective of the PHA, the analysis will study the adequacy of existing measures, or define additional control measures needed, or both. The type of measures in place, or under consideration, to execute the strategy will, to a large extent, define the technique used to evaluate the measure or measures. The next section describes elements of each strategy in detail and the techniques that can be used to produce the desired outcome.

Seveso inspectors expect operators to have identified the possible process upsets leading to a loss of containment in a systematic way. Every part of the installation containing hazardous substances should be addressed in the identification process. Whenever active measures are required to prevent a loss of containment, their reliability should be evaluated.

ANALYSING INDIVIDUAL CONTROL MEASURE STRATEGIES

CONTROLLING PROCESS UPSETS

Common considerations in evaluating control measures for process upsets include:

  • Process upsets are typically the result of faulty equipment (e.g., control systems, pumps, etc.) or error of operational personnel. As a result of these upsets, process parameters (pressure, temperature, concentration, etc.) can exceed the normal operating window and cause a loss of containment. The method most commonly used for identifying risks due to process upsets is HAZOP.
  • Control measures can be either passive (such as a design accommodating process conditions during the upset) or active (such as safety instrumented functions, pressure relief systems, operator actions responding to an alarm). The reliability of active measures, in contrast to passive measures, is not only driven by design but also by the quality and frequency of inspections. Typical techniques to assess reliability and a further need for risk reduction are LOPA (Layer of Protection Analysis) and risk matrices.
  • The identification process and the evaluation should be reviewed periodically. A five year cycle is appropriate in most cases.

PREVENTION OF LOSS OF CONTAINMENT DUE TO DEGRADATION

Seveso inspectors expect operators to have identified all specific types of degradation due to the normal or abnormal operational conditions (substances present, concentration, temperatures...). Operators should demonstrate that the inspection or monitoring techniques used are suitable for identifying and assessing the expected type of damage. Typical considerations include:

  • Process equipment should be resistant to loads imposed during normal operations (and in some cases to loads resulting from certain process upsets). For this purpose, all vessels and piping should be designed and constructed according to the applicable regulations and design standards.
  • Initial resistance can deteriorate as a result of various degradation phenomena (such as corrosion, erosion, hydrogen embrittlement, fatigue, creep, settlement, etc.) to a point where integrity is lost and a loss of containment occurs. Thus, as far as degradation cannot be avoided due to process and equipment conditions, the operator should show evidence that the degradation, and resulting damage to the operating envelope, are followed over time and timely corrective actions are taken before the integrity of the equipment is lost.
  • In addition to specific degradation mechanisms, inspection programs for primary containment systems should also cover common degradation phenomena (e.g. settlement of storage tanks, corrosion under insulation and supports, external atmospheric corrosion, etc.).
  • The operator should be able to demonstrate that each piece of equipment handling hazardous substances is fit for service until the next inspection.

LIMITATION OF THE SIZE OF AN ACCIDENTAL RELEASE

Seveso inspectors expect companies to have identified in a systematic way when measures are needed to stop or reduce a release from equipment with a considerable inventory of hazardous substances. In addition, the need for emergency isolation for all loading and unloading operations involving hazardous substances should be identified. Typically, an inspector should look at barriers in place to limit the release once it has occurred, with consideration of the following:

  • Once a leak has occurred, various actions are possible to limit the quantities released: isolating the leak from its source (by means of emergency isolation valves, check valves, excess flow valves, breakaway couplings, etc.) or transferring the content out of a leaking system. In addition, the operator should be able to demonstrate that all such measures in place are sufficient to control the risk, and that functionality is actively maintained.
  • This method for identifying appropriate measures can include consulting relevant knowledge bases (i.e., national and international standards, etc.) for codes of good practice, development of internal criteria, or a case by case evaluation, in order to determine the best fit for the scenario, given the substances, equipment and process involved.
  • The use of emergency isolation valves and similar measures is covered in various codes of good practice, for example, codes for the safe storage and handling of specific common substances such as LPG and ammonia. Alternatively, some companies have developed internal decision criteria with regard to the use of emergency isolation valves.
  • When active measures are selected to limit the release, the question of timely detection of the leak should be addressed. In order for active measures to be effective, leaks should be detected reliably and quickly.

Figure 4. Typical Storage Tank Control Measures are Bunds and Shut Off Valves (from Public Resource.Org)

CONTROL OF SPREADING OF SUBSTANCES ACCIDENTALLY RELEASED

Seveso inspectors expect operators to have identified the need for measures to control spreading in a systematic way. This identification process can involve applying regulations and permits requirements, consulting applicable codes, and the analyses of a number of representative scenarios dealing with the release and spreading of hazardous substances. An evaluation of the potential for spreading should take account of the following points:

  • Once released, substances will tend to spread and disperse creating hazardous situations and expanding the area at risk.
  • Spreading of toxic gases or vapour can be restricted by placing equipment inside closed buildings (specifically designed for this purpose) or by fighting outdoor releases with water curtains or water spraying systems.
  • The spreading of flammable or toxic liquids increases evaporation and spreads the risk of toxic or thermal exposure to a larger area.
  • Usually it is favourable to enhance dilution of inflammable vapors or gases by such means as water spraying or, in enclosed spaces, by ensuring natural or forced ventilation.
  • Special consideration should be given to the spreading of fire water to limit runoff into nearby water bodies.

PREVENTION OF IGNITION OF EXPLOSIVE ATMOSPHERES

Seveso inspectors should expect companies to comply with specific regulations directed at controlling this phenomenon. In particular:

  • The European Directive 1999/92/EC on the minimum requirements for improving the safety and health protection of workers potentially at risk from explosive atmospheres requires the employer to classify places where explosive atmospheres may occur into zones.
  • Directive 94/9/EC further defines equipment of certain categories that should be used in explosive atmosphere zones, except in the case where the use of alternatives is justified by a (documented) risk assessment. The identification of zones is described in numerous codes and guidelines.

However, inspectors should also be aware of the following potential risks that are not covered by legislation but that should be considered in a process hazard analysis:

  • Classification into zones and the use of exproof material only refers to the occurrence of explosive atmospheres in ‘normal operation’ (the situation when installations are used within their design parameters). Zoning cannot be considered a measure for preventing ignition in case the explosive clouds can extend beyond the classified areas.
  • Operators are also expected to take measures to avoid ignition of explosive atmospheres inside process equipment. Special attention should be given to static electricity originating from flowing liquids and powders.

MITIGATING DAMAGE DUE TO FIRE

Seveso inspectors expect an operator with a substantial fire hazard on site to have identified the need for passive or active fire protection in a systematic way. The operator should also have policies in place to protect people from the impacts of fire. As such, a typical evaluation of a fire scenario would at minimum consider the following elements:

  • Fire can cause damage to and failure of vessels and piping, the collapse of steel structures supporting equipment and piping and the destruction of wiring used for energy or electronic signals. This may lead to a further escalation of the calamity. For this reason, possible measures to limit damage to equipment include spacing, the use of barriers (fire walls), the use of fire resistant gaskets and valves, the provision of fire proofing and water cooling systems.
  • Damage to people can be avoided by a timely detection of fire and a subsequent (safe) evacuation. To a certain extent protection can be offered by fire resistant clothing.
  • The operator should also be able to specify the design specifications of the measure, for example, the level or rating of fire resistance for passive protection and the flow rate per protected surface area for water cooling systems, to meet criteria for fire mitigation as indicated by the scenario. Appropriate specifications for different situations can usually be found in existing regulations, guidelines, and codes.
  • Since fire protection only gives a temporary protection, the operator should also be able to demonstrate that the site has the means to detect, fight and stop the fire in time.

MITIGATING DAMAGE DUE TO EXPLOSION

Seveso inspectors expect companies to have identified the need for measures to mitigate the effects of an explosion. This includes more precisely the need for:

  • Explosion relief
  • Protection of buildings against external explosion

Explosion relief can be provided for explosion inside process equipment (e.g. weak seam roof in atmospheric storage tank, explosion panels on silos) or inside buildings or rooms where a substantial risk of explosion is present. The following strategies should be applied to evaluate the sufficiency of measures for mitigating explosion damage:

  • For each equipment with an internal risk of explosion the need for explosion relief should have been assessed
  • For each building or room containing process equipment containing substances that can create an explosive atmosphere upon (accidental) release, the need for explosion relief should have been assessed
  • For each building at risk one or more explosion scenarios should be elaborated. The blast effect of the explosion should be determined (the overpressure generated) as well as the damage to the building and its occupants. In case there is any substantial damage to be expected, the operator should justify why it is acceptable or take risk reducing measures.
  • To relieve pressure, measures should be applied to relieve the pressure wave (and in some cases the projection of fragments as well) towards a safe direction through the use of a partially open structure or by providing explosion panels in combination with explosion proof walls shielding vulnerable areas. This strategy is typically applied for rooms inside buildings where explosive atmospheres can occur or that are housing equipment with specific explosion risks (e.g. highly exothermic reactions). It is also typically applied in storage of explosives.
  • To protect buildings, measures should be applied that provide protection from the impact of a pressure wave originating from outside the building. Normally, the application of appropriate safety distances or pressure resistant construction can achieve this objective. In addition, for existing buildings, various types of structural reinforcement are possible.

MITIGATION OF DAMAGE DUE TO TOXIC RELEASE

Seveso inspectors expect the operator to have identified the need for mitigating measures in case of a toxic cloud in a systematic way. This involves the identification of the areas where a toxic atmosphere may be expected as a result of an accidental release of toxic substances. One can distinguish between two situations.

  1. The occurrence of a toxic cloud threatening people present in certain areas and buildings on site.
  2. An individual person is exposed to a (local) release during a manual operation (such as disconnecting flexible hoses, taking samples, draining and filling, etc.).

There are a number of measures that can be applied to prevent exposure to toxic clouds, including:

  • In specific areas at risk, it is recommended to limit occupancy.
  • Sensors detecting elevated concentrations of particular gases may be used to trigger evacuation or sheltering in safe havens.
  • Ingress of toxic clouds in buildings may be avoided by providing a sensor that shuts down air intake from outside.
  • Manual operations involving a risk of exposure should be identified and the appropriate personal protective equipment should be specified and worn by persons who perform the manual work involved for the duration of the task.

 

QUESTIONS FOR SEVESO INSPECTORS

This questionnaire relates to internal audits to check compliance with the SMS, so this means periodic checks whether the procedures of the SMS are being correctly applied. Indentation is used to explore some issues in more detail (if the inspector wishes to do so). Most questions are closed and should be answered positively. Negative answers can only be accepted if a company can demonstrate it has an alternative solution in place or if the question is not relevant or applicable.

PHA Documentation

  1. Does the operator have a PHA (one or more controlled documents) describing the risks of major accidents and the measures to prevent major accidents and to mitigate any consequences?
  2. Has the PHA been kept up to date and modified in function of modifications of the process installation?
  3. Has the PHA been conducted before new installations or modified parts of installations have been taken into service?
  4. Has the PHA been reviewed periodically (for existing installations)?
  5. Has the PHA identified all equipment with a potential to cause a major hazard (based on nature and quantity of the hazardous substances present)?
  6. Has the PHA identified all initial events of loss of containment (LOC) for all equipment with a potential to cause a major accident and specified the measures to prevent the LOC?
  7. Select one or a few examples of equipment and LOC scenarios and follow the PHA up more closely. When and how was the PHA done, what were the results, have the proposed measures been implemented, etc.? Start with one of the most serious accident scenarios.
  8. Has the PHA identified all events following the LOCs with a potential to cause a major accident and specified all necessary measures to mitigate their consequences?
  9. Can the operator present the arguments to support his decision to consider the preventive and mitigating measures taken as being 'sufficient'?
  10. To which extent have the risks been reduced in the light of the PHA?
  11. How many unacceptable risks remained that have not been adequately addressed?

PHA Procedures

  1. Is there a procedure describing how process hazard analyses are done (techniques used, people involved, …)?
  2. Do the analysis method(s) chosen for analyzing the process hazards meet the objectives and do they take into account the type and complexity of the process being analyzed?
  3. Is the justification for selecting a particular method, and for the competencies that take part in the PHA work, recorded in the documentation describing the PHA process and its outcome?
  4. Is the PHA based on a systematic approach? The operator should demonstrate that each of the strategies has been considered systematically (as far as these strategies are relevant given the type of hazardous substances present in the installation).
  5. Does the operator take into account the available information on best practices when analysing the process hazards?
  6. Does the operator take into account the experiences from incidents and lessons learned when analysing the process hazards?

Control of process upsets

  1. Has the operator identified all the possible process upsets leading to a loss of containment in a systematic way?
  2. Did the operator evaluate these risks and did he specify measures to reduce the likelihood that these process upsets lead to a loss of containment?

Control of degradation

  1. Has the operator identified all specific types of degradation due to the normal or abnormal operational conditions (substances present, concentration, temperatures …) in a systematic way?
  2. For each process equipment containing hazardous substances, are the degradation phenomena identified and documented?
  3. Is there an inspection plan for each process equipment (indicating the type of inspections and the intervals)?
  4. For each piping system containing hazardous substances, are the degradation phenomena identified and documented?
  5. Can the operator demonstrate that each piece of equipment handling hazardous substances is fit for service until the next inspection? Or rather that the process will remain within the safe operation window. This might also need input from the maintenance department.

Limitation of the Size of an Accidental Release

  1. Did the operator consider in a systematic way the need for measures to detect accidental releases in an early stage?
  2. Did the operator examine in a systematic way the need for measures to limit the size of an accidental release (such as emergency isolation systems, emergency transfer, depressurization, ...)?

Control of Spreading of Substances Accidentally Released

  1. Did the operator examine in a systematic way the need for measures to control the spreading of hazardous liquids in case they are accidentally released (such as containment bunds, draining systems)?
  2. Did the operator examine in a systematic way the need for measures to control the spreading of toxic or inflammable vapours and gases in case they are accidentally released?
  3. Did the operator take the necessary measures to avoid environmental pollution due to firefighting water run off?

Prevention of Ignition of Explosive Atmospheres

  1. Did the operator identify zones with an explosive risk during normal operation (according to the European ‘Atex’ Directive 1999/92/EC on the minimum requirements for improving the safety and health protection of workers potentially at risk from explosive atmospheres)?
  2. Can the operator demonstrate that in the zones classified according to the Atex directive explosion proof equipment is used?
  3. Did the operator identify equipment where an internal explosive atmosphere is present or can be present? Did the company define measures to avoid ignition of any explosive atmospheres inside process equipment?
  4. Did the operator identify the risks of explosive atmospheres due to the accidental release (in abnormal conditions) of inflammable substances? Did the operator examine the need for avoiding ignition of explosive atmospheres due to such accidental releases?

Mitigating Damage Due to Fire

  1. Did the operator evaluate in a systematic way the need for passive and active fire protection to limit damage to the process equipment and process structures in case of a fire?
  2. Did the operator evaluate in a systematic way the need for measures to limit the spreading of fire in buildings used for storing hazardous chemicals or housing process installations?
  3. Did the operator identify the need for fire detection measures?
  4. Did the operator identify the need for fire fighting measures?

Mitigating Damage Due to Explosion

  1. Did the operator identify in a systematic way the need for measures to protect buildings from damage due to (external) explosions?
  2. Did the operator evaluate in a systematic way the need for explosion relief in buildings with a risk of an explosive atmosphere inside?
  3. Did the operator identify in a systematic way the need for explosion relief for equipment with a risk of internal explosions?

Mitigating Damage Due to a Toxic Release

  1. Did the operator identify the need for protecting people on site in case of a toxic cloud?
  2. Did the operator identify the need for protecting operators during manual operations involving toxic substances?
  3. Did the operator take measures to prevent people from entering a building or room in case a hazardous atmosphere has developed inside (due to a toxic leak)?
