TABLE OF CONTENTS
1. Introduction
   1.1. Safety Programs
   1.2. Engineering Ethics
      1.2.1. Fundamental principles
      1.2.2. Fundamental canons
2. HISTORY
   2.1. List of Industrial disasters
   2.2. DISASTER STATISTICS
      2.2.1. Four Major disasters
         2.2.1.1. Flixborough accident
         2.2.1.2. Bhopal Gas Tragedy
         2.2.1.3. The Seveso disaster
         2.2.1.4. The Texas Tragedy
3. Accident and Loss Statistics
4. Process safety
   4.1. The Process of risk analysis
   4.2. Definition of QRA
   4.3. Misconceptions about QRA
   4.4. Criteria for electing to use QRA
5. Legislation and Law
   5.1. What health and safety law requires
   5.2. Action on health and safety: Options
      5.2.1. Guidance
      5.2.2. Approved Codes of Practice
      5.2.3. Regulations
   5.3. How regulations apply
   5.4. What next?
   5.5. Some important pieces of health and safety
6. Recent Developments
   6.1. 25 Years after the Bhopal Gas Disaster
      6.1.1. Changes made in USA
      6.1.2. Changes Made in India
   6.2. Recommendations to improve chemical process safety management in India
7. References
LIST OF FIGURES
Figure 1.1 The ingredients of a successful safety program
Figure 2.2.1.1. A failure of a temporary pipe caused Flixborough accident
Figure 2.2.1.2. Reaction of the methyl isocyanate route used at Bhopal
Figure 2.2.1.4. Polyethylene plant settling leg and product take off system
Figure 4.1.(a) Elements of risk management
Figure 4.1.(b) Elements of risk analysis
Figure 4.2. The process of risk analysis
Figure 4.4. Decision criteria for selecting QRA
Figure 4.4. Decision criteria for selecting QRA (cont.)
LIST OF TABLES
Table 2.2. Disaster Statistics
Table 3.1 Accident Statistics for Selected Industries
Table 3.2. Fatality Statistics for Common Nonindustrial Activities
Table 4.4. Classical Limitations of QRA
Chapter 1 Introduction
In 1987, Robert M. Solow, an economist at the Massachusetts Institute of Technology, received the Nobel Prize in economics for his work in determining the sources of economic growth. Professor Solow concluded that the bulk of an economy's growth is the result of technological advances. It is reasonable to conclude that the growth of an industry is also dependent on technological advances. This is especially true in the chemical industry, which is entering an era of more complex processes: higher pressure, more reactive chemicals, and exotic chemistry. More complex processes require more complex safety technology. Many industrialists even believe that the development and application of safety technology is actually a constraint on the growth of the chemical industry. As chemical process technology becomes more complex, chemical engineers will need a more detailed and fundamental understanding of safety. H.H. Fawcett said, "To know is to survive and to ignore fundamentals is to court disaster."
Since 1950, significant technological advances have been made in chemical process safety. Today, safety is equal in importance to production and has developed into a scientific discipline that includes many highly technical and complex theories and practices. Examples of the technology of safety include hydrodynamic models representing two-phase flow through a vessel relief, dispersion models representing the spread of toxic vapour through a plant after a release, and mathematical techniques to determine the various ways that processes can fail and the probability of failure. Recent advances in chemical plant safety emphasize the use of appropriate technological tools to provide information for making safety decisions with respect to plant design and operation.
The word "safety" used to mean the older strategy of accident prevention through the use of hard hats, safety shoes, and a variety of rules and regulations. The main emphasis was on worker safety. Much more recently, "safety" has been replaced by "loss prevention". This term includes hazard identification, technical evaluation, and the design of new engineering features to prevent loss. The subject of this text is loss prevention, but for convenience, the words "safety" and "loss prevention" will be used synonymously throughout. Safety, hazard, and risk are frequently-used terms in chemical process safety.
Their definitions are:
Safety or loss prevention: the prevention of accidents through the use of appropriate technologies to identify the hazards of a chemical plant and eliminate them before an accident occurs.
Hazard: a chemical or physical condition that has the potential to cause damage to people, property, or the environment.
Risk: a measure of human injury, environmental damage, or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury.
Chemical plants contain a large variety of hazards. First, there are the usual mechanical hazards that cause worker injuries from tripping, falling, or moving equipment. Second, there are chemical hazards. These include fire and explosion hazards, reactivity hazards, and toxic hazards. As will be shown later, chemical plants are the safest of all manufacturing facilities. However, the potential always exists for an accident of catastrophic proportions.
Fig. 1.1 The ingredients of a successful safety program.
First, the program needs a system (1) to record what needs to be done to have an outstanding safety program, (2) to do what needs to be done, and (3) to record that the required tasks are done. Second, the participants must have a positive attitude. This includes the willingness to do some of the thankless work that is required for success. Third, the participants must understand and use the fundamentals of chemical process safety in the design, construction, and operation of their plants. Fourth, everyone must learn from the experience of history or be doomed to repeat it. It is especially recommended that employees (1) read and understand case histories of past accidents and (2) ask people in their own and other organizations for their experience and advice. Fifth, everyone should recognize that safety takes time. This includes time to study, time to do the work, time to record results (for history), time to share experiences, and time to train or be trained. Sixth, everyone (you) should take the responsibility to contribute to the safety program.
A safety program must have the commitment from all levels within the organization. Safety must be given importance equal to production. The most effective means of implementing a safety program is to make it everyone's responsibility in a chemical process plant. The older concept of identifying a few employees to be responsible for safety is inadequate by today's standards. All employees have the responsibility to be knowledgeable about safety and to practice safety.
It is important to recognize the distinction between a good and an outstanding safety program. A good safety program identifies and eliminates existing safety hazards. An outstanding safety program has management systems that prevent the existence of safety hazards. A good safety program eliminates the existing hazards as they are identified, whereas an outstanding safety program prevents the existence of a hazard in the first place. The commonly used management systems directed toward eliminating the existence of hazards include safety reviews, safety audits, hazard identification techniques, checklists, and proper application of technical knowledge.
1.2.2 Fundamental canons
1. Engineers shall hold paramount the safety, health, and welfare of the public in the performance of their professional duties.
2. Engineers shall perform services only in areas of their competence.
3. Engineers shall issue public statements only in an objective and truthful manner.
4. Engineers shall act in professional matters for each employer or client as faithful agents or trustees, and shall avoid conflicts of interest.
5. Engineers shall build their professional reputations on the merits of their services.
Chapter 2 HISTORY
2.1 List of Industrial disasters:
September 21, 1921: Oppau explosion in Germany. Occurred when a tower silo storing 4,500 tonnes of a mixture of ammonium sulfate and ammonium nitrate fertilizer exploded at a BASF plant in Oppau, now part of Ludwigshafen, Germany, killing 500–600 people and injuring about 2,000 more.
1932-1968: The Minamata disaster was caused by the dumping of mercury compounds in Minamata Bay, Japan. The Chisso Corporation, a fertilizer and later petrochemical company, was found responsible for polluting the bay for 37 years. It is estimated that over 3,000 people suffered various deformities, severe mercury poisoning symptoms or death from what became known as Minamata disease.
April 16, 1947: Texas City Disaster, Texas. At 9:15 AM an explosion occurred aboard a docked ship named the Grandcamp. The explosion, and subsequent fires and explosions, is referred to as the worst industrial disaster in America. A minimum of 578 people lost their lives and another 3,500 were injured as the blast shattered windows from as far away as 25 mi (40 km). Large steel pieces were thrown more than a mile from the dock. The origin of the explosion was fire in the cargo on board the ship. Detonation of 3,200 tons of ammonium nitrate fertilizer aboard the Grandcamp led to further explosions and fires. The fertilizer shipment was to aid the struggling farmers of Europe recovering from World War II. Although this industrial disaster was one of the largest involving ammonium nitrate, many others have been reported including a recent one in North Korea.
1948: A chemical tank wagon explosion within the BASF's Ludwigshafen, Germany site caused 207 fatalities.
June 1, 1974: Flixborough disaster, England. An explosion at a chemical plant near the village of Flixborough kills 28 people and seriously injures another 36.
July 10, 1976: Seveso disaster, in Seveso, Italy, in a small chemical manufacturing plant of ICMESA. Due to the release of dioxins into the atmosphere and throughout a large section of the Lombard Plain, 3,000 pets and farm animals died and, later, 70,000 animals were slaughtered to prevent dioxins from entering the food chain. In addition, 193 people in the affected areas suffered from chloracne and other symptoms. The disaster led to the Seveso Directive, which was issued by the European Community and imposed much harsher industrial regulations.
December 3, 1984: The Bhopal disaster in India is the largest industrial disaster on record. A faulty tank containing poisonous methyl isocyanate leaked at a Union Carbide plant. About 20,000 people died and about 570,000 suffered bodily damage.[1] The disaster caused the region's human and animal populations severe health problems to the present.
November 1, 1986: The Sandoz disaster in Schweizerhalle, Switzerland, releasing tons of toxic agrochemicals into the Rhine.
June 28, 1988: Auburn, Indiana, improper mixing of chemicals kills four workers at a local metal-plating plant in the worst confined-space industrial accident in U.S. history; a fifth victim died two days later.[2]
October 23, 1989: Phillips Disaster. Explosion and fire killed 23 and injured 314 in Pasadena, Texas. Registered 3.5 on the Richter scale.
2.2 DISASTERS
Number of Origin of accident Bulk cargo handling terminal Explosion Year Date Location Products involved Deaths 1997 1983 02.01 29.09 Mumbai Dhulwari Sulphur Gasoline 41 >100 .. Injured Evacuated
29.04 03.11 01.11 13.11 09.11 03.12 05.05 05.11 22.12 17.01 24.06 21.01 02.12 02.07 03.05 14.09 14.05 04.12 09.08 02.01 02.01 12.03 02.12 02.11
New Delhi Dhurabari Padaval New Delhi Bombay Bhopal Britannia Chowk Nagothane Jhurkully Bhatinda Bhopal Bhopal Calcutta Lucknow Mandir Asod Vishakapatnam Cochin New Delhi Tamil Nadu Thane District New Bombay Madras Maharashtra Medran India
Chemicals Oil Gasoline Toxic cloud (chemicals) Oil Methyl isocyanate Chlorine Ethane and propane Sulphur dioxide Ammonia Ammonia Ammonia Chlorine Ammonia gas Explosives
43 76 >43
20 >60 82 500 ..
Fire at a chemical store 1994 Fire in refinery Leakage Leakage Leakage Leakage Leakage Leakage leakage (transport accident) Leakage from a pipeline Leakage in an Ice Factory Plant explosion Refinery fire Release Release Transport Transport accident Transport accident Transport accident Transport accident Transport accident (leakage) 1988 1984 1989 1990 1988 1989 1987 1997 1991 1990 1980 1997 1985 1985 1985 1994 1991 1995 1995 1991 1985
35 2800 32 -
.. 200 000 ..
.. .. 200 000
400 200 200 50 34 .. 31 200 340 .. 298 150 23 2 000 93 1 25 150 150000 .. >10 ..
Hexacyclo-pentadiene Sulphuric acid Gasoline Chlorine gas Ammonia gas Fuel Ammonia gas Inflammable liquid Chlorine
1 60 4 1 ~100
Fig. 2.2.1.1 A failure of a temporary pipe section replacing reactor 5 caused the Flixborough accident.
The process where the accident occurred consisted of six reactors in series. In these reactors cyclohexane was oxidized to cyclohexanone and then to cyclohexanol using injected air in the presence of a catalyst. The liquid reaction mass was gravity-fed through the series of reactors. Each reactor normally contained about 20 tons of cyclohexane. Several months before the accident occurred, reactor 5 in the series was found to be leaking. Inspection showed a vertical crack in its stainless steel structure. The decision was made to remove the reactor for repairs. An additional decision was made to continue operating by connecting reactor 4 directly to reactor 6 in the series. The loss of the reactor would reduce the yield but would enable continued production because unreacted cyclohexane is separated and recycled at a later stage.
The feed pipes connecting the reactors were 28 inches in diameter. Because only 20-inch pipe stock was available at the plant, the connections to reactor 4 and reactor 6 were made using flexible bellows-type piping, as shown in Figure 1-10. It is hypothesized that the bypass pipe section ruptured because of inadequate support and overflexing of the pipe section as a result of internal reactor pressures. Upon rupture of the bypass, an estimated 30 tons of cyclohexane volatilized and formed a large vapour cloud. The cloud was ignited by an unknown source an estimated 45 seconds after the release.
The resulting explosion levelled the entire plant facility, including the administrative offices. Twenty-eight people died, and 36 others were injured. Eighteen of these fatalities occurred in the main control room when the ceiling collapsed. Loss of life would have been substantially greater had the accident occurred on a weekday when the administrative offices were filled with employees. Damage extended to 1821 nearby houses and 167 shops and factories. Fifty-three civilians were reported injured. The resulting fire in the plant burned for over 10 days.
This accident could have been prevented by following proper safety procedures. First, the bypass line was installed without a safety review or adequate supervision by experienced engineering personnel. The bypass was sketched on the floor of the machine shop using chalk! Second, the plant site contained excessively large inventories of dangerous compounds. This included 330,000 gallons of cyclohexane, 66,000 gallons of naphtha, 11,000 gallons of toluene, 26,400 gallons of benzene, and 450 gallons of gasoline. These inventories contributed to the fires after the initial blast. Finally, the bypass modification was substandard in design. As a rule, any modifications should be of the same quality as the construction of the remainder of the plant.
Fig. 2.2.1.2. The upper reaction is the methyl isocyanate route used at Bhopal. The lower reaction suggests an alternative reaction scheme using a less hazardous intermediate.
The reaction scheme used at Bhopal is shown at the top of Figure 2.2.1.2 and includes the dangerous intermediate MIC. An alternative reaction scheme is shown at the bottom of the figure and involves a less dangerous chloroformate intermediate. Another solution is to redesign the process to reduce the inventory of hazardous MIC. One such design produces and consumes the MIC in a highly localized area of the process, with an inventory of MIC of less than 20 pounds.
a bactericide, with trichlorophenol produced as an intermediate. During normal operation, a small amount of TCDD (2,3,7,8-tetrachlorodibenzoparadioxin) is produced in the reactor as an undesirable side-product. TCDD is perhaps the most potent toxin known to humans. Animal studies have shown TCDD to be fatal in doses as small as 10^-9 times the body weight. Because TCDD is also insoluble in water, decontamination is difficult. Nonlethal doses of TCDD result in chloracne, an acne-like disease that can persist for several years.
On July 10, 1976, the trichlorophenol reactor went out of control, resulting in a higher than normal operating temperature and increased production of TCDD. An estimated 2 kg of TCDD was released through a relief system in a white cloud over Seveso. A subsequent heavy rain washed the TCDD into the soil. Approximately 10 square miles were contaminated. Because of poor communications with local authorities, civilian evacuation was not started until several days later. By then, over 250 cases of chloracne were reported. Over 600 people were evacuated, and an additional 2000 people were given blood tests. The most severely contaminated area immediately adjacent to the plant was fenced, the condition it remains in today.
TCDD is so toxic and persistent that for a smaller but similar release of TCDD in Duphar, India, in 1963 the plant was finally disassembled brick by brick, encased in concrete and dumped into the ocean. Less than 200 g of TCDD was released, and the contamination was confined to the plant. Of the 50 men assigned to clean up the release, 4 eventually died from the exposure.
The Seveso and Duphar accidents could have been avoided if proper containment systems had been used to contain the reactor releases. The proper application of fundamental engineering safety principles would have prevented the two accidents. First, by following proper procedures, the initiation steps would not have occurred. Second, by using proper hazard evaluation procedures, the hazards could have been identified and corrected before the accidents occurred.
2.2.1.4. The Texas Tragedy
A massive explosion in Pasadena, Texas, on October 23, 1989, resulted in 23 fatalities, 314 injuries, and capital losses of over $715 million. This explosion occurred in a high-density polyethylene plant after the accidental release of 85,000 pounds of a flammable mixture containing ethylene, isobutane, hexane, and hydrogen. The release formed a large gas cloud instantaneously because the system was under high pressure and temperature. The cloud was ignited about 2 minutes after the release by an unidentified ignition source. The damage resulting from the explosion made it impossible to reconstruct the actual accident scenario. However, evidence showed that the standard operating procedures were not appropriately followed. The release occurred in the polyethylene product takeoff system, as illustrated in Fig
Figure 2.2.1.4. Polyethylene plant settling leg and product takeoff system.
Usually the polyethylene particles (product) settle in the settling leg and are removed through the product takeoff valve. Occasionally, the product plugs the settling leg, and the plug is removed by maintenance personnel. The normal and safe procedure includes closing the DEMCO valve, removing the air lines, and locking the valve in the closed position. Then the product takeoff valve is removed to give access to the plugged leg. The accident investigation evidence showed that this safe procedure was not followed; specifically, the product takeoff valve was removed, the DEMCO valve was in the open position, and the lockout device was removed. This scenario was a serious violation of well-established and well-understood procedures and created the conditions that permitted the release and subsequent explosion.
The OSHA investigation [13] found that (1) no process hazard analysis had been performed in the polyethylene plant, and as a result, many serious safety deficiencies were ignored or overlooked; (2) the single-block (DEMCO) valve on the settling leg was not designed to fail to a safe closed position when the air failed; (3) rather than relying on a single-block valve, a double-block-and-bleed valving arrangement or a blind flange after the single-block valve should have been used; (4) no provision was made for the development, implementation, and enforcement of effective permit systems (for example, line opening); and (5) no permanent combustible gas detection and alarm system was located in the region of the reactors.
(Number of injuries and illnesses x 200,000)/( Total hours worked by all employees during period covered)
An incidence rate can also be based on lost workdays instead of injuries and illnesses. For this case
OSHA incidence rate (based on lost workdays) = (Number of lost workdays x 200,000)/(Total hours worked by all employees during period covered)
The definition of a lost workday is given in Table 1-2. The OSHA incidence rate provides information on all types of work-related injuries and illnesses, including fatalities. This provides a better representation of worker accidents than systems based on fatalities alone. For instance, a plant might experience many small accidents with resulting injuries but no fatalities. On the other hand, fatality data cannot be extracted from the OSHA incidence rate without additional information.
The FAR is used mostly by the British chemical industry. This statistic is used here because there are some useful and interesting FAR data available in the open literature. The FAR reports the number of fatalities based on 1000 employees working their entire lifetime. The employees are assumed to work a total of 50 years. Thus the FAR is based on 10^8 working hours. The resulting equation is
FAR = (No. of fatalities x 10^8)/(Total hours worked by all employees during period covered)
The last method considered is the fatality rate or deaths per person per year. This system is independent of the number of hours actually worked and reports only the number of fatalities expected per person per year. This approach is useful for performing calculations on the general population, where the number of exposed hours is poorly defined. The applicable equation is
Fatality rate = (Number of fatalities per year)/(Total number of people in applicable population)
Both the OSHA incidence rate and the FAR depend on the number of exposed hours. An employee working a ten-hour shift is at greater total risk than one working an eight-hour shift. A FAR can be converted to a fatality rate (or vice versa) if the number of exposed hours is known. The OSHA incidence rate cannot be readily converted to a FAR or fatality rate because it contains both injury and fatality information.
OSHA incident rate (cases involving days away from work and deaths) Industry Chemicals and allied products Motor vehicles Steel Paper Coal mining Food Construction Agricultural Meat products Trucking All manufacturing 1985 0.49 1.08 1.54 2.06 2.22 3.28 3.88 4.53 5.27 7.28 1998 0.35 6.07 1.28 0.81 0.26 1.35 0.6 0.89 0.96 2.1 1.68 1986 4 1 1.83 40 67 10
FAR (deaths)
7.2 5 3.7
1.2
Activity
Voluntary activity Staying at home Traveling by Car Bicycle Air Motorcycle Canoeing Rock climbing Smoking (20 cigarettes/day) Involuntary activity Struck by meteorite Struck by lightning (U.K.) Fire (U.K.) Run over by vehicle
Recognizing that the chemical industry is safe, why is there so much concern about chemical plant safety? The concern has to do with the industry's potential for many deaths, as, for example, in the Bhopal, India, tragedy. Accident statistics do not include information on the total number of deaths from a single incident. Accident statistics can be somewhat misleading in this respect. For example, consider two separate chemical plants. Both plants have a probability of explosion and complete devastation once every 1000 years. The first plant employs a single operator. When the plant explodes, the operator is the sole fatality. The second plant employs 10 operators. When this plant explodes all 10 operators succumb. In both cases the FAR and OSHA incidence rate are the same; the second accident kills more people, but there are a correspondingly larger number of exposed hours. In both cases the risk taken by an individual operator is the same. It is human nature to perceive the accident with the greater loss of life as the greater tragedy. The potential for large loss of life gives the perception that the chemical industry is unsafe.
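The three statistics defined in this chapter and the two-plant comparison above, worked through as an added example (not part of the original report). All plant figures are constructed, and the 2,000 working hours per employee-year is an assumption chosen to match the 10^8-hour FAR basis (1000 employees x 50 years).

```python
"""Accident statistics from this chapter, plus the two-plant comparison.

Added example: every plant figure below is constructed for illustration.
"""
from dataclasses import dataclass

OSHA_BASE_HOURS = 200_000   # basis of the OSHA incidence rate
FAR_BASE_HOURS = 10**8      # 1000 employees working 50 years
HOURS_PER_YEAR = 2_000      # assumption: hours worked per employee per year


def _check_hours(hours_worked):
    if hours_worked <= 0:
        raise ValueError("hours worked must be positive")


def osha_incidence_rate(cases, hours_worked):
    """Cases (injuries and illnesses, or lost workdays) per 200,000 hours."""
    _check_hours(hours_worked)
    return cases * OSHA_BASE_HOURS / hours_worked


def fatal_accident_rate(fatalities, hours_worked):
    """FAR: fatalities per 10^8 hours worked."""
    _check_hours(hours_worked)
    return fatalities * FAR_BASE_HOURS / hours_worked


def fatality_rate(fatalities_per_year, population):
    """Deaths per person per year, independent of hours worked."""
    if population <= 0:
        raise ValueError("population must be positive")
    return fatalities_per_year / population


def far_to_fatality_rate(far, exposed_hours_per_year):
    """Convert a FAR to deaths per person per year for a known exposure."""
    return far * exposed_hours_per_year / FAR_BASE_HOURS


def annual_risk_by_shift(far, shift_hours, shifts_per_year=250):
    """Same FAR, longer shift: more exposed hours, higher yearly risk."""
    return far_to_fatality_rate(far, shift_hours * shifts_per_year)


@dataclass
class Plant:
    operators: int
    explosions_per_year: float  # every operator on site is killed

    def expected_fatalities_per_year(self):
        return self.operators * self.explosions_per_year

    def hours_per_year(self):
        return self.operators * HOURS_PER_YEAR

    def summary(self):
        deaths = self.expected_fatalities_per_year()
        hours = self.hours_per_year()
        return {
            "far": fatal_accident_rate(deaths, hours),
            "osha_rate": osha_incidence_rate(deaths, hours),
            "individual_rate": fatality_rate(deaths, self.operators),
            "expected_deaths_per_year": deaths,
            "deaths_per_event": self.operators,
        }


def compare_two_plants():
    """One operator versus ten, both exploding once every 1000 years."""
    return {
        "one_operator": Plant(1, 1 / 1000).summary(),
        "ten_operators": Plant(10, 1 / 1000).summary(),
    }


if __name__ == "__main__":
    for name, stats in compare_two_plants().items():
        print(name, stats)
    # Constructed site: 500 employees, 4 recordable cases, 30 lost workdays.
    site_hours = 500 * HOURS_PER_YEAR
    print("OSHA rate (cases):", osha_incidence_rate(4, site_hours))
    print("OSHA rate (lost workdays):", osha_incidence_rate(30, site_hours))
    print("8 h shifts:", annual_risk_by_shift(50, 8))
    print("10 h shifts:", annual_risk_by_shift(50, 10))
```

The per-hour and per-person statistics come out identical for the two plants; only the deaths per event and the expected deaths per year differ, and neither appears in the FAR or the OSHA incidence rate.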
With the advent of this new safety analysis technology and the need for providing better input to risk management and safety improvement decisions, many CPI safety professionals are calling for increased use of QRA. And, given the contemporary technical and social environment, it is imperative that management personnel understand the strengths and weaknesses of QRA technology.
The effort needed to develop this understanding will vary depending upon the foundation of information you have for understanding the significance of potential accidents. If you have a great deal of pertinent, closely related experience with the activity you wish to know the risk of, then very little formal analysis may be needed. However, even minor changes can radically increase the risk of an accident. History is replete with examples of design improvements or minor extrapolations that pushed a proven design beyond safe limits. If, on the other hand, there is no relevant experience base for extrapolation, you will have to rely on analytical techniques or on your own intuition for answering risk analysis questions. However, no risk analysis technique can provide meaningful results if you do not have fundamental knowledge of process hazards.
If your risk understanding is inadequate, we can use the process of risk analysis to acquire the understanding you need. The extent of risk analysis and the degree of risk understanding that are needed may vary. Sometimes, simply knowing what could go wrong (hazard identification) may be sufficient for your decision, and no elaborate quantification of likelihoods or effects would be needed. Occasionally, we may have sufficient understanding about what can go wrong and what the effects of an accident could be; however, you may still need information on how likely the accident is. In other cases the quantification of potential impacts alone will be adequate, and analysis of the likelihoods is unnecessary. In practice, few decisions require explicit quantification of both frequency and consequence.
2. Estimating the risk to workers or the public from episodic events involving a one-time exposure to potentially harmful substances or activities
In this guide, we will focus on the use of QRA in the safety assessment of acute hazards and episodic events only.
Unfortunately, even if everyone agrees on a tolerable risk value, there are many other subjective factors that influence our understanding (and tolerance) of risk. If 1 fatality per year were tolerable from causes such as falls, electrocutions, or asphyxiations, would 100 fatalities be equally tolerable from catastrophic explosions predicted to occur, on average, once every 100 years? In both cases, QRA results would predict an average risk of one fatality per year. Are worker injuries more tolerable than public injuries? Are injuries to adults more tolerable than injuries to children? Typical QRA results simply report risk as injuries per year. Yet, there are many other subjective factors that influence a decision maker beyond the objective numeric results of a QRA. No matter how accurate the QRA results are, the conscious decision to accept risk (actually, the decision is whether to spend more money to further reduce the risk) is always difficult when near the risk tolerance threshold. If the risk is clearly above tolerable thresholds (e.g., the risk of fire in a flammable storage area if uncontrolled welding operations are performed), then the decision to spend money to reduce that risk (e.g., to install a fire suppression system, to train a fire brigade, or to implement a hot work permit system) is relatively easy. Similarly, if the risk is clearly small (e.g., the risk of a meteorite puncturing a tank), then the decision to spend no money on meteorite shields is equally easy. However, should a high-high pressure alarm be installed in addition to the existing high pressure alarm and relief valve? The QRA results show that the change would reduce risk, but the manager must decide whether the benefit is worth the cost. QRA results can guide decision makers in their quest for continuous improvement in risk reduction, but zero risk is an unattainable goal. Any activity involves some risk.
Even if it were hypothetically possible to eliminate the risk of every accident scenario in a QRA, some risk would still remain because no QRA examines every possible accident scenario. At best a QRA identifies the dominant contributors to risk from the system as it existed at the time of the analysis. Once those are eliminated, other minor risk contributors (including many that were left out of the original QRA because they were negligible contributors, as well as new risks introduced by changes to eliminate the original risks) remain as the new dominant risk contributors. The availability of resources to perform the analysis is the primary constraint on the completeness of QRAs. Managers must balance the value of QRA results in their decision making against the cost of obtaining these results. It has been shown repeatedly that, when properly scoped and executed, QRA is very cost-effective. In the past, QRA has been used with little regard for minimizing analysis cost versus benefit (e.g., in the nuclear power industry). But QRA can be cost-effective when appropriately preceded by qualitative evaluations and risk screening methods that reduce the size and complexity of the QRA study. The accuracy of QRA results is also dependent on the analysis resources. Obviously, more complete QRA models can produce more accurate results. But even the best model is worthless if the input data are speculative or erroneous. Fortunately, the scarcity of process-specific data for some applications may not be an insurmountable problem. Also, the American Institute of Chemical Engineers (AIChE) has sponsored a project to expand and improve the quality of component failure data for chemical industry use. And many process facilities have considerable equipment operating experience in maintenance files, operating logs, and the minds of operators and maintenance personnel. These data can be collected and combined with industrywide data to help achieve reasonable QRA objectives. However, care must be exercised to select data most representative of your specific system from the wide range available from various sources. Even data from your own plant may have to be modified (sometimes by a factor of 10 or more) to reflect your plant's current operating environment and maintenance practices.
If sufficient experience does not exist, you should consider whether the consequence potential (Step 4) or the expected frequency of accidents (Step 5) is great. Consideration of consequence potential should include personnel exposure, public demographics, equipment density, and so forth in relation to the intrinsic hazard posed by the material of concern. In Step 5 you may perceive that the expected frequency of accidents alone is important enough to justify a QRA. However, even though your company may not have much relevant experience with the activity of interest, if the consequence potential of these accidents is not great, you may conclude that the expected frequency of the potential accidents is low enough for you to make your decisions comfortably using qualitative information alone.
Once a decision to use QRA has been made, you must decide whether frequency and/or consequence information is required (Steps 6 and 7). In some cases you may simply need frequency information to make your decision. For example, suppose you wish to evaluate the adequacy of operating procedures and safety systems associated with a chemical reactor. The main hazard of concern is that the reactor could experience a violent runaway exothermic reaction. You believe that you know enough about the severe consequences of a runaway and nothing more will be gained by quantifying the consequences of potential runaways. Instead, you decide to estimate the expected frequency of reactor upsets and safety system failures that could lead to reactor runaways. You use this estimate to identify weaknesses in the reactor operating procedures and protection system and to determine the most efficient ways to reduce the frequency, and therefore the risk, of reactor accidents.
In other cases the opposite may be true: you may decide it is more fruitful for you to base your decision on the results of a consequence analysis alone. For example, suppose you wish to evaluate and select the best combination of design and release mitigation features for a proposed facility for storing a highly toxic and reactive material. You may believe that your design team has already established the best engineering approach for preventing accidents. But you are still concerned about the safety/health effects of a release and what emergency response capabilities you should establish. You have your QRA analysts quantify the possible effects of a release, assuming a worst-case release occurs, to provide you with information on which to base your selection of emergency response capabilities.
Whenever possible, relative comparisons of risk should be made (Step 8). Comparing relative risk estimates for alternative strategies avoids many of the problems associated with interpreting and defending absolute estimates. Table 9 contains examples of typical conclusions you can reach using relative risk estimates. In some cases, however, absolute estimates may be required to satisfy your needs. Table 10 contains a list of examples of typical conclusions possible using absolute risk estimates. Once the QRA results are available, you must evaluate the information and determine whether it fully satisfies your needs (Step 9). If so, the results should be put into an appropriate format for communication to other parties.
TABLE 4.4. Classical Limitations of QRA
Issue: Description
Completeness: There can never be a guarantee that all accident situations, causes, and effects have been considered.
Model Validity: Probabilistic failure models cannot be verified. Physical phenomena are observed in experiments and used in model correlations, but models are, at best, approximations of specific accident conditions.
Accuracy/Uncertainty: The lack of specific data on component failure characteristics, chemical and physical properties, and phenomena severely limits accuracy and can produce large uncertainties.
Reproducibility: Various aspects of QRA are highly subjective; the results are very sensitive to the analyst's assumptions. The same problem, using identical data and models, may generate widely varying answers when analyzed by different experts.
The inherent nature of QRA makes the results difficult to understand
HSC/E consult fully with people affected by their legislative proposals, and adopt various approaches based on assessing and controlling risk (see What health and safety law requires). Among the things that can prompt action from HSC/E are: changes in technologies, industries or risks; evidence of accidents and ill health, plus public concern; European Directives. Where HSC/E consider action is necessary to supplement existing arrangements, their three main options are: guidance; Approved Codes of Practice; and regulations. HSC/E try to take whichever option, or options, allows employers most flexibility and costs them least, while providing proper safeguards for employees and the public.
5.2.1 Guidance
HSE publishes guidance on a range of subjects (please see the end of this guide). Guidance can be specific to the health and safety problems of an industry or of a particular process used in a number of industries. The main purposes of guidance are: to interpret, helping people to understand what the law says, including, for example, how requirements based on EC Directives fit with those under the Health and Safety at Work Act; to help people comply with the law; to give technical advice. Following guidance is not compulsory and employers are free to take other action. But if they do follow guidance they will normally be doing enough to comply with the law. (Please also see the sections below on Approved Codes of Practice and regulations, which explain other ways in which employers are helped to know whether they are doing what the law requires.) HSC/E aim to keep guidance up-to-date, because as technologies change, risks and the measures needed to address them change too.
5.2.2 Approved Codes of Practice
Approved Codes of Practice offer practical examples of good practice. They give advice on how to comply with the law by, for example, providing a guide to what is reasonably practicable. For example, if regulations use words like "suitable and sufficient", an Approved Code of Practice can illustrate what this requires in particular circumstances. Approved Codes of Practice have a special legal status. If employers are prosecuted for a breach of health and safety law, and it is proved that they have not followed the relevant provisions of the Approved Code of Practice, a court can find them at fault unless they can show that they have complied with the law in some other way. HSC consulted in 1995 on the role of Approved Codes of Practice in the health and safety system and concluded that they could still be used in support of legal duties in specific circumstances.
5.2.3 Regulations
Regulations are law, approved by Parliament. These are usually made under the Health and Safety at Work Act, following proposals from HSC. This applies to regulations based on EC Directives as well as homegrown ones. The Health and Safety at Work Act, and general duties in the Management Regulations, are goal-setting (see What form do they take?) and leave employers freedom to decide how to control risks which they identify. Guidance and Approved Codes of Practice give advice. But some risks are so great, or the proper control measures so costly, that it would not be appropriate to leave employers discretion in deciding what to do about them. Regulations identify these risks and set out specific action that must be taken. Often these requirements are absolute: to do something without qualification by whether it is reasonably practicable.
providing information and advice to employers and others with responsibilities under the Health and Safety at Work Act; guidance to enforcers, both HSE inspectors and those of local authorities; the day-to-day contact which inspectors have with people at work.
HSC directly canvasses the views of small businesses. It also seeks views in detail from representatives of small businesses about the impact on them of proposed legislation.
8 The Health and Safety Information for Employees Regulations 1989: require employers to display a poster telling employees what they need to know about health and safety.
9 Employers' Liability (Compulsory Insurance) Act 1969: requires employers to take out insurance against accidents and ill health to their employees.
10 Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR): require employers to notify certain occupational injuries, diseases and dangerous events.
11 Noise at Work Regulations 1989: require employers to take action to protect employees from hearing damage.
12 Electricity at Work Regulations 1989: require people in control of electrical systems to ensure they are safe to use and maintained in a safe condition.
13 Control of Substances Hazardous to Health Regulations 2002 (COSHH): require employers to assess the risks from hazardous substances and take appropriate precautions.
In addition, specific regulations cover particular areas, for example asbestos and lead, and:
14 Chemicals (Hazard Information and Packaging for Supply) Regulations 2002: require suppliers to classify, label and package dangerous chemicals and provide safety data sheets for them.
15 Construction (Design and Management) Regulations 1994: cover safe systems of work on construction sites.
16 Gas Safety (Installation and Use) Regulations 1994: cover safe installation, maintenance and use of gas systems and appliances in domestic and commercial premises.
17 Control of Major Accident Hazards Regulations 1999: require those who manufacture, store or transport dangerous chemicals or explosives in certain quantities to notify the relevant authority.
18 Dangerous Substances and Explosive Atmospheres Regulations 2002: require employers and the self-employed to carry out a risk assessment of work activities involving dangerous substances.