
Accident Process and Multiple Barrier Concept

Most chemical plant accidents follow a typical pattern. It is important to study these patterns in order to be able to develop management systems to prevent these accidents. Also, many accidents occur as a result of the failure of multiple systems or "barriers." In fact, it can be argued that many of these accidents may not have occurred, had at least one of the "barriers" not failed. Thus, it is important to study the concept of multiple barriers and its role in preventing process plant accidents.

The Accident Process

Most chemical accidents follow a three-step process, as described by Crowl and Louvar [2]:

Initiation: the event, which starts the accident process

Propagation: the event, series of events, or condition which allows the accident process to continue, or which expands the magnitude of the accident

Termination: the event or events, which stop the accident

The following is an example of the process:

A seal on a sulfuric acid pump leaked, requiring replacement (initiating event).

The pump was drained and washed, but some time passed before maintenance began (propagating event).

An isolation valve between the pump and the sulfuric acid supply was leaking (propagating event).

The mechanic wore most of the required personal protective equipment, but failed to wear rubber boots (propagating event).

When the mechanic began to work on the pump, he was splashed on the foot when a small amount of sulfuric acid was released, resulting in an acid burn (terminating event—all of the acid in the pump was released).

To prevent accidents, we must modify this accident process. This can be done by eliminating or reducing the likelihood of initiating events or propagating events, reducing the ability of propagating events to increase the magnitude of the accident, or by providing terminating events to interrupt the accident sequence before unacceptable consequences can occur. For the example described, some corrective actions might include the following:

Using a pump with an improved design, which would require less frequent seal repair (reducing the likelihood of the initiating event)

Providing a double block between the sulfuric acid supply and the pump, and improving procedures and training to ensure timely washing of equipment and use of protective equipment (reducing likelihood of propagating events)

Training the mechanic to assume the pump contains sulfuric acid and to drain it to a safe place before he begins his work (provide a safe terminating event by safely removing the acid)

Multiple Barrier Concept (Layers of Protection)

Chemical processes traditionally rely on multiple layers of protection, or barriers, between a hazardous agent and the people, environment, and property which might be adversely impacted by an incident. This concept is illustrated in Fig. 1 [3]. The layers of protection might include the basic process design, basic process controls and operating procedures, critical alarms and process shutdown procedures, safety interlocks, emergency equipment such as rupture disks and pressure relief valves, physical containment systems such as catch tanks and spill containment dikes, emergency response equipment and services such as sprinkler systems and fire-fighting equipment and personnel, and personnel evacuation procedures.

FIG. 1 Typical layers of protection for a chemical process. (Based on Fig. 2.2 of Ref. 3.)

Multiple barriers are generally required because no barrier will be perfect— all are subject to potential failure. An inherently safer process (discussed elsewhere in this article) will reduce or eliminate the hazard and will require fewer or less robust layers of protection—and, if the hazard is sufficiently small, there may be no need for additional protective layers at all. This is highly desirable because the layers of protection may require significant initial capital investment and ongoing operating costs to ensure their continued effectiveness. Also, although the layers of protection may be highly reliable and the risk of an accident may be small, it can never be zero—there is always a possibility that all of the layers of protection will fail simultaneously and the accident will occur.

The number and required reliability of the barriers or layers of protection must be established through the use of the various hazard and risk analysis techniques described in the following sections. This requires a complete understanding of the hazards of the process and plant (hazard identification), and an understanding of the mechanisms or scenarios by which those hazards might result in harm to people, the environment, or property (hazard analysis or hazard evaluation).
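The following calculation is an added illustration, not part of the original article or of any cited guideline. It assumes the layers fail independently, so their failure probabilities multiply; the layer names come from the list above, while every frequency and probability is a constructed sample value. It shows that the residual frequency never reaches zero and that a smaller hazard (modeled here as a higher tolerable frequency) needs fewer layers, or none.

```python
from math import prod

# Constructed sample data: probability that each layer fails when called upon.
LAYERS = [
    ("basic process controls", 0.1),
    ("critical alarms", 0.1),
    ("safety interlocks", 0.01),
    ("pressure relief valve", 0.01),
    ("containment dike", 0.01),
]


def mitigated_frequency(initiating_per_year, failure_probs):
    """Events per year that get past every listed layer (independent layers)."""
    for p in failure_probs:
        # No barrier is perfect, so a failure probability of 0 is rejected.
        if not 0.0 < p <= 1.0:
            raise ValueError(f"failure probability {p} must be in (0, 1]")
    return initiating_per_year * prod(failure_probs)


def layers_needed(initiating_per_year, layers, tolerable_per_year):
    """Names of the layers, taken in order, needed to reach the tolerable
    frequency; [] if none are needed, None if all of them are not enough."""
    for count in range(len(layers) + 1):
        probs = [p for _, p in layers[:count]]
        if mitigated_frequency(initiating_per_year, probs) <= tolerable_per_year:
            return [name for name, _ in layers[:count]]
    return None


if __name__ == "__main__":
    # Hazardous process: initiating event 0.1/yr, tolerable 2e-5/yr (assumed).
    print(layers_needed(0.1, LAYERS, 2e-5))
    # Hazard small enough that the unmitigated frequency is already tolerable.
    print(layers_needed(0.1, LAYERS, 0.5))
    # Residual frequency with every layer in place: small, but not zero.
    print(mitigated_frequency(0.1, [p for _, p in LAYERS]))
```

Layers that share a common cause of failure (for example, the same power supply or the same operator) are not independent, and the product then understates the residual frequency.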

Regulations

During the past 15 years, a number of chemical or related incidents in the petrochemical industry have adversely affected surrounding communities. A few of these incidents, such as the vapor cloud explosion in Flixborough in 1974, the liquefied petroleum gas explosion in Mexico City in 1984, the toxic material release in Bhopal in 1984, and the fire and radiation release in Chernobyl, were reported worldwide. Both governmental agencies and trade organizations responded by developing standards and regulations to improve process safety. The American Petroleum Institute (API) and the American Chemistry Council (ACC) started to work with their members to develop organizational guidelines. The U.S. Department of Labor directed the Occupational Safety and Hazard Administration (OSHA) to develop federal standards for managing process safety.

A consensus started to emerge in 1990. Although the language, application, and extent of each document differed, the contents and objectives were almost the same. The API published Recommended Practice 750: Management of Process Hazards [4] in January 1990. OSHA published the proposed federal process safety rule [5] in July 1990. In October 1990, the ACC published its Resource Guide for Implementing the Process Safety Management Code of Practices [6]. In addition, the Clean Air Act Amendments of 1990 directed OSHA and the Environmental Protection Agency (EPA) to develop process safety management regulations to protect workers and the environment. The final OSHA rule on Process Safety Management of Hazardous Chemicals (29 CFR 1910.119) was published in the Federal Register [7] on February 24, 1992. A matrix showing the relevance of OSHA Process Safety Management (PSM) elements to the Center for Chemical Process Safety's (CCPS) chemical process safety management elements is given in Table 1. EPA published the Risk Management Program in June 1996.

TABLE 1 Summary Comparison of OSHA Elements with CCPS Elements

| CCPS 12 elements of chemical process safety management | Relevant paragraphs of OSHA's PSM rule |
| --- | --- |
| 1. Accountability: Objectives and Goals | |
| 2. Process Knowledge and Documentation | Process Safety Information § 1910.119 (d) |
| 3. Capital Project Review and Design Procedures (for new and existing plants, expansions, and acquisitions) | Pre-Startup Safety Review § 1910.119 (i); Mechanical Integrity § 1910.119 (j) |
| 4. Process Risk Management | Process Hazard Analysis § 1910.119 (e); Pre-Startup Safety Review § 1910.119 (i) |
| 5. Management of Change | Management of Change § 1910.119 (l) |
| 6. Process and Equipment Integrity | Process Hazard Analysis § 1910.119 (e); Operating Procedures § 1910.119 (f); Mechanical Integrity § 1910.119 (j) |
| 7. Human Factors | Process Hazard Analysis § 1910.119 (e); Operating Procedures § 1910.119 (f) |
| 8. Training and Performance | Operating Procedures § 1910.119 (f); Training § 1910.119 (g); Pre-Startup Safety Review § 1910.119 (i); Emergency Planning and Response § 1910.119 (n) |
| 9. Incident Investigation | Incident Investigation § 1910.119 (m) |
| 10. Standards, Codes, and Laws | |
| 11. Audits and Corrective Actions | Compliance Audits § 1910.119 (o) |
| 12. Enhancement of Process Safety Knowledge | |

The international chemical and petroleum community has also been addressing process safety management through regulations and recommended practices. The Norwegian Petroleum Directorate issued rules [8] in 1981 requiring quantitative hazard analyses for offshore petroleum operations. In response to the 1976 chemical dioxin release in Seveso, Italy, a European Directive [9] (commonly called the Seveso Directive) on process safety management was issued in 1982. More recently, the British government has issued process safety management regulations [10] for North Sea petroleum operations, following the recommendations of the widely distributed Cullen Report, which investigated the 1985 Piper Alpha offshore platform tragedy. Outside of Europe, the World Bank [11] has provided process safety management guidance for third-world projects. Similarly, the International Labor Office in Geneva has issued hazard analysis recommendations [12].

The Process Safety Management Program

The 14 elements of the OSHA Process Safety Management (PSM) regulation (29 CFR 1910.119) were published in the Federal Register on February 24, 1992 [7]. The objective of the regulation is to prevent or minimize the consequences of catastrophic releases of toxic, reactive, flammable, or explosive chemicals. The regulation requires a comprehensive management program: a holistic approach that integrates technologies, procedures, and management practices.

The process safety management regulation applies to processes that involve certain specified chemicals at or above threshold quantities, processes that involve flammable liquids or gases on-site in one location in quantities of 10,000 lbs or more (subject to a few exceptions), and processes that involve the manufacture of explosives and pyrotechnics. Hydrocarbon fuels, which may be excluded if used solely as a fuel, are included if the fuel is part of a process covered by this regulation. In addition, the regulation does not apply to retail facilities, oil or gas well drilling or servicing operations, or normally unoccupied remote facilities.

The process safety management regulation requires a systems approach for managing safety. Segments of the hazardous chemicals industry have for some time practiced some or all of the required programs. The promulgation of the regulation formalized the requirements and established a minimum criterion. This is both good and bad. The regulation now requires everyone to establish the management systems and apply the technologies needed to comply with the regulation. However, for the same reason, there is a tendency to look for "paper compliance" as compared to making real improvements in safety programs and technologies.

The Risk Management Program

In 1996, the EPA promulgated the regulation for Risk Management Programs for Chemical Accident Release Prevention (40 CFR 68). This federal regulation was mandated by section 112(r) of the Clean Air Act Amendments of 1990. The regulation requires regulated facilities to develop and implement appropriate risk management programs to minimize the frequency and severity of chemical plant accidents. In keeping with regulatory trends, EPA required a performance-based approach toward compliance with the risk management program regulation.

The EPA regulation also requires regulated facilities to develop a Risk Management Plan (RMP). The RMP includes a description of the hazard assessment, prevention program, and the emergency response program. Facilities submit the RMP to the EPA and, subsequently, it is made available to governmental agencies, the state emergency response commission, the local emergency planning committees, and communicated to the public.

The risk management program regulation defines the worst-case release as the release of the largest quantity of a regulated substance from a vessel or process line failure, including administrative controls and passive mitigation that limit the total quantity involved or release rate. For gases, the worst-case release scenario assumes the quantity is released in 10 min. For liquids, the scenario assumes an instantaneous spill and that the release rate to the air is the volatilization rate from a pool 1 cm deep unless passive mitigation systems contain the substance in a smaller area. For flammables, the scenario assumes an instantaneous release and a vapor cloud explosion using a 10% yield factor. For alternative scenarios (note: EPA used the term alternative scenario as compared to the term more-likely scenario used earlier in the proposed regulation), facilities may take credit for both passive and active mitigation systems.

Appendix A of the final regulation lists endpoints for toxic substances to be used in worst-case and alternative scenario assessment. The toxic endpoints are based on ERPG-2 (Emergency Response Planning Guidelines—Level 2) or level of concern data compiled by the EPA. The flammable endpoints represent vapor cloud explosion distances based on overpressure of 1 psi or radiant heat distances based on exposure to 5 kW/m² for 40 s.