FEHM PROCEDURE
3.1 INTRODUCTION
The concept of risk-based FEHM was introduced in Section 1. It recognises the input to fire risk reduction from a wide range of issues and enables selection of cost-effective site-specific strategies that are directly relevant to real needs.
The FEHM technique involves a scenario-based evaluation of credible incidents, an assessment of their potential consequences and quantification and implementation of the resources required to respond to them. (It should be realised, however, that not all possible scenarios may be foreseen, nor may excessive analysis be desirable).
As noted in section 1.7, meeting legislation alone is insufficient because this is primarily aimed at life safety and protecting the environment. In addition, incident consequences to other risk drivers should be assessed.
This section expands on the key steps in the FEHM procedure and outlines typical risk reduction options.
Finally, guidance is given on selecting appropriate FEHM policies and implementing them.
3.2 FIRE SCENARIO ANALYSIS
This forms the first step of any risk-based FEHM approach. Its purpose should be to identify fire scenarios, and assess them in terms of incident probability and consequences to build a picture of the overall risks at an installation. Depending on these risks, appropriate and justified FEHM strategies aimed at
reducing risk can be selected and implemented as part of an overall FEHM policy.
The aim should be to recognise and select credible fire scenarios on a site-specific basis. The scenarios that should be considered are outlined in Section 2, and include pool fires, jet fires, BLEVEs, VCEs, and flash fires.
The first step should be to identify hazardous substances and processes along with potential sources of ignition. Scenarios should then be described and potential consequences outlined.
As part of this, various scenario analysis tools may be used to evaluate incident probability and consequences. These can include:
— HAZAN/HAZID/HAZOP;
— QRA;
— event trees;
— fault trees;
— estimated maximum loss;
— risk matrices;
— industry databases;
— incident experience;
— fire and explosion modelling.
Use of these techniques can help to focus on the probability of potential loss of containment events and sources of ignition, as well as indicating the likely consequences of an incident in terms of asset loss, personnel safety, business interruption etc. Risk matrices and QRA techniques are particularly useful tools in assigning 'numerical' values of risk that can be compared against risk criteria.
The types of generic fire scenarios that can occur at various installations are well understood and are described in 3.2.2.
3.2.1 Identification of major fire scenarios, hazards and hazard characteristics Typical fire and explosion scenarios are discussed in section 2.5.
In addition to fire scenarios associated with plant/storage areas, other fire hazards and events such as cellulosic fires and electrical fires should be identified for probability and consequences. External fire sources that are not immediately obvious should also be considered. These may include those initiated by events such as tanker fires, collisions, vegetation fires, etc.
Each identified hazardous event might result in a range of possible scenarios. Usually, scenarios should be selected that represent the most significant consequences to personnel, production and the environment. The most appropriate way is to carry out a risk analysis aimed at identifying these, which also takes incident probability and consequences into account. Following this, it should be easier to select credible design events meriting risk reduction options and further, define the role of fire prevention and protection systems in reducing risk.
In most cases, it will be impractical to consider every possible scenario and a balance should be struck between addressing larger, less frequent scenarios that could cause more damaging consequences and smaller, potentially more frequent events that could lead to escalation or significant localised damage.
An example of a smaller, more frequent event might be fire resulting from an ignited pump seal release or a localised fire in an electrical cabinet – both of which may have significant consequences in terms of production continuity.
An example of a larger, less frequent event may be a full surface tank fire or large bund fire causing extensive damage with high consequences.
Consequently, recent risk-based legislation will often be satisfied if a range of credible scenarios is addressed as well as a smaller selection of larger, less credible but nevertheless potentially high consequence events.
In selecting and evaluating scenarios, consideration should be given to the following factors:
— installation design features;
— human factors (e.g. human error);
— failure modes;
— probability of failure/release;
— locations of releases/potential release points;
— fuel characteristics (density, flash point, composition, ignition temperature, heat output etc.);
— release characteristics (e.g. pressure, temperature etc.);
— degree of isolation/quantity of isolated inventory;
— release size;
— probability of ignition;
— ignition location;
— mitigation measures;
— potential consequences (life safety, environment, production).
A useful way of selecting scenarios is to draw up a list of installations or plant areas and examine possible generic fire or explosion events (e.g. pool fires) for probability and consequences. In other words, the question should be asked, "how probable is this scenario, and what consequences will it have?" A range of scenario analysis tools is available for this purpose (see 3.2), but to assist, a list of typical scenarios for various installations and areas is given in 3.2.2.
As well as the initial effects of fire or explosion, consideration should be given to whether and how escalation can occur and if this can affect personnel, adjacent plant and the environment. Escalation might also render fixed fire-fighting installations ineffective, and this should be addressed as part of the scenario analysis.
Escalation analysis can be carried out by using event and/or fault tree methods, HAZOP, etc. Such scenario analysis tools are useful in identifying potential escalation routes and failures, which might result in a particular level of risk. By using such techniques, additional risk reduction options can be identified to reduce either probability or consequences.
Industry databases and incident experience can also be used to estimate the probability of escalation from given fire or explosion scenarios.
3.2.2 Typical scenarios for various installations/
areas
Scenario analysis tools (see 3.2) should be used to define potential fire and/or explosion events.
It should be remembered that any fire incident is possible; however, whether it is credible or not is a decision that should be made based on incident probability and through examination of potential consequences.
Incident probabilities and consequences vary depending on the nature of the event or installation, and each scenario should be assessed on an individual basis.
For major petroleum fires to occur there would need to be a loss of containment (i.e. a release or spill) and a source of ignition. Process parameters such as temperature and pressure as well as the size and nature of any release will determine the type of fire or explosion event anticipated.
The following sub-sections set out installations/
areas that should be assessed.
3.2.2.1 Process areas
In many process areas, flammable fluids are typically at elevated temperatures and pressures. Releases may be in the form of liquid sprays, or vapour jets depending on these and other factors such as hole size, substance composition, release location and point of ignition.
Also, releases from atmospheric plant could result in product accumulation under vessels and other plant.
Scenario analysis should identify what type of event could be expected.
Some examples of typical generic fire/explosion events for process areas include:
— flammable or toxic product releases (liquid or gaseous phase);
— VCE, e.g. as a result of delayed ignition of flammable vapour;
— pool fires, e.g. because of an ignited flammable liquid spill;
— spray fires, e.g. from a pressurised flammable liquid release;
— jet fires, e.g. ignition of a pressurised vapour release.
Remote product pumps and manifolds are also potential sites for the above, and should be included in any analysis. In all cases, consequence modelling can assist in estimating the size and composition of releases as well as their consequences (e.g. flame lengths, pool size and flammable regions).
3.2.2.2 Atmospheric storage tanks
The types of scenario for atmospheric storage tanks are well understood. The type of event depends to a large degree on tank construction, safety features, product volatility and potential for loss of containment. Typical fire scenarios that should be considered include, for particular tank types:
— vent fires (fixed roof tanks or internal floating roof tanks);
— vapour space explosion (fixed roof tanks);
— contained and uncontained spill fires;
— rim seal fires (open-top floating roof tanks);
— pontoon explosion (open-top floating roof tanks);
— spill-on-roof fires (open-top floating roof tanks);
— full surface fires (fixed, internal and open-top floating roof tanks).
These events are also discussed in section 2.5.
Incident probabilities and escalation routes for these events are well-documented in industry databases such as RPI LASTFIRE. (In most cases, large events such as full surface fires result from an initiating fire such as a spill-on-roof fire or vapour space explosion).
As well as bulk storage areas (tank farms) there may be external areas for petroleum storage in intermediate bulk containers (IBCs). For guidance on safe storage, reference should be made to HSE The storage of flammable liquids in containers or equivalent.
3.2.2.3 Pressurised storage tanks
The types of scenarios associated with spheres or bullets containing pressurised LPG that should be considered include:
— combined jet/pool fire;
— vent fire, e.g. from ignition of LPG released from a pressure relief valve (PRV);
— jet fire, e.g. resulting from ignition of a release from valves or pipework;
— BLEVE.
In some cases, a pool fire will result from an initial jet fire if the tank is depressurised (due to product burn-off or emergency shutdown (ESD)). The most likely sites for jet fires would normally be from associated pipework or valves. BLEVE is a potentially high consequence event that should not be overlooked (see section 2.3.3.3).
3.2.2.4 Road tanker vehicle and rail tank wagon loading areas
Road tanker vehicle and rail tank wagon loading areas often handle a wide variety of flammable substances ranging from LPGs and hydrogen to bitumens, as well as process intermediates and other refined products.
Product transfers through loading and unloading arms or hoses are potentially hazardous operations. Most fire events occur through ignition of accidental product loss of containment due to breakout of hoses and couplings, etc.
In such cases, a pool fire could occur if the spill is ignited. Also, liquefied gases or other very volatile products may ignite close to the source of release and cause a flash fire or jet fire.
BLEVE should also be considered as a possibility if a prolonged pool or jet fire is likely close to, or under
road tanker vehicles and rail wagon tanks containing liquefied gases and other high-energy products.
3.2.2.5 Jetties
As well as spill fires resulting from accidental releases of product from loading or unloading arms, ship fire incidents should also be considered, since they may threaten jetties. A VCE is also a possibility in areas of confinement or semi-confinement, particularly where large releases of liquefied gases are considered as a potential scenario.
In addition, flash fires and/or spill fires can result at jetty 'roots' around product pipelines, especially if there is potential for loss of containment around motorised valves.
3.2.2.6 Electrical/switchgear facilities and substations Petroleum installations invariably include critical switchgear, electrical installations, substations/
transformers and associated cabling. Some of these may utilise oil-filled equipment and the risk of pool fires should be examined. For electrical installations, fires can originate from faulty equipment. Initially, fires may smoulder and go unnoticed if appropriate fire detection is not installed.
Fires can also occur within computing facilities, motor control centres (MCCs) and other critical enclosures. They can originate from the equipment themselves, mechanical media, or auxiliary equipment such as air conditioning units or cooling systems. Such fires may only cause localised damage but could have an effect on production continuity and data integrity.
3.2.2.7 Turbine enclosures
Turbine enclosures may utilise flammable substances such as oil, hydraulic fluids and fuel gas. They generally consist of the following areas and potential fire scenarios:
— control compartment – electrical fires;
— auxiliary compartment – liquid jet, gas jet and electrical fires;
— turbine compartment – liquid jet, gas jet and electrical fires, short duration gas explosion;
— generator – deep-seated electrical fires.
Each of these potential fire incidents should be reviewed as part of a risk analysis.
3.2.2.8 Buildings
Support buildings and offices are also potential fire locations and credible fire scenarios should be addressed. Fires including cellulosic (i.e. ordinarily combustible materials) as well as flammable liquids and
gases should be examined. Some examples of potential fire locations can include:
— control rooms;
— laboratories;
— warehouses/ storage areas;
— workshops;
— pump houses;
— generator enclosures;
— administration buildings;
— accommodation.
Where appropriate, factors such as the fire load, presence of flammable gases and liquids and hazardous processes such as hot work, should be taken into account to determine fire scenarios.
Fires in storage areas containing bulk storage of flammable liquids in IBCs should also be considered.
Tests have demonstrated that when ignited (e.g. by oil-soaked rags or paper under IBC valves) containers can melt dramatically in a matter of seconds and pool fires can spread over a large area. Similarly, idle pallet storage in these areas can represent a significant fire hazard.
3.2.3 Design/credible scenario selection
Credible scenarios that are selected from risk assessments as meriting further risk reduction options because of their probability or consequences can be termed 'design events'. This is illustrated in Figure 3.1 where design events can consist of one or more prevention, control and mitigation measures for identified fire hazards and scenarios.
As part of this process the role of prevention, control and mitigation measures, including those of fire prevention and protection systems should be identified.
For further guidance, see section 8.9.3. For example, the role of a gaseous fire protection system might be to control or extinguish a deep-seated electrical fire within an enclosure.
The selection of appropriate design events varies between installations but the following factors should be considered:
— Whether to include risk reduction for less frequent, catastrophic events.
— Whether risk reduction is appropriate.
— What ESD time should be used.
— Whether the fire/explosion characteristics merit risk reduction.
— What other emergency response measures can be implemented.
Fire hazard
Figure 3.1: Design/credible scenario selection In some cases, CBA should be applied to determine
whether to design and implement risk reduction options.
For example, it might be shown that the annual statistical costs associated with an incident far exceed the amortised costs of implementing a particular risk reduction option. This is explained further in 3.3.
A particularly effective way of selecting appropriate design events is to use a risk matrix approach in which potential scenarios are superimposed
on a grid. Both incident probability/frequency and consequences can be assigned numerical values to obtain an overall risk 'score'. Risk reduction measures can then be considered for incidents above a certain threshold and incident strategies can be developed.
An example of a risk matrix (used in the exploration and production sector) is shown in Figure 3.2. Such a matrix can be easily adapted for use at petroleum refineries and bulk storage installations.
Figure 3.2: Scenario risk matrix
Strategy 1 - Minor incident intervention only Strategy 2 - Dedicated fixed fire protection systems Strategy 3 - Systems/equipment plus back-up Strategy 4 - Systems/equipment plus fire brigade
} }
Either strategy dependent on facility location
Either strategy dependent on facility location Appropriate strategies for incidents
CONSEQUENCES INCREASING PROBABILITY
Life
safety
Environ-ment Business Asset
Reput-ation Has occurred
In Figure 3.2, credible scenarios are identified and appropriate strategies are matched to incident risk.
Thus, high-risk events might merit fire-fighting systems and possibly fire brigade intervention. Events that are considered lower risk (top left of the matrix) might benefit from minor intervention only (e.g. using portable fire-fighting equipment).
Decisions on which risk reduction measures are to be implemented should therefore be based on the actual risk. Having made the decisions, publications (codes of practice, design standards, specifications, guidance, etc.) on fire protection system design can be used to give guidance on implementation.
Also, once appropriate risk reduction measures have been identified (see 3.3) good fire engineering judgement and practices should be applied for design and implementation. As part of this, a framework of FSIA should be adopted (see 3.5.2).
3.2.4 Fire and explosion modelling
Typical approaches to fire and explosion modelling are described in section 2.7.
It should be noted that modelling can only give an approximate indication of the likely consequences of a
particular fire or explosion scenario. It should never be used to 'predict' the effects of an incident with certainty.
Although modelling techniques are now very advanced, interpretation requires great skill and care.
Consequently, the results should be used as 'guidance' to assist in developing appropriate response strategies (i.e. as a tool to help decide policies, rather than to decide them alone).
3.3 RISK REDUCTION OPTIONS