
Journal of Loss Prevention in the Process Industries 15 (2002) 129–146
www.elsevier.com/locate/jlp

Design and evaluation of safety measures using a newly proposed methodology SCAP

Faisal I. Khan a,*, Tahir Husain a, S.A. Abbasi b

a Faculty of Engineering and Applied Science, Memorial University of Newfoundland, St John's, Canada A1B 3X5
b Centre for Pollution Control and Energy Technology, Pondicherry University, Pondicherry 605 014, India

Abstract

An increase in the number of accidents in the process industries and the concomitant damage potential is a cause of concern in many countries. In order to control the alarming risk posed by these industries, the United States government has asked each manufacturing facility to carry out a worst-case disaster study and to develop alternatives to control this high risk. Other developed and developing countries such as Canada and India have taken similar measures. Recently Khan and Abbasi (J. Loss Prevent. Process Ind. (2001a) in press) have proposed a maximum credible accident analysis with a maximum credible accident scenario approach, which scores over a worst-case scenario approach for being realistic and reliable. In another effort, Khan and Abbasi (J. Hazard. Mater. (2001b) in press) have developed an efficient and effective algorithm for probabilistic fault tree analysis. These two approaches have been combined to yield a new methodology for a more realistic, reliable, and efficient safety evaluation and the design of risk control measures. The methodology is named SCAP: Safety, Credible Accident, Probabilistic fault tree analysis. The methodology is comprised of four steps, of which the last step is a feedback loop. This paper recapitulates this methodology and demonstrates its application to ethylene oxide (EO) plants. The application of SCAP to EO plants identifies five units as risky and needing more safety measures. Further, this study recommends safety measures and demonstrates through SCAP that their implementation lowers the risk to an acceptable level. © 2002 Elsevier Science Ltd. All rights reserved.
Keywords: Risk assessment; Safety measures; Industrial hazards; Worst-case scenario; Maximum credible accident analysis

* Corresponding author. Tel.: +1 709 737 7652; fax: +1 709 737 4042. E-mail address: fkhan@engr.mun.ca (F.I. Khan).

0950-4230/02/$ - see front matter © 2002 Elsevier Science Ltd. All rights reserved. PII: S0950-4230(01)00026-2

1. Introduction

Petroleum refineries and petrochemical industries handle large quantities of highly hazardous chemicals, often at extreme conditions of temperature and pressure. Any mis-operation is prone to be a source of disaster causing heavy financial losses as well as casualties. This is evident from the case studies highlighted below:

Ahmadi, 2000: On 25 June 2000, at 4:24 a.m. an accident ripped through a unit at the Ahmadi refinery and caused heavy material damage. It was reported that four people were killed and 49 injured. Ahmadi, the biggest refinery in Kuwait, has a refining capacity of 444,000 barrels per day. It was built in 1948, subsequently renovated in 1984 and in 1986, and has 1450 employees (CNN, 2000a; BBC, 2000). The accident was caused by the ignition of a vapor cloud which formed due to a leak of liquefied petroleum gas from one of the transporting lines. The explosion was so intense that its effects were observed over kilometers. A building located 500 m from the scene of the accident was badly damaged; the administration building located 2 km from the point of the accident also suffered damage. Two fuel production units and one major distillation unit were completely damaged while another distillation unit suffered heavy damage. The full details of the accident have not yet been made public.

Shuaiba, 2000: In early June 2000, an accident occurred in Kuwait's Shuaiba refinery, killing two people and injuring many. The accident occurred during the start-up operation of the jet fuel unit. The preliminary enquiry reported a deficiency in the operation and training side and insufficient preparation to handle such incidents (CNN, 2000b).


Washington, 1999: In June 1999, a pipeline transporting gasoline from a refinery to the coast of Seattle, Portland and Oregon ruptured, spewing 229,000 gallons of gasoline. The released gasoline ignited into a wall of fire hundreds of feet high, running down a creek and through a wooded park. The fire incinerated everything in its path and killed three people. The United States Department of Transport has imposed a $3.05 million fine on the owner of the pipeline (CNN, 1999a).

Tennessee, 1999: On 30 June 1999, two people were killed and one seriously injured in an explosion which occurred in an oil storage tank during repair work. At the time of the accident only three people were present on the site; otherwise, the number of casualties would have been higher (CNN, 1999b).

Nigeria, 1998: On 18 October 1998, two deadly pipeline explosions set off fires that ripped through several villages in southern Nigeria. This aboveground pipeline linked an oil refinery in the coastal city of Warri with the northern city of Kaduna. About 200 people died from severe burns and suffocation. Although it has not been confirmed, this accident is believed to have been an act of sabotage (CNN, 1998).

Texas, 1997: On 22 June 1997, at 7:12 a.m. an accident was reported in the Shell Oil Company plant at Houston. The plant, which produces ethylene and propylene as feedstock for other chemical industries, employed about 2,400 people. The accident was caused by an explosion, which was subsequently followed by a fire. One person was injured and heavy material loss was reported. At the time of the accident only a few people were at the site; otherwise, casualties would have been higher (CNN, 1997).

Vishakhapatnam, 1997: On 14 September 1997, a huge fire and explosions devastated the terminals and storage tanks at the Hindustan Petroleum Corporation Limited refinery at Vishakhapatnam, India. More than 55 people were killed and dozens more seriously injured (Khan & Abbasi, 1998a, 1999a). The death toll could have been much higher had the fire started one half hour later, when the first shift workers were due to arrive. Even more significantly, as the accident occurred on Sunday, a holiday, the administrative personnel, several hundred, were also not on duty. Assets of more than 60 million rupees were damaged in this accident (Khan & Abbasi, 1998a, 1999a).

Sparks, 1998: On 7 January 1998, two explosions in rapid succession destroyed the Sierra Chemical Company (Sierra) Kean Canyon plant near Mustang, Nevada, killing four workers and injuring six others. The Kean Canyon plant manufactured explosive boosters for the mining industry. When initiated by a blasting cap or detonation cord, boosters provide the added energy necessary to detonate less sensitive blasting agents or other high explosives. The boosters manufactured at the Kean Canyon plant consisted of a base mix and a second explosive mix, called Pentolite, both of which were poured into cardboard cylinders. The primary explosives used in the base mix were TNT (2,4,6-trinitrotoluene), PETN (pentaerythritol tetranitrate), and Comp-B, a mixture of TNT and RDX (hexahydro-1,3,5-trinitro-1,3,5-triazine). Pentolite is a mix of TNT and PETN. The investigation team determined that the first explosion occurred in the plant's Booster Room 2 and was followed seconds later by an explosion in the PETN building. There was no physical evidence or eyewitness to conclusively pinpoint the cause of the explosion in Booster Room 2; however, the investigation team identified four credible scenarios. The investigation team also recommended a comprehensive process safety management program that was ineffective earlier (CSB, 1999).

Helena, 1997: On 8 May 1997, an explosion and fire in a building containing 200,000 pounds of pesticides killed three firefighters and injured sixteen people. The pesticides, their combustion products, and even chemicals formed during firefighting activities formed a highly toxic cloud which forced an evacuation of the regional hospital, along with residents within a three-mile radius (Lees, 1996; Khan & Abbasi, 1999c).

Houston, 1989: On 23 October 1989, a release occurred in a polyethylene plant at the Phillips Company's chemical complex at Pasadena near Houston, Texas. A vapor cloud formed and ignited, giving rise to a massive vapor cloud explosion. A series of further explosions and a fire followed the initial explosion. Twenty-two people were killed on the spot, one later died from injuries sustained in the explosion, and more than 130 were injured (Lees, 1996; Khan & Abbasi, 1999c, 2001c).

Antwerp, 1987: On 3 July 1987, an explosion occurred inside an ethylene oxide purification column in a factory at Antwerp, Belgium. The explosion was due to the decomposition of ethylene oxide. It was accompanied by a fireball, which started a number of secondary fires. These, together with blasts and missiles, caused extensive damage, and fourteen people were injured (Khan & Abbasi, 1998a, 1999c).

These accidents are representative examples from a comprehensive list comprised of hundreds of such accidents.

2. Cause of concern

A recent study in the United States claims that from 1993 to 1995 over 23,000 accidents related to the release of toxic clouds have occurred. Furthermore, approximately 25% of the manufacturing facilities that involve extraordinarily hazardous chemicals could potentially create a zone of injury and death extending more than five miles from the facility. More than 20% of these facilities create vulnerable zones of more than ten miles. The National Environmental Law Committee of the United States has analyzed the worst-case disaster potential by industry sector and has found that the chemical and petrochemical sectors are the most vulnerable. Despite state-of-the-art control facilities, an increase in the number of such incidents as well as their concomitant damage potential is a major source of concern. In order to control the alarming risk posed by these industries, the United States government has asked each manufacturing facility to carry out a worst-case disaster study and to develop alternatives to control this high risk (Laplante, 1998; Perrow, 2000).

The frequency of accidents and the attendant damage potential is considerably higher in other countries than in the United States. Consequently, these industries not only suffer heavy financial losses but also lose credibility. It is therefore urgent to analyze possible accidents and their basic causes, and to develop strategies/plans to avert such situations. A preliminary study provided the following observations:

1. Most of the accidents have occurred despite active safety measures on the unit. The main reasons for such accidents are that safety measures are not designed considering the probable accident scenarios, and the effectiveness of safety measures is not reviewed periodically.
2. Disaster management or contingency plans are either improper or ineffective. Most disaster management plans (DMP) are designed through subjective decision making without a quantitative or scientific approach. These programs are hardly tested and in cases where they are tested, it is done as a formality and for limited known accident scenarios.

These observations highlight a need for a systematic, comprehensive yet rapid methodology for risk assessment and safety evaluation. These authors agree that there has been substantial work on the development of methodologies for effective and reliable risk assessment. There are good methodologies and tools available to conduct detailed risk assessments: quantitative risk analysis, probabilistic safety analysis, worst-case methodology for risk assessment, and optimal risk analysis. A critical review of these methodologies is presented by Khan and Abbasi (1998a, 1998c, 2001c) and Papazoglou, Nivoliantiou, and Christou (1992).

Khan and Abbasi (2001b) have recently introduced a new methodology by integrating Analytical Simulation (a new methodology for fault tree analysis proposed by Khan & Abbasi, 2001b) and maximum credible accident analysis (a methodology proposed for rapid risk assessment by Khan & Abbasi, 1997a,b, 1998a,d, 2000, 2001c). The methodology is intended to identify the presence of hazards in an industry; it quantifies the hazard, forecasts the impact of likely accidents in and around the industry, suggests safety measures, and then loops back to reassess the hazards by incorporating the suggested safety measures. In this manner, it enables one to work out exactly what safety measures, of what sophistication, can decrease the hazard to an acceptable level. For an operating plant, it enables the assessment of whether the existing safety measures are sufficient or need further attention. It is also able to distinguish the units that cannot be made safe even after the installation of all conventional safety measures. This technique thus isolates units which require special emergency preparedness and disaster management plans. We have given the acronym SCAP to this technique: Safety, Credible Accidents, and Probabilistic fault tree analysis.

3. SCAP methodology

The steps involved in the SCAP methodology are depicted in Fig. 1. The features of each step are summarized below.

3.1. Step 1: Hazard identification and ranking using SWeHI

This step utilizes the Safety Weighted Hazard Index (SWeHI) system developed earlier by us (Khan, Husain, & Abbasi, 2001) for hazard identification and ranking. The SWeHI system enables computation of a fire and explosion damage index (B1), a toxic damage index (B2) and a safety performance index (SPI). SWeHI aims at providing a single frame view of the industry, or the desired process unit, vis-a-vis the hazards posed by it under a given set of external forcing factors (ranging from meteorology to social upheavals). It simultaneously integrates this information with the safety measures as they are and as they ought to be. In quantitative terms, SPI represents the radius of the area under hazard (50% probability of fatality/damage) due to the given unit/plant considering the chemicals, operating conditions, environmental setting, etc. involved at that instant. In mathematical terms it is represented as:

$\mathrm{SPI} = B/A$

where B is the quantitative measure of the damage that may be caused by a unit/plant, and is measured in terms of area under 50% probability of damage. A represents the credits due to control measures and safety arrangements made to counter the undesirable situations. B has two components: B1 addresses damage due to fire and explosion, while B2 considers damage due to toxic release and dispersion. The SPI represents the damage radii when safety measures are duly taken into consideration. The higher the value of SPI, the more vulnerable is the unit to the likely hazards.


Fig. 1. The SCAP algorithm.

The distinguishing features of the SWeHI system are:

1. It considers the impact of various process operations and associated parameters for hazard identification;
2. It provides quantitative results of good reliability;
3. Most of the penalties used in computing hazard potential index B and hazard control index A in SPI are derived from the tried and tested models of thermodynamics (CCPS, 1989; API, 1990; Greenbook, 1992). A few penalties for B1 and B2 have been quantified with the help of empirical models and hazard ranking procedures such as National Fire Protection Agency (NFPA). In other words, adequate depth and rigor has gone into the formulation of SWeHI;
4. It scores over the Dow Fire and Explosion Index, Mond Toxicity Index, IFAL, etc. and these authors' HIRA-based indices, fire and explosion damage index (FEDI) and toxic damage index (TDI) (Khan & Abbasi, 1998b), in terms of its ability to weigh the hazards against the effectiveness of the safety measures and provide a single score for the trade-off;
5. It does not need case-to-case calibration, as its magnitude directly signifies the level of hazard;
6. It may be used for a rapid reconnaissance of risk.

3.1.1. Quantification of B1

For the purpose of quantifying B1, the various units of an industry are classified into five different categories (similar to the HIRA system; Khan & Abbasi, 1998b): (i) storage units, (ii) units involving physical operations such as heat transfer, mass transfer, phase change, pumping and compression, (iii) units involving chemical reactions, (iv) transportation units, (v) other hazardous units such as furnaces, boilers, direct-fired heat exchangers, etc. The estimation of B1 involves the following steps:

1. Classification of the various units in an industry into the five categories mentioned above
2. Evaluation of energy factors
3. Assignment of penalties
4. Estimation of damage potential
5. Quantification of B1

3.1.2. Quantification of B2

B2 is measured in terms of the radius of the area (in meters) affected lethally by toxic load (50% probability of causing fatality). This index is derived using transport phenomena and empirical models based on the quantity of chemical(s) involved in the unit, the physical state of the chemical(s), the toxicity of the chemical(s), the operating conditions, and the site characteristics (Fowcett, 1993; Tyler, Thomas, Doran, & Grieg, 1994). The dispersion is assumed to occur under slightly stable atmospheric conditions. We have opted for slightly stable atmospheric conditions as these represent a median of high instability and high stability. Furthermore, such conditions are often prevalent during accidents, as happened at Bhopal, Basel, Panipat, and other places (Cristen, Bhnenblust, & Seitz, 1994; Lees, 1996; Khan & Abbasi, 1997c, 1998a, 1999c). The estimation of B2 is done with one core factor, named the G factor, and several penalties. The G factor takes into account the following:

1. during the accidental release of super-heated liquid (liquid stored or processed above its normal boiling point) from the unit, a part of the liquid would flash to vapor and the remaining part would form a liquid pool which would subsequently evaporate;
2. the release of gases would directly lead to dispersion in the atmosphere and cause a build-up of lethal toxic load;
3. liquefied gases would have a two-phase release, followed by dispersion and a build-up of toxic load;
4. pyrophilic solids would give toxic vapors which would generate a toxic load in the air.

3.2. Quantification of A

Factor A incorporates the quantification of the various control measures adopted by the industry as well as the safe operation practices implemented in a unit/process. A is quantified as:

$A = 0.15\,(1 + cr_1)(1 + cr_2)(1 + cr_3)(1 + cr_4)(1 + cr_5)(1 + cr_6)(1 + cr_7)(1 + cr_8)$

where $cr_1$ to $cr_8$ represent credit factors for emergency resource planning, disaster management plans, other damage control measures, process control systems, detecting devices, emergency control measures, human error, and equipment reliability, respectively.

3.3. Step 2: Quantitative hazard assessment: maximum credible accident analysis

Maximum credible accident analysis (MCAA) is comprised of two sub-steps:

1. Accident scenario forecasting
2. Damage estimation for previously envisaged accident scenario.

Forecasting likely accident scenarios is the most important step in this exercise. A number of accident scenarios can be envisaged in a unit; however, it is not possible for the analyst to analyze all possible accident scenarios. There needs to be a system to shortlist the important scenarios. Recently, Khan and Abbasi (2001a) have developed an approach called maximum credible accident scenarios (MCAS). This approach centers on the theme of credibility, which is defined as a combination of impact area and the probability of occurrence, and is estimated as:

$C = (AA^2 + BB^2)^{1/2}$

where AA and BB represent the credibility factor estimated for assets damage and population damage effects, respectively. For details refer to Khan and Abbasi (2001a).

A computer-automated tool, MAXCRED (Khan & Abbasi, 1999b), and its higher version MAXCRED-III (Khan & Abbasi, 1999e), which perform maximum credible accident analysis, have been developed. The package enables the simulation of accidents and an estimation of their damage potential. MAXCRED-III has been developed to provide a more versatile and accurate tool for rapid risk assessment than is possible with existing packages. An earlier version of MAXCRED-III has significantly greater capabilities than other commercial packages, whereas the more sophisticated MAXCRED-III incorporates a domino/cascading effect, and the implementation of advanced concepts of software engineering (Khan & Abbasi, 1999e). MAXCRED-III has five main modules (options): scenario generation, consequence analysis, domino, documentation, and graphics.

In the scenario generation module, accident scenarios are generated for the unit under study. This step, based on the MCAS approach, is an important input for subsequent steps. The more realistic the accident scenario, the more accurate is the forecast of the type of accident, its consequences, and associated risks; and, consequently, the more appropriate and effective are the strategies for averting and managing crisis.

The consequence analysis module involves the assessment of likely consequences if an accident scenario does materialize. The consequences are quantified in terms of damage radii (the radii of the area where the damage would readily occur), damage to property (shattering of window-panes, caving in of buildings) and toxic effects (chronic/acute toxicity, mortality). The assessment of consequences involves a wide variety of mathematical models. For example, source models are used to predict the rate of release of hazardous materials, the degree of flashing, and the rate of evaporation. Models for explosions and fires are used to predict the characteristics of explosions and fires. Impact intensity models are used to predict damage zones due to fires, explosions and toxic load. Toxic gas models are also used to predict the human response to different levels of exposures to toxic chemicals. Several types of explosion and fire models such as confined vapor cloud explosion (CVCE), vapor cloud explosion (VCE), boiling liquid vapor cloud explosion (BLEVE), pool fire, flash fire, jet fire, and fireball, are included. Likewise, models for both liquid and two-phase release have been incorporated. A special feature of MAXCRED-III is that it is able to handle the dispersion of heavy (heavier-than-air) gases as well as light-as-air and lighter-than-air gases.

The domino module analyzes the damage potential of the primary event at the point of location of the secondary unit, and checks for the likelihood of the occurrence of the secondary accident. If the probability of the secondary accident is sufficiently high, then the appropriate accident scenarios are developed and analyzed for consequences.

The graphics module enables the visualization of risk contours in the context of the accident sites. This option has two facilities: (i) site drawing, and (ii) contour drawing. The site drawing option enables the user to draw any industrial site layout using freehand drawing or any already defined drawing tool. The contour drawing option has the facility for drawing various damage/risk contours over the accident site. These contours can be drawn in different shapes and sizes according to the requirement of the user.

The documentation module of MAXCRED-III mainly deals with the handling of different files: data file, scenario file, output file and flow of information. This object works as an information manager: it provides the necessary information to each module and sub-module to carry out the desired operations, and stores the results in different files.

3.4. Step 3: Probabilistic hazard assessment: analytical simulation methodology (ASM)

In this step, fault trees of the previously forecasted accident scenarios are constructed. In order to develop probabilistic fault trees and analyze them swiftly, these authors have developed an analytical simulation methodology (Khan & Abbasi, 2001b). A completely automated tool called PROFAT (PRObabilistic FAult Tree analysis) (Khan & Abbasi, 1999d) has also been developed to perform analytical simulation. The analytical simulation methodology (ASM) is comprised of the following steps:

1. A logical dependency between the causes leading to the top event (accident scenario) is developed and represented in terms of a fault tree. Such a fault tree can be developed for an individual unit or a combination of units, depending upon the convenience of the user.
2. The fault tree developed as above is transformed to a Boolean matrix. If the dimension of the Boolean matrix happens to exceed the processing ability of the user's computer, a structural moduling technique may be applied (Shafaghi, 1988; Yllera, 1988). This technique proposes moduling of the fault tree into a number of smaller sub-modules with a dependency relationship between them. This reduces the memory allocation problem as well as speeds up the computation (Bossche, 1991).
3. The Boolean matrix is then solved for minimum cutsets using an analytical method (Khoda & Henley, 1988; Papazoglou et al., 1992; Greenberg & Slater, 1992). If the problem has been structurally moduled, then each module is solved independently, and the results are combined. The resultant minimum cutsets may be optimized using any appropriate technique.
4. The already optimized minimum cutsets are processed for probability estimation. These authors recommend the use of the Monte-Carlo simulation method (Soon, Joo, & Myung, 1985; Worrel & Stack, 1990; Rauzy, 1993) for this purpose instead of direct estimation because the simulation method not only gives the probability of the top event, but it also provides information on the sensitivity of the results. Simulation is also helpful in studying the impact of each of the initiating events. To increase the accuracy of the computations and reduce the margin of error due to inaccuracy involved in the reliability data of the basic events (initiating events), we recommend the use of fuzzy probability sets (Dubois & Prade, 1980; Noma, Tankara, & Asai, 1981; Tanaka, Fan, Lai, & Toguchi, 1983; Prugh, 1992).
5. An added advantage of the analytical simulation method is that it enables a study of the importance of each component, or in other words, each cause (initiating event) which leads to the top event. The contribution of each cause is estimated by repeating the previous step (step 4) while that particular cause is absent. Subsequently, the contribution of each cause is transformed into an improvement index which signifies the percentage contribution of each cause in leading to the top event. Thus, from the improvement index one can easily deduce what events are most likely to cause an accident and need immediate care.
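The following Python example is added here and is not code from PROFAT or from the authors; it carries ASM steps 1 and 3 to 5 through on a constructed fault tree for a storage tank release. The gate and event names, the probabilities, the top-down cut-set expansion (used in place of the Boolean-matrix solution), and the normalization of the improvement index to percentage shares are assumptions; fuzzy probability sets are not modeled.

```python
import random
from itertools import product

# Step 1: fault tree as gate -> (type, inputs). Constructed sample for an
# EO storage tank release; names and numbers are illustrative assumptions.
GATES = {
    "TOP": ("OR", ["OVERPRESSURE", "LEAK", "UPSET_OVERPRESSURE"]),
    "OVERPRESSURE": ("AND", ["pressure_control_fails", "relief_valve_fails"]),
    "LEAK": ("OR", ["gasket_failure", "UNDETECTED_CORROSION"]),
    "UNDETECTED_CORROSION": ("AND", ["corrosion", "inspection_missed"]),
    # Redundant branch: its cut set contains OVERPRESSURE's and is absorbed.
    "UPSET_OVERPRESSURE": ("AND", ["OVERPRESSURE", "operator_error"]),
}
# Constructed occurrence probabilities of the basic (initiating) events.
BASIC_P = {
    "pressure_control_fails": 0.05, "relief_valve_fails": 0.02,
    "gasket_failure": 0.01, "corrosion": 0.10,
    "inspection_missed": 0.20, "operator_error": 0.30,
}


def minimal_cut_sets(gates, node="TOP"):
    """Step 3: expand the tree top-down, then drop non-minimal sets."""
    def expand(n):
        if n not in gates:                      # basic event
            return [frozenset([n])]
        kind, inputs = gates[n]
        parts = [expand(i) for i in inputs]
        if kind == "OR":                        # any input alone suffices
            return [cs for part in parts for cs in part]
        combos = [frozenset()]                  # AND: one set from every input
        for part in parts:
            combos = [a | b for a in combos for b in part]
        return combos

    minimal = []
    for cs in sorted(set(expand(node)), key=lambda s: (len(s), sorted(s))):
        if not any(kept <= cs for kept in minimal):   # absorption law
            minimal.append(cs)
    return minimal


def monte_carlo_top_probability(cut_sets, probs, trials=100_000, seed=1):
    """Step 4: sample basic events; the top event occurs when every event
    of at least one minimal cut set has occurred."""
    rng = random.Random(seed)
    events = sorted(probs)
    hits = 0
    for _ in range(trials):
        # One draw per event per trial keeps runs with equal seeds aligned.
        occurred = {e for e in events if rng.random() < probs[e]}
        hits += any(cs <= occurred for cs in cut_sets)
    return hits / trials


def exact_top_probability(cut_sets, probs):
    """Direct estimation by enumerating all event states (cross-check)."""
    events = sorted(probs)
    total = 0.0
    for state in product((False, True), repeat=len(events)):
        occurred = {e for e, on in zip(events, state) if on}
        if any(cs <= occurred for cs in cut_sets):
            weight = 1.0
            for e, on in zip(events, state):
                weight *= probs[e] if on else 1.0 - probs[e]
            total += weight
    return total


def improvement_index(cut_sets, probs, trials=100_000, seed=1):
    """Step 5: repeat step 4 with each cause absent (probability 0) and
    express the drop in top-event probability as a percentage share."""
    base = monte_carlo_top_probability(cut_sets, probs, trials, seed)
    drop = {}
    for event in probs:
        absent = dict(probs)
        absent[event] = 0.0
        drop[event] = base - monte_carlo_top_probability(cut_sets, absent, trials, seed)
    total = sum(drop.values())
    return {e: (100.0 * d / total if total else 0.0) for e, d in drop.items()}


if __name__ == "__main__":
    mcs = minimal_cut_sets(GATES)
    print("minimal cut sets:", [sorted(cs) for cs in mcs])
    print("Monte Carlo P(top):", monte_carlo_top_probability(mcs, BASIC_P))
    print("exact P(top):", round(exact_top_probability(mcs, BASIC_P), 6))
    ranked = sorted(improvement_index(mcs, BASIC_P).items(), key=lambda kv: -kv[1])
    for event, share in ranked:
        print(f"{event:24s} {share:5.1f} %")
```

Reusing the same seed for the runs with and without a cause means every run sees the same random draws, so an event that appears in no minimal cut set (here operator_error) gets an index of exactly zero instead of sampling noise.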


The methodology summarized above was resolved into a computer-automated tool PROFAT (PRObabilistic FAult Tree analysis), which has been coded in C++ and consists of five main modules: DATA, minimum cutsets analysis, probability analysis, improvement factor analysis, and general-purpose modules. Each module performs a specific task, and is linked with the other modules. For example, the minimum cutsets analysis module uses data provided in the form of a Boolean relation (fault tree relation) by the DATA module to generate minimum cutsets. Each module of PROFAT is comprised of two or more sub-modules. For example, matrix formulation, matrix solution, and cutsets optimization are subordinates (derived classes) to the main minimum cutsets analysis module (main minimum cutsets analysis class). These sub-modules (derived classes) inherit functions defined in the main module (main class) to serve specific applications as well as comprise some friend functions (functions which are not part of the class but are otherwise useful) (Khan & Abbasi, 1999d).

3.5. Step 4: Risk quantification and design of safety measures

Using the results of the previous steps of hazard assessment and probabilistic hazard assessment, the risk is computed and subsequently compared with the regulatory standards; if it exceeds them, extra safety measures need to be added to the unit. After deciding the necessary safety options to be implemented, steps 2 and 3 are repeated and the latest risk is again compared with regulatory standards. This is repeated until the risk factors fall within the acceptable range.

4. Application of the SCAP to ethylene oxide plant

The SCAP system of methodology discussed above has been used to design the safety measures for an ethylene oxide plant. The plant is at the design stage and will be located in an industrial complex (Fig. 2). A brief summary of the process of ethylene production is given below; for details refer to TVS Petrochemical (1999).

Fig. 2. Plot showing location and layout of the EO plant along with population distribution.

4.1. Process summary

Ethylene oxide (EO) is produced by the oxidation of ethylene with pure oxygen. Ethylene and oxygen are reacted at 10–30 atmospheres and 400–500 °F in a fixed bed catalytic reactor. The catalyst beds consist of large bundles of tubes that contain supported silver catalyst spheres or rings. The tubes are 6–12 m long and 20–50 mm in diameter. The reactor off-gas is fed to CO2 scrubbers, then to EO scrubbers, which absorb the EO into the liquid phase. The EO is recovered from the liquid in a desorber and distilled to remove water. EO purity is typically greater than 99.5%. Fig. 3 shows the process flow diagram (PFD) of the complete EO process plant.

$\mathrm{C_2H_4 + 0.5\,O_2 \rightarrow C_2H_4O}$ (1)
$\mathrm{C_2H_4O + 2.5\,O_2 \rightarrow 2\,CO_2 + 2\,H_2O}$ (2)
$\mathrm{C_2H_4 + 3\,O_2 \rightarrow 2\,CO_2 + 2\,H_2O}$ (3)

Catalyst pellets are designed to favor selective oxidation [epoxidation, Eq. (1)] over total oxidation [Eqs. (2) and (3)] by limiting the availability of active sites. Silver is supported on pure aluminum oxide having pore diameters ranging from 0.5 to 50 µm and a specific surface area 2 m2/g. The motivation for designing this catalyst is that a less active catalyst will promote the partial oxidation of ethylene to EO, but it will promote neither the total oxidation of ethylene nor the subsequent oxidation of EO. The catalyst is operated with alkali metal promoters, usually cesium, and chlorine-containing inhibitors. The main drawback of using a silver catalyst is that, although its initial selectivity ranges from 79 to 83%, as it ages its selectivity deteriorates, and there are no generally applicable methods of regeneration. The life span of the catalyst is 2–5 years.

The effluent from the reactor passes through the absorber, in which the EO and some of the carbon dioxide, hydrocarbons, and aldehydes dissolve in the water. Most of the unabsorbed gas that leaves the top of the absorber is cooled and becomes the recycle ethylene stream. Gaseous impurities from the oxygen feed, such as argon, are purged from the recycle gas stream through the main process vent (Vent A). Because there are fewer impurities in the oxygen feed, the purge stream is totally recycled. Thus, there is a build-up of by-product CO2 that could reduce catalytic selectivity to EO at high levels if not removed from the system. A portion of the overhead gas from the absorber passes through a CO2 absorber which uses potassium carbonate as an absorbent, then joins the recycle to the reactor. The spent CO2 absorbent is reactivated in the CO2 desorber, and then recycled to the CO2 absorber. The CO2 is vented from the CO2 desorber.

The dilute aqueous solutions of EO, CO2, and other volatile organic compounds (VOC) from the absorbers are combined and fed to the desorber where the EO and dissolved inerts are distilled under reduced pressure. The desorber water, virtually free of EO, is re-circulated to the absorbers. The crude EO from the desorber is sent to a stripper for the removal of CO2 and inert gases and then sent to a final refining column (distillation column). Light gases separated in the stripper are vented overhead (Vent B). The final product, 99.5 mol% EO, is stored under a nitrogen atmosphere in pressurized tanks.

4.1.1. Safety practices

The oxygen feed rate is kept consistent with the ethylene feed rate during start-up; therefore, the emission rate from the main process vent during start-up is about the same as that for normal operations. Process upsets, however, can cause a sharp increase in emissions. When an upset occurs, the ethylene feed rate is reduced to lessen the amount of VOC in the vent stream. Because EO is completely soluble in water, the purge absorber can be 99.9% effective for its removal. The EO content of the main process vent stream (Vent A) is therefore quite low. The ethane and ethylene content, however, is sufficient for combustion. This stream is now normally burned in a thermal oxidizer. During upsets, the main process vent stream can be directed to an emergency flare.

The stripper vent (Vent B) of the air oxidation process releases the inert gases and ethylene which were absorbed into the main and purge absorber. The amount of emissions is affected by the water use rate, but not by process start-ups or shutdowns. EO is normally scrubbed from the stripper vent stream with water and returned to the process. The resulting vent stream is normally combusted in a boiler, effecting virtually 100% EO emissions control. The ethylene content of the main process vent stream (Vent A) is sufficient to support combustion and is routinely vented to a boiler or incinerator. The CO2 desorber vent (Vent B) contains more than 99.7% CO2 and water. It is estimated that the maintenance required in the plant will be 6% of the operation time.

4.2. Hazard identification: SWeHI

The SWeHI system has been used to screen all units of the EO plant. The results are summarized in Table 1. Considering the planned process control arrangements and primary safety measures, the reaction unit and the EO storage unit have been identified as highly hazardous units, whereas the ethylene transportation line, EO distillation column, and ethylene reboiler are ranked as hazardous units. These units need a further detailed assessment of risk, and safety measures designed accordingly to counter these escalated risks. Other units such as the EO scrubber, EO desorber, stripping column, and heat exchangers were moderately or less hazardous, and do not need further study.

Table 1 Safety weighted hazard index (SWeHI) for various units of the EO plant

| Units | Chemical of concern | Type of major hazard present | Fire and Explosion Damage Index (B1) | Toxic Damage Index (B2) | Hazard Potential Index (B) | Rating | Hazard Control Index (A) | Safety performance index (SPI) = B/A | Rating |
|---|---|---|---|---|---|---|---|---|---|
| Ethylene transportation line | Ethylene | Fire and explosion | 440.3 | 145.5 | 440.3 | HH (a) | 39.3 | 11.2 | H |
| Reaction unit | Ethylene and ethylene oxide | Fire and explosion | 575.4 | 177.5 | 577.5 | EH | 35.0 | 16.5 | HH |
| Ethylene oxide scrubber | Ethylene oxide | Fire and explosion | 267.5 | 98.0 | 267.5 | H | 35.2 | 7.6 | MH |
| Ethylene oxide desorber | Ethylene oxide | Fire and explosion | 183.2 | 46.5 | 183.2 | MH | 42.6 | 4.3 | LH |
| CO2 scrubber | Carbon dioxide | Fire and toxic release | 45.0 | 67.5 | 67.5 | LH | 33.8 | 2.0 | LH |
| CO2 desorber | Carbon dioxide | Fire and toxic release | 55.4 | 41.0 | 55.4 | LH | 30.8 | 1.8 | LH |
| Stripping column | Light end and ethylene oxide | Fire, explosion and toxic release | 175.5 | 79.0 | 175.5 | MH | 31.3 | 5.6 | MH |
| Ethylene oxide distillation column | Ethylene oxide | Fire and explosion | 380.5 | 135.0 | 380.5 | HH | 33.1 | 11.5 | H |
| Heat exchanger 1 | Ethylene oxide and CO2 | Fire and toxic release | 105.0 | 47.0 | 105.0 | MH | 36.0 | 2.9 | LH |
| Heat exchanger 2 | Ethylene oxide and CO2 | Fire and toxic release | 105.0 | 47.0 | 105.0 | MH | 36.0 | 2.9 | LH |
| Heat exchanger 3 | Ethylene oxide and CO2 | Fire and toxic release | 125.4 | 50.5 | 125.5 | MH | 28.5 | 4.4 | LH |
| Heat exchanger 4 | Ethylene oxide and CO2 | Fire and toxic release | 84.5 | 57.0 | 84.5 | LH | 36.0 | 2.3 | LH |
| Reboiler | Ethylene oxide | Fire and explosion | 281.7 | 106.5 | 241.7 | H | 26.8 | 10.5 | H |
| Ethylene storage | Ethylene oxide | Fire and explosion | 541.5 | 165.7 | 541.7 | EH | 30.9 | 17.5 | HH |

(a) EH, extremely hazardous; HH, highly hazardous; H, hazardous; MH, moderately hazardous; LH, less hazardous; NH, not hazardous.

4.3. Quantitative hazard assessment: MCAA

4.3.1. Envisaging of accident scenarios

With the help of the MCAS methodology, credible accident scenarios have been envisaged in each unit. Out of the credible accident scenarios, the maximum credible accident scenario has been used here for a detailed MCAA of that particular unit.

Fig. 3. Process flow diagram of the ethylene oxide (EO) plant.

4.3.1.1. Transportation of ethylene: Scenario 1

Ethylene is transported through a pipeline to the reaction unit. A fraction of the pipeline runs along the road. The most credible accident scenario envisaged for this unit is the release of ethylene through either a leak or a rupture, causing the development of a vapor cloud which, on meeting an ignition source, causes a fireball.

4.3.1.2. Reaction unit: Scenario 2

The reaction unit is the most vulnerable part of the plant as it handles highly unstable chemicals under severe conditions of temperature and pressure. Any mis-operation in the unit may cause a build-up of high pressure in the reactor which would cause an explosion. On ignition, the released material would cause a fireball. The most credible accident scenario envisaged for this unit is a confined vapor cloud followed by a fireball.

4.3.1.3. Distillation column: Scenario 3

A distillation column is used to purify the EO. Any untoward situation in the column would cause the release of highly unstable EO as BLEVE; the released chemical on ignition would form a fireball.

4.3.1.4. Ethylene oxide storage: Scenario 4

Excessively high pressure developed in the vessel is either due to overfilling or a runaway reaction in the vessel. The instantaneous release of high pressure causes the vessel to fail as CVCE. The released chemical on ignition would burn as a fireball.

4.3.1.5. Reboiler: Scenario 5

Due to improper maintenance or other effects, a leak develops in the reboiler, causing the release of chemicals. The leaking area is believed to be 40% of the input/output of the pipeline cross-sectional area. The released chemical forms a vapor cloud over the area of the congested units. The vapor cloud on meeting an ignition source would cause a vapor cloud explosion. The unburned chemical would burn as a flash fire.

4.4. Hazard quantification

The forecasts for scenario 1 (fireball) are presented in Table 2. The vapor cloud generated by instantaneous/continuous release on ignition would cause a fireball, which would generate a heat radiation effect. It is clear from Table 2 that an area of 90 m radius faces a 50% probability of being damaged due to heat load. The heat radiation may cause a fatality as well as second-order accidents by seriously damaging other units/accessories. The worst affected would be the ethylene oxide reactor and its accessories.

The forecasts based on detailed calculations for scenario 2 are presented in Table 3. CVCE followed by a fireball would cause extensive damage. It is evident from Table 3 that damage of a high degree of severity due to overpressure and shockwave would be operative over an area of 100 m radius, while moderate damage (50% probability of lethality) would occur over an area of 150 m radius. The released unburned chemical would be burned as a fireball. The heat load generated due to the fireball would be lethal over an area of more than 125 m radius. Heat load and shockwave generated due to this unit may initiate secondary and higher order accidents in the units placed within the proximity of the damage area.

As briefed elsewhere, the distillation column handles EO at quite high temperatures. The results of the damage calculation for the most credible accident scenario (scenario 3) in this unit are presented in Table 4. It is evident from the results that damage-causing shockwaves would be effective over an area of more than 140 m radius. The burning of a vapor cloud as a fireball would generate an intensive heat load which would be devastating over an area of 125 m radius. As many other units are in close proximity to this unit, this scenario is most likely to cause a domino effect.

The results of scenario 4 are presented in Table 5. It is evident from the results that this scenario would be the most disastrous one. While the damage-causing shockwave would be operative over an area of 150 m radius, the heat load sufficient to cause fatality would envelop an area of 200 m radius. Though the storage vessel is located in the extreme corner of the plant (a relatively isolated place), the damage radii due to heat load, overpressure (shockwave), and missile effect would envelop some of the vulnerable units of the plant, which may initiate a higher order of accidents.

Unlike the storage vessel and the EO reactor, the reboiler poses fewer hazards. Though the scenario has been envisaged as a vapor cloud explosion followed by a flash fire, detailed analysis reveals that a vapor cloud explosion is unlikely to occur with the given constraints. Therefore, there is no threat due to overpressure or shockwave. However, the damaging effect of heat load due to a flash fire would be effective over an area of 70 m radius (Table 6).

Table 2 Results of maximum credible accident analysis for the ethylene transportation line: scenario 1

| Parameters | Values |
|---|---|
| Fire: Fireball | |
| Radius of the fireball (m) | 50.00 |
| Duration of the fireball (s) | 21.00 |
| Energy released by fireball (kJ) | 9.20e+05 |
| Radiation heat flux (kJ/m²) | 1406.00 |
| Damage radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 50 |
| DR for 50% fatality/damage (m) | 88 |
| DR for 100% third degree of burn (m) | 139 |
| DR for 50% third degree of burn (m) | 181 |

Table 3 Results of maximum credible accident analysis for the ethylene oxide reactor: scenario 2

| Parameters | Values |
|---|---|
| Explosion: CVCE | |
| Energy released during explosion (kJ) | 3.06e+09 |
| Peak over pressure (kPa) | 600.00 |
| Variation of over pressure in air | 511.00 |
| Shock velocity of air (m/s) | 753.00 |
| Duration of shock wave (ms) | 87.0 |
| Missile characteristics | |
| Initial velocity of fragment (m/s) | 539.00 |
| Kinetic energy of fragment (kJ) | 7.26e+05 |
| Fragment velocity at study point (m/s) | 528.00 |
| Penetration ability at study point (based on empirical model) | |
| Concrete structure (m) | 0.4153 |
| Brick structure (m) | 0.5307 |
| Steel structure (m) | 0.0538 |
| Damage radii (DR) for various degrees of damage due to over pressure | |
| DR for 100% damage (m) | 100 |
| DR for 100% fatality or 50% damage (m) | 152 |
| DR for 50% fatality or 25% damage (m) | 224 |
| Damage radii (DR) for the varying degree of damage due to missile | |
| DR for 100% damage or 100% fatality (m) | 2904 |
| DR for 50% damage or 100% fatality (m) | 3019 |
| DR for 100% fatality or 10% damage (m) | 3123 |
| Fire: Fireball | |
| Radius of the fireball (m) | 92.00 |
| Duration of the fireball (s) | 38.00 |
| Energy released by fireball (kJ) | 1.28e+07 |
| Radiation heat flux (kJ/m²) | 4896.00 |
| Damage radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 99 |
| DR for 50% fatality/damage (m) | 127 |
| DR for 100% third degree of burn (m) | 181 |
| DR for 50% third degree of burn (m) | 240 |

Table 4 Results of maximum credible accident analysis for the distillation column: scenario 3

| Parameters | Values |
|---|---|
| Explosion: BLEVE | |
| Total energy released (kJ) | 1.3e+09 |
| Peak over pressure (kPa) | 510.00 |
| Variation of over pressure in air (kPa/s) | 490.00 |
| Shock velocity of air (m/s) | 745.00 |
| Duration of shock wave (ms) | 94.0 |
| Missile characteristics | |
| Initial velocity (m/s) | 335.00 |
| Kinetic energy of fragment (kJ) | 2.79e+05 |
| Fragment velocity at study point (m/s) | 328.00 |
| Penetration ability at study point (based on empirical models) | |
| Concrete structure (m) | 0.2028 |
| Brick structure (m) | 0.2591 |
| Steel structure (m) | 0.0334 |
| Damage radii (DR) for various degrees of damage due to over pressure | |
| DR for 100% damage (m) | 95 |
| DR for 100% fatality or 50% damage (m) | 140 |
| DR for 50% fatality or 25% damage (m) | 210 |
| Damage radii (DR) for the varying degree of damage due to missile | |
| DR for 100% damage or 100% fatality (m) | 2674 |
| DR for 50% damage or 100% fatality (m) | 2790 |
| DR for 100% fatality or 10% damage (m) | 2893 |
| Fire: Fireball | |
| Radius of the fireball (m) | 74.00 |
| Duration of the fireball (s) | 30.00 |
| Energy released by fireball (kJ) | 1.18e+07 |
| Radiation heat flux (kJ/m²) | 4493.00 |
| Damage radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 74 |
| DR for 50% fatality/damage (m) | 126 |
| DR for 100% third degree of burn (m) | 180 |
| DR for 50% third degree of burn (m) | 238 |

Table 5 Results of maximum credible accident analysis for the ethylene oxide storage: scenario 4

| Parameters | Values |
|---|---|
| Explosion: CVCE | |
| Energy released during explosion (kJ) | 2.05e+09 |
| Peak over pressure (kPa) | 580.00 |
| Variation of over pressure in air (kPa/s) | 504.00 |
| Shock velocity of air (m/s) | 753.00 |
| Duration of shock wave (ms) | 80.0 |
| Missile characteristics | |
| Initial velocity of fragment (m/s) | 283.00 |
| Kinetic energy of fragment (kJ) | 2.00e+05 |
| Fragment velocity at study point (m/s) | 277.00 |
| Penetration ability at study point (based on empirical model) | |
| Concrete structure (m) | 0.1579 |
| Brick structure (m) | 0.2018 |
| Steel structure (m) | 0.0283 |
| Damage radii (DR) for various degrees of damage due to over pressure | |
| DR for 100% damage (m) | 97 |
| DR for 100% fatality or 50% damage (m) | 150 |
| DR for 50% fatality or 25% damage (m) | 220 |
| Damage radii (DR) for the varying degree of damage due to missile | |
| DR for 100% damage or 100% fatality (m) | 2594 |
| DR for 50% damage or 100% fatality (m) | 2710 |
| DR for 100% fatality or 10% damage (m) | 2814 |
| Fire: Fireball | |
| Radius of the fireball (m) | 145.00 |
| Duration of the fireball (s) | 59.00 |
| Energy released by fireball (kJ) | 2.89e+07 |
| Radiation heat flux (kJ/m²) | 8038.00 |
| Damage radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 145 |
| DR for 50% fatality/damage (m) | 200 |
| DR for 100% third degree of burn (m) | 277 |
| DR for 50% third degree of burn (m) | 360 |

Table 6 Results of maximum credible accident analysis for reboiler: scenario 5

| Parameters | Values |
|---|---|
| Explosion: UVCE | No explosion |
| Fire: Flash fire | |
| Volume of vapor cloud (m³) | 389 |
| Effective time of fire (s) | 213787 |
| Effective thermal load (kJ/m²) | 1762 |
| Damage radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 69 |
| DR for 50% fatality/damage (m) | 93 |
| DR for 100% third degree of burn (m) | 142 |
| DR for 50% third degree of burn (m) | 165 |

4.5. Probabilistic hazard assessment: ASM

This step is comprised of two activities: (i) fault tree development, and (ii) fault tree analysis. We have conducted this step for all five of the pre-identified units. However, due to limited space we present details of only two units, and a summary of the others.

4.5.1. Ethylene transportation line

4.5.1.1. Fault tree development

The top event was identified as a release causing the formation of a vapor cloud, which on meeting an ignition source would lead to a fireball. There are twelve basic events which may contribute directly and/or indirectly to the accident scenario. These events with their frequency of failure are given in Table 7. Most of the data is obtained from the specific industry; however, the values of some parameters were obtained from the literature, as industry-specific data was not available for these events (Lees, 1996). Based on the process description and the detailed study of the reactor, a fault tree was developed (Fig. 4).

Table 7 Elements of the fault tree developed for the most credible accident in the ethylene transportation line

| Number referred in Figure | Elements | Failure frequency (/yr) |
|---|---|---|
| 1 | Release due to accident with road tanker | 4.5e-05 |
| 2 | Release due to damage caused by earthquake | 1.0e-08 |
| 3 | Choking of the pipeline | 3.6e-02 |
| 4 | Compressor overrun | 1.2e-02 |
| 5 | Side reaction in the pipeline | 2.5e-04 |
| 6 | Heating of the pipe | 3.5e-03 |
| 7 | Leaks from the joints and/or bends | 4.3e-03 |
| 8 | Leaks from bends | 2.5e-03 |
| 9 | Leak from the straight run pipe due to corrosion | 7.8e-03 |
| 10 | Mechanical failure or fault in the pipeline | 4.0e-05 |
| 11 | Leak from the valves | 2.6e-04 |
| 12 | Ignition source | 1.0e-01 |
| | Events added for safety measures | |
| 13 | Cooling system failed | 1.0e-01 |
| 14 | Safety relief system failed | 1.0e-02 |
| 15 | Flammable chemical detector failed to function on demand | 5.0e-02 |
| 16 | Inert gas purging/blanking system to dilute released toxic/flammable gases failed | 1.0e-01 |
| 17 | Flame arrestor failed to function on demand | 5.0e-02 |

4.5.1.2. Fault tree analysis

The result of fault tree analysis (output of PROFAT) is presented in Table 8.

Fig. 4. Fault tree for an accident in a pipeline.

Table 8 Results of PROFAT for the most credible accident scenario in the ethylene transportation line

| Event not occurring | Probability | Improvement | Improvement Index |
|---|---|---|---|
| 0 | 8.077949e-03 | 0.000000e+00 | 0.000000 |
| 1 | 7.677899e-03 | 1.600200e-03 | 2.481282 |
| 2 | 8.077963e-03 | 5.855691e-08 | 0.000091 |
| 3 | 3.939644e-03 | 1.655322e-02 | 25.66763 |
| 4 | 6.704153e-03 | 5.495187e-03 | 8.520895 |
| 5 | 8.049340e-03 | 1.144345e-04 | 0.177443 |
| 6 | 7.677839e-03 | 1.600440e-03 | 2.481660 |
| 7 | 7.586344e-03 | 1.966421e-03 | 3.049154 |
| 8 | 7.792205e-03 | 1.142977e-03 | 1.772313 |
| 9 | 7.185653e-03 | 3.569184e-03 | 5.534415 |
| 10 | 8.073375e-03 | 1.829898e-05 | 0.028375 |
| 11 | 8.048296e-03 | 1.186125e-04 | 0.183922 |
| 12 | 0.000000e+00 | 3.231180e-02 | 50.10301 |

The total probability of occurrence of the undesired event when all initiating events occur is estimated as 8.07E-03 per year. The improvement factor analysis (fifth step of ASM) suggests that event 12 has the largest contribution (about 50%) to the probability of the eventual accident. Table 8, which summarizes the results of the improvement analysis, indicates that the events which would have the lowest contribution towards the undesired event are 2, 5, 10, and 11. The study concludes that particular attention must be paid to events 12, 3, 4, 9, 7, 6, and 1, which are most likely to lead to the eventual accident (top event).

4.5.2. Ethylene oxide storage vessel

4.5.2.1. Fault tree development

As mentioned elsewhere, the most credible accident scenario for this unit is envisaged as CVCE followed by a fireball. There are nineteen basic events that contribute directly and indirectly to an accident. The likely sequences of events are depicted in Fig. 5. The probability of the occurrence of these basic events is presented in Table 9.

4.5.2.2. Fault tree analysis

The developed fault tree (depicted in Fig. 5) has been analyzed using PROFAT. The result of the analysis is presented in Table 10. The overall probability of occurrence of this particular scenario is estimated as 8.269E-04 per year. It is evident from Table 10 that events 18, 6, 1, 2, and 3 contribute to the extent of 45%, 18%, 13%, 8%, and 8% respectively, in causing this accident. Control of these events would considerably reduce the overall probability of occurrence of the top event.

Fig. 5. Fault tree for an accident in a storage vessel of EO.

4.5.3. Reaction unit, EO distillation column, and reboiler

A fault tree has been developed for the most credible accident scenario in the reaction unit. The developed tree contains 25 basic events. Similarly, the fault tree for the distillation column contains 23 basic events, and for the reboiler, 18 basic events. These fault trees are subsequently analyzed using PROFAT. The results reveal that the most credible accident in the reaction unit is likely to occur with a frequency of 4.292E-03 per year.
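The "event not occurring" analysis reported in Table 8, as an added example (not the paper's code and not PROFAT): each basic event is suppressed in turn, the top event is recomputed, and the drops are normalised into an index. Assumptions: the tree topology is constructed here because Fig. 4 is not reproduced, so its numbers do not reproduce Table 8; the Table 7 frequencies are treated as independent yearly probabilities; and the Improvement Index is read as each improvement's percentage share of the column total, which the block checks against the published Table 8 column.

```python
"""Improvement analysis on a fault tree: suppress one basic event at a time."""
from math import prod

# Failure frequencies (/yr) of basic events 1-12 from Table 7, treated here as
# independent per-year probabilities (assumption of this example).
TABLE7 = {
    1: 4.5e-05, 2: 1.0e-08, 3: 3.6e-02, 4: 1.2e-02, 5: 2.5e-04, 6: 3.5e-03,
    7: 4.3e-03, 8: 2.5e-03, 9: 7.8e-03, 10: 4.0e-05, 11: 2.6e-04, 12: 1.0e-01,
}

# Hypothetical topology (Fig. 4 is not reproduced on the page): a release by
# any cause AND an ignition source. Each basic event appears exactly once.
TREE = ("AND",
        ("OR",
         ("OR", 1, 2),                # external damage
         ("OR", 3, 4, 5, 6),          # overpressure or overheating
         ("OR", 7, 8, 9, 10, 11)),    # leaks and mechanical failure
        12)                           # ignition source

# "Improvement" column of Table 8 as published, events 1-12.
TABLE8_IMPROVEMENT = {
    1: 1.600200e-03, 2: 5.855691e-08, 3: 1.655322e-02, 4: 5.495187e-03,
    5: 1.144345e-04, 6: 1.600440e-03, 7: 1.966421e-03, 8: 1.142977e-03,
    9: 3.569184e-03, 10: 1.829898e-05, 11: 1.186125e-04, 12: 3.231180e-02,
}


def gate_probability(node, p):
    """Probability of a node: an int is a basic event, a tuple is a gate."""
    if isinstance(node, int):
        return p[node]
    kind, *children = node
    values = [gate_probability(child, p) for child in children]
    if kind == "AND":
        return prod(values)
    if kind == "OR":
        return 1.0 - prod(1.0 - v for v in values)
    raise ValueError(f"unknown gate type: {kind!r}")


def improvement_index(improvements):
    """Each event's share (%) of the summed improvements."""
    total = sum(improvements.values())
    if total == 0:
        return {event: 0.0 for event in improvements}
    return {event: 100.0 * value / total for event, value in improvements.items()}


def improvement_analysis(tree, p):
    """Return (base probability, probability with each event suppressed, index)."""
    base = gate_probability(tree, p)
    suppressed = {e: gate_probability(tree, {**p, e: 0.0}) for e in p}
    drops = {e: base - q for e, q in suppressed.items()}
    return base, suppressed, improvement_index(drops)


def ranking(index):
    """Events ordered from largest to smallest contribution."""
    return sorted(index, key=index.get, reverse=True)


if __name__ == "__main__":
    base, suppressed, index = improvement_analysis(TREE, TABLE7)
    print(f"constructed tree, top event: {base:.3e} per year")
    for event in ranking(index):
        print(f"  event {event:2d}: without it {suppressed[event]:.3e}, "
              f"index {index[event]:6.2f}")
    published = improvement_index(TABLE8_IMPROVEMENT)
    print("ranking from Table 8:", ranking(published))
```

Normalising the published Improvement column this way returns the published index values and the same event ordering the text gives (12, 3, 4, 9, 7, 6, 1 at the top; 2, 5, 10 and 11 at the bottom).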

Accidents in the distillation column and the reboiler are less likely to occur (1.45E-04 per year and 3.50E-04 per year, respectively, Table 11).

Table 9 Elements of the fault tree developed for the most credible accident in the ethylene oxide storage vessel

| Number referred in Figure | Elements | Failure frequency (/yr) |
|---|---|---|
| 1 | Truck hitting the storage tank | 2.0e-03 |
| 2 | Road accident causing generation of heat load | 5.0e-02 |
| 3 | Cooling failed or inadequate | 2.0e-02 |
| 4 | Damage due to earthquake | 1.0e-08 |
| 5 | Failure due to corrosion | 6.0e-04 |
| 6 | Joint failed | 3.0e-03 |
| 7 | Hitting from external source | 2.0e-04 |
| 8 | Impurities present in the tank/or EO impure | 1.0e-01 |
| 9 | Decomposition of EO | 2.5e-01 |
| 10 | Pressure control failed | 2.5e-01 |
| 11 | Excess flow (overfilling of the tank) in the tank | 1.0e-01 |
| 12 | Inflow to storage is at higher pressure | 3.5e-02 |
| 13 | Overheating due to high temperature EO inflow | 5.0e-02 |
| 14 | Temperature controller failed | 2.5e-01 |
| 15 | Heat generation due to side reaction | 5.0e-03 |
| 16 | Bursting disk capacity inadequate/failed to function | 2.0e-02 |
| 17 | Relief valve inadequate/failed to function | 2.0e-02 |
| 18 | Ignition source | 1.0e-01 |
| 19 | Alarm failed | 1.5e-01 |
| | Events added for safety measures | |
| 20 | Installed insulated barrier (wall) between transportation and storage vessel failed | 1.0e-02 |
| 21 | Improper maintenance or maintenance failure to detect the defect | 1.0e-01 |
| 22 | Emergency relief valve to evacuate the content to another vessel failed | 5.0e-03 |
| 23 | Installed cooling system failed | 1.0e-01 |
| 24 | Inert gas purging/blanking system to dilute released toxic/flammable gases failed | 1.0e-01 |
| 25 | Flame arrestor failed to function on demand | 5.0e-02 |

4.6. Risk quantification

Using the results of steps 2 and 3, risk has been computed. The summary of the average individual risk factor caused by different accidents is given in Table 11. Analysis of these results reveals that the ethylene transportation line and the reaction unit pose maximum individual risk, 2.34E-03 and 1.575E-03 per year respectively, because the probability of occurrence of both events is quite high. FN curves for these units have been plotted in Figs. 6–10. It is evident from these figures that, except for some parts of the distillation column and the reboiler, most of the FN curves are far above the acceptance criteria (Dutch acceptable risk criteria). Thus, these units require extra safety measures.

4.6.1. Risk reduction through add-on safety measures: MCCA-PFTA controller system

A list of the possible control options to reduce the risk is given in Table 12. From these, various combinations of the control measures were selected to reduce the risk potential of a unit. When these measures were accounted for, the fault tree for the unit was modified, as shown in Fig. 11 for an ethylene transportation line. On analyzing the new fault tree (Fig. 11), the frequency of occurrence of the top event (envisaged accident) was changed to 3.153E-05, which is about 250 times lower than the previous value. The risk profile (FN curve) after the implementation of control measures for an ethylene transportation line is shown in Fig. 6, revealing that after safety measures were taken into account, the risk profile decreased to well within the acceptable limits.

After deciding the safety measures, the fault tree for the storage vessel was modified, as shown in Fig. 12. The modified fault tree has been processed through PROFAT for probability estimation. The results reveal that after implementing the safety measures, the probability of occurrence decreases to 4.515E-06, a value about 180 times lower than the previous value (Table 11). It can be seen from Fig. 9 that the FN curve for the modified situation is well within the acceptable range.

This step has also been repeated for the reaction unit, the distillation column, and the reboiler. A significant lowering of the probability has been observed in these cases as well (Table 11). The risk profiles for these units are presented in Figs. 7, 8 and 10. For the reboiler unit, implementation of only a few safety measures brings the FN curve to an acceptable range. On the other hand, for the reaction unit and to some extent for the distillation column, the implementation of considerable safety measures, similar to those for the storage vessel, is required to bring the FN curve to an acceptable range (Figs. 7 and 8).

Table 10 Results of PROFAT for the most credible accident scenario in the chlorohydrin reactor

| Event not occurring | Probability | Improvement | Improvement Index |
|---|---|---|---|
| 0 | 8.269699e-04 | 0.000000e+00 | 0.000000 |
| 1 | 5.960017e-04 | 9.238724e-04 | 12.60345 |
| 2 | 6.803274e-04 | 5.865701e-04 | 8.001984 |
| 3 | 6.802230e-04 | 5.869873e-04 | 8.007675 |
| 4 | 8.270441e-04 | 2.969609e-07 | 0.004051 |
| 5 | 7.576942e-04 | 2.771026e-04 | 3.780231 |
| 6 | 4.803985e-04 | 1.386285e-03 | 18.91169 |
| 7 | 8.039474e-04 | 9.208970e-05 | 1.256287 |
| 8 | 8.254201e-04 | 6.199130e-06 | 0.084568 |
| 9 | 8.200557e-04 | 2.765663e-05 | 0.377291 |
| 10 | 8.245261e-04 | 9.775176e-06 | 0.133353 |
| 11 | 8.264632e-04 | 2.026922e-06 | 0.027651 |
| 12 | 8.268506e-04 | 4.770845e-07 | 0.006508 |
| 13 | 8.267462e-04 | 8.948991e-07 | 0.012208 |
| 14 | 8.254646e-04 | 6.021248e-06 | 0.082142 |
| 15 | 8.270144e-04 | 1.779845e-07 | 0.002428 |
| 16 | 8.172244e-04 | 3.898186e-05 | 0.531790 |
| 17 | 8.172244e-04 | 3.898186e-05 | 0.531790 |
| 18 | 0.000000e+00 | 3.307879e-03 | 45.12606 |
| 19 | 8.172244e-04 | 3.898186e-05 | 0.531790 |

Table 11 Average individual risk factor before and after add-on safety measures have been decided

| Process units | Probability of occurrence (before improvement of safety measures) | Average individual risk factor (before) | Probability of occurrence (after implementation of safety measures) | Average individual risk factor (after) |
|---|---|---|---|---|
| Ethylene pipeline | 8.077E-03 | 2.340E-03 | 3.153E-05 | 9.90E-06 |
| Ethylene oxide reactor | 4.292E-03 | 1.575E-03 | 1.455E-05 | 5.32E-06 |
| Distillation column | 1.450E-04 | 5.200E-05 | 7.562E-06 | 2.73E-06 |
| Ethylene oxide storage | 8.269E-04 | 4.540E-04 | 4.515E-06 | 2.50E-06 |
| Reboiler | 3.505E-04 | 1.020E-04 | 1.150E-05 | 3.37E-06 |

Fig. 6. FN curves for an ethylene transportation pipeline.

Fig. 7. FN curve for an EO reactor (reaction unit).

Table 12 Various add-on safety options that have been suggested for implementation over different units to bring risk factors to the acceptable values

| Control option | Frequency of failure (/yr) |
|---|---|
| Flame arrester | 0.050 |
| Installing insulated barrier (wall) between transportation and storage vessel | 0.010 |
| Regular maintenance scheme for corrosion and other mechanical defects | 0.100 |
| Sprinkling system | 0.010 |
| Advanced control mechanism, i.e. feed forward, cascade control, neural network based control, DDC | 0.005 |
| Advanced final control element (digital controller) | 0.001 |
| Installation of pressure monitoring with emergency relief system | 0.050 |
| Installing cooling system | 0.100 |
| Replacement of old valves with more reliable valves | 0.090 |
| Check valve with relief provision | 0.030 |
| Installation of additional controllers | 0.020 |
| Installation of by pass line | 0.040 |
| Flammable chemical detector | 0.050 |
| Safety relief valve | 0.010 |
| Emergency relief valve to evacuate the contents to another vessel | 0.005 |
| Inert gas purging/blanking system to dilute released toxic/flammable gases | 0.100 |

Fig. 8. FN curve for a distillation column.

Fig. 9. FN curve for an EO storage vessel.

Fig. 10. FN curves for a reboiler.

Fig. 11. Modified fault tree diagrams after implementing control measures for an accident in an ethylene pipeline.

Fig. 12. Modified fault tree diagrams after implementing control measures for an accident in a storage vessel of EO.

5. Conclusion

The objective of this paper is to discuss a recently proposed methodology for safety management through a quantitative feedback system of risk assessment, and to demonstrate its application to real life. The methodology is basically a combination of four quantitative steps, each requiring independent methodology and computer-aided tools. The first step is to identify and screen the hazards in an industry; for this the robust, reliable and efficient methodology of SWeHI has been recommended. The next step, hazard quantification (MCAA), uses the recently proposed methodology of MCAS and computer tools such as MAXCRED-III. Another part of this step estimates the probability of an envisaged accident scenario and is conducted using the fault tree analysis, PROFAT, the recommended computer-automated tool. In the third step, the results of the previous two steps are combined to compute risk. The estimated risk is subsequently compared with the criteria; if it exceeds the acceptable level, step 4 is executed. Step 4 is the feedback step, which carries out step 3 again once the necessary safety measures to control the risk have been decided.

The proposed methodology has been given the acronym SCAP: Safety, Credible Accident, Probabilistic fault tree analysis. The usefulness of the methodology has been demonstrated by applying it to a real life situation (ethylene oxide plant) where SCAP showed how successive safety measures lowered the risks posed by five units of the plant to within levels defined as safe. These authors believe that this methodology scores better in the following ways:

- Easy to implement: there are only four straightforward steps with structured methodology and guidance to conduct each step.
- Faster in implementation: the use of a computer-automated tool will considerably reduce the time of the application.
- More reliable results: as the methodology recommends the use of the latest, reliable methodology and models for each step such as SWeHI, MCAS, and ASM, the final outcome of the study will be more reliable.
- No interpretation of results: the outcome of each step is of direct importance and does not require any interpretation; e.g. the results of SWeHI: radius of area under threat; MCAS: most credible accident scenario; risk computation: individual risk factor and FN curve, etc.

References
API (1990). Management of process hazards, American Petroleum Institute Recommended Practice 750 (1st ed.). Washington, DC: API. BBC (2000). Huge blast rocks Kuwaits renery. WWW.BBC.COM Bossche, A. (1991). Computer aided fault tree synthesis; system modeling and causal trees; Fault tree construction; real time fault locationI. Reliability Engineering and System Safety, 32, 217 241. CCPS (1989). Guidelines for chemical process quantitative risk analysis. New York: AIChE. CNN (1997). Explosion and re reported at Shell Oil Company plant. www.cnn.com/us9706/22/briefs/shwll.oil.expl/index.html CNN (1998). Fuel from vandalized Nigerian pipeline ignites killing 50. www.cnn.com/2000/world/africa/03/22/nigeria.pipeline.re CNN (1999a). Largest ne ever sought for fatal pipeline explosion in Washington state. www.cnn.com/2000/law/06/02/ pipeline.safety.ne/index.html CNN (1999b). 2 killed in Tennessee oil tank blast. www.cnn.com/us/9906/30/tank.explodes CNN (2000a). Explosion hits Kuwaits al-Ahmadi renery. www.cnn.com CNN (2000b). 4 dead, 49 hurt in blast at Kuwaits largest oil renery. www.cnn.com

Acknowledgements Support provided by Faculty of Engineering and Applied Science, Memorial University of Canada and Centre for Pollution Control and Energy Technology, Pondicherry University of India is highly appreciated. Authors are also grateful to Dr. Iona Bulgin for editing the text of the manuscript.

146

F.I. Khan et al. / Journal of Loss Prevention in the Process Industries 15 (2002) 129146

