process safety_handbook_2011.pdf
8/10/2019 Process safety_Handbook_2011.pdf
1/129
INTERNAL 2 of 129   PROCESS SAFETY HANDBOOK
2011-04-04
Contents
1 Reference publications ..... 4
1.1 External references to standards and guidelines ..... 4
1.2 References to external specialist works ..... 4
1.3 Yara reference documents ..... 4
1.4 Process Safety categorised as 12 Elements (PSE) ..... 4
2 Structure of Process Safety ..... 5
2.1 Structure of ISO (OSHAS) 18001 ..... 5
2.2 ISO (OSHAS) 18001 related to Yara PSE (Process Safety Elements) ..... 5
2.3 Yara documents related to ISO 18001 ..... 6
3 Definitions ..... 9
4 Risk, risk analyses and safety studies ..... 17
4.1 Risk identification and risk ranking ..... 17
4.2 Risk acceptance criteria ..... 17
4.2.1 Acceptance in connection with risk ranking ..... 17
4.3 On-site risk acceptance (Yara Green Rule) ..... 19
4.4 Off-site risk acceptance (Yara Green Rule) ..... 19
5 Hazards and consequences related to production activities ..... 21
5.1 Hazard identification by Check Lists ..... 23
5.1.1 Simple Check-List ..... 23
5.1.2 Comprehensive checklist ..... 24
5.2 Hazard and Operability Studies (HAZOP) ..... 27
5.2.1 HAZOP study work process ..... 29
5.2.2 Operating procedures ..... 32
5.2.3 Computer-controlled processes ..... 32
5.2.4 Documentation needed for a HAZOP study ..... 33
5.2.5 Recording of the HAZOP work ..... 33
5.3 Criticality ranking for maintenance purposes ..... 36
5.3.1 Purpose of criticality analysis and risk assessment ..... 36
5.3.2 The risk assessment process ..... 38
5.3.3 Establishing local acceptance criteria ..... 39
5.3.4 Carrying out the criticality analysis ranking ..... 40
5.3.5 Criticality analysis team and necessary documents ..... 42
6 Probability analysis ..... 44
6.1 Reliability of equipment and systems ..... 44
6.2 Reliability of safety functions ..... 48
6.2.1 Dangerous failures in safety functions ..... 48
6.2.2 Reliability of safety functions, safe failures ..... 49
6.3 Human Reliability ..... 50
6.4 System analysis and modelling ..... 51
7 Consequence analysis ..... 56
7.1 Release ..... 56
7.2 Gas dispersion ..... 58
7.3 Evaporation ..... 60
7.4 Ignition ..... 61
7.5 Fire ..... 63
7.6 Explosion ..... 68
7.7 Exposure of toxic gases ..... 74
8 SIL analyses ..... 76
8.1 Safety integrity (Yara Green Rule) ..... 76
8.2 Determination of SIL (Yara Green Rule) ..... 77
8.3 Total risk reduction for a specific event ..... 83
8.4 Examples of SIL analyses ..... 84
8.4.1 Ammonia oxidizing unit ..... 84
8.4.2 Water pipe for steam wetting ..... 87
8.4.3 Steam drum ..... 88
8.4.4 Leakage of toxic gas to process hall ..... 89
8.4.5 Fire in heavy rotating equipment ..... 90
9 Layer of Protection Analysis (LOPA) ..... 92
9.1 LOPA scenarios ..... 92
9.2 Methodology ..... 93
9.3 Example of failure data for Independent Protection Layers used in LOPA ..... 95
10 Quantitative Risk Analysis (QRA) ..... 96
10.1 When is a QRA or CQRA done ..... 97
10.2 Plant data ..... 97
10.3 Off site risk ..... 98
10.4 On site risk ..... 99
11 Failure Data relevant for Safety Functions ..... 102
11.1 Data sources ..... 102
11.2 Factors influencing the reliability ..... 102
11.3 Continuous and Demand mode operation ..... 103
11.4 SIL capability ..... 103
11.5 Presentation of the most relevant failure data for safety functions ..... 103
11.6 Sensors ..... 104
11.7 Logic solvers ..... 105
11.8 Final elements ..... 105
11.9 Safety Relief Valves ..... 107
11.10 Overview of spurious trip rate for some safety related functions ..... 107
12 Leakage data relevant for risk analyses ..... 108
13 Human reliability ..... 111
14 Risk reduction ..... 115
14.1 Inherent safety ..... 115
14.2 Risk reducing measures ..... 115
14.3 Definition of layers ..... 116
14.4 Safety functions ..... 118
14.5 Life-cycle activities ..... 124
14.6 Invariable requirements to design of safety functions ..... 124
14.7 Principles for increasing reliability of safety systems ..... 125

Yara green rules
4.2.1 Acceptance criteria in connection with risk ranking, pp 17-18
4.3 On-site risk acceptance, p 19
4.4 Off-site risk acceptance, pp 19-20
8.1 Safety integrity, pp 76-83
Table 16. Yara recommended dangerous undetected failure data for sensors, p 105
Table 17. Yara recommended dangerous undetected failure data for logic solvers, p 105
Table 19. Yara recommended dangerous undetected failure data for final elements, p 107
Table 21. Yara recommended dangerous undetected failure data for pressure relief valves, p 107
Table 28. Yara recommended dangerous undetected failure process tasks, p 114
1 Reference publications
1.1 External references to standards and guidelines
Key external references to process safety are:
1. ISO (OSHAS) 18001
2. The Seveso II directive
3. EN standards: Machine directive, EN 1050:1996, EN 620:2002; ATEX directive 94/9/EC and EN 60079-10
4. IEC 61508/61511
5. API
6. EIGA
7. NFPA
8. ISO
9. Guidelines from acknowledged organisations: EFMA, IFA, The Fertilizer Society
1.2 References to external specialist works
Some references to external specialist works, which are used in this handbook, are:
1. Norsk Hydro Handbook of Safety Risk Assessment, 2000
2. AIChE: Layer of Protection Analysis, 2001
3. AIChE: Guidelines for Process Quantitative Risk Analysis, 2000
4. Gas Explosion Handbook, http://www.gexcon.com/index.php?src=gas/gas_explosions.html
5. TNO, Yellow book, Methods for the calculation of physical effects, CPR 14E; The Hague, 1996
6. TNO, Purple book, Guideline for quantitative risk assessment, CPR 18E, 2005
1.3 Yara reference documents
The HES documents are on four levels in the Yara document hierarchy:
1. Technical and Operational Standards
2. Best Practices (BP)
3. Manuals and Reference Documents
1.4 Process Safety categorised as 12 Elements (PSE)
In Yara-TOPS 0-P04 Process safety management is categorised as 12 elements:
1. Process Safety Information
2. Process Safety Studies
3. Operating Procedures
4. Safe Work Practices
5. Modification to Process Variables and Equipment
6. Technical Safety Barriers
7. Quality control and maintenance of equipment
8. Competence and training
9. Investigation and reporting
10. Emergency planning and response
11. Pre-start up safety reviews
12. Inspection and auditing
2 Structure of Process Safety
2.1 Structure of ISO (OSHAS) 18001
The structure of ISO (OSHAS) 18001 is defined in Table 1 below.
Table 1 ISO (OSHAS) 18001 structure
Clause   Content
1        Scope
2        Reference publications
3        Definitions
4        OH&S management system elements
4.1      General requirements
4.2      OH&S policy
4.3      Planning
4.3.1    Planning for hazard identification, risk assessment and risk control
4.3.2    Legal and other requirements
4.3.3    Objectives
4.3.4    OH&S management programme(s)
4.4      Implementation and operation
4.4.1    Structure and responsibility
4.4.2    Training, awareness and competence
4.4.3    Consultation and communication
4.4.4    Documentation
4.4.5    Document and data control
4.4.6    Operational control
4.4.7    Emergency preparedness and response
4.5      Checking and corrective action
4.5.1    Performance, measurement and monitoring
4.5.2    Accidents, incidents, non-conformance and corrective and preventive action
4.5.3    Records and records management
4.5.4    Audit
4.6      Management review
2.2 ISO (OSHAS) 18001 related to Yara PSE (Process Safety Elements)
As shown in table 3 below, 16 elements of process safety can be identified from the ISO (OSHAS) 18001 structure; they are shown in italic in the table below.
Table 2 Identification of Process Safety Elements in ISO (OSHAS) 18001
ISO (OSHAS) 18001 clause (No. and Title), with the related Process Safety Element (PSE) listed beneath it where one is identified
1 Scope
2 Reference publications
3 Definitions
4 OH&S management system elements
4.1 General requirements
4.2 OH&S policy
4.3 Planning
4.3.1 Planning for hazard identification, risk assessment and risk control
      PSE 1 Process Safety Information
      PSE 2 Process Safety Studies
4.3.2 Legal and other requirements
4.3.3 Objectives
4.3.4 OH&S management programme(s)
4.4 Implementation and operation
4.4.1 Structure and responsibility
4.4.2 Training, awareness and competence
      PSE 8 Competence and training
4.4.3 Consultation and communication
4.4.4 Documentation
4.4.5 Document and data control
4.4.6 Operational control
      PSE 3 Operating Procedures
      PSE 4 Safe Work Practices
      PSE 5 Modification to Process Variables and Equipment
      PSE 11 Pre-start up safety reviews
      PSE 6 Safety Barriers
4.4.7 Emergency preparedness and response
      PSE 10 Emergency planning
4.5 Checking and corrective action
      PSE 7 Quality control and maintenance of equipment
4.5.1 Performance, measurement and monitoring
      PSE 12 Inspection and auditing
4.5.2 Accidents, incidents, non-conformance and corrective and preventive action
      PSE 9 Investigation and reporting
4.5.3 Records and records management
4.5.4 Audit
      PSE 12 Inspection and auditing
4.6 Management review
2.3 Yara documents related to ISO 18001
The relation between ISO (OSHAS) 18001 and Yara documents is described in the table below. Clauses related to process safety are in italic.
Table 3 Relation between ISO (OSHAS) 18001 and Yara steering documents
ISO (OSHAS) 18001 clause                                   Yara document
1 Scope
2 Reference publications
3 Definitions
4 OH&S management system elements                          TOPS 0
4.1 General requirements                                   TOPS 0
4.2 OH&S policy                                            TOPS 0
4.3 Planning
4.3.1 Planning for hazard identification, risk assessment and risk control   TOPS 0
4.3.2 Legal and other requirements
4.3.3 Objectives
4.3.4 OH&S management programme(s)
4.4 Implementation and operation
4.4.1 Structure and responsibility
4.4.2 Training, awareness and competence                   TOPS 1-01, 1-18
4.4.3 Consultation and communication
4.4.4 Documentation
4.4.5 Document and data control
4.4.6 Operational control                                  TOPS 0-P-08, 0-P-11; TOPS 1-01, 1-02, 1-03, 1-04, 1-05, 1-06, 1-07, 1-08, 1-09, 1-10, 1-11, 1-12, 1-13, 1-14, 1-15, 1-16, 1-17, 2-01, 2-04, 2-05, 3-01, 3-02, 3-03, 3-04, 3-05, 3-06, 3-07, 4-01, 4-02, 5-01, 5-02, 5-03, 5-04
4.4.7 Emergency preparedness and response                  TOPS 0-P-04
4.5 Checking and corrective action
4.5.1 Performance, measurement and monitoring
4.5.2 Accidents, incidents, non-conformance and corrective and preventive action   TOPS 0-P-01, 0-P-02
4.5.3 Records and records management
4.5.4 Audit
4.6 Management review
The relation between Process Safety Elements, ISO (OSHAS) 18001 clauses and Yara documents is also shown in the table below. Clauses related to process safety are in italic. It is indicated where no relevant Yara document is identified.
Table 4. The relation between ISO 18001 clauses related to process safety and Yara documents
ISO 18001 clause and title, with the Yara document no and title listed beneath it where one is identified
4.3.1 Planning for hazard identification, risk assessment and risk control
      TOPS 0-P-04   Controlling chemical risk related to personnel
      TOPS 0-P-10   Plant design, construction, modification and decommissioning
4.3.2 Legal and other requirements
4.3.3 Objectives
4.3.4 OH&S management programme(s)
4.4.1 Structure and responsibility
4.4.2 Training, awareness and competence
      TOPS 1-01     Systematic, optimal and safe operation
4.4.3 Consultation and communication
4.4.4 Documentation
4.4.5 Document and data control
4.4.6 Operational control
      TOPS 0-P-05   Product Stewardship
      TOPS 1-01     Systematic, optimal and safe operation
      TOPS 1-02     Work permits
      TOPS 1-03     Modifications / Management of change
      TOPS 1-04     Instrument-based safety functions
3 Definitions
The definitions presented below are intended to comprise terms used in Yara HES documents and handbooks.

Acceptance criteria for risk
Criteria that are used to express a risk level that is acceptable for the activity in question. Acceptance criteria may be expressed verbally or numerically.

ALARP
Principle to reduce risk As Low As Reasonably Practicable.

Accident
An unintended incident which results in injury to persons and/or damage to property, the environment or a third party, or which leads to production loss.

Availability
The proportion of time that an item is capable of operating to specification within a large time interval.

Barrier
A barrier is a device, system or action that is capable of preventing a scenario from proceeding to the undesired consequence. Preventive measures are aimed at the prevention of a LOC (loss of containment); in terms of risk such a measure is considered to reduce the probability of a LOC. Mitigating measures are aimed at minimising the consequences; in terms of risk, a mitigating measure is considered to reduce the effect.

Business Unit
In this procedure the term is used to cover all units reporting to Upstream, Downstream and Industrial management.

CAS-number
The identification number for a substance in the Chemical Abstracts Service.

Cause (failure cause, for components)
The physical or chemical processes, design defects, quality defects, partial misapplication or other processes which are the basic reason for failure or which initiate the physical process by which deterioration proceeds to failure.

Chemical agents
Any chemical element or compound used or produced in the process, including raw materials, intermediates, trade products, maintenance and auxiliary chemicals and waste.

CMR-chemicals
Carcinogenic and mutagenic chemical agents and chemicals that are toxic to reproduction.

Common cause failure
Failure which is the result of one or more events causing failures of two or more separate channels in a multiple-channel system, leading to a system failure.

Consequence
The result of the realisation of a hazard: material damage, environmental pollution, injuries, fatalities or financial loss. Consequences may be expressed verbally or numerically to define the extent of injury to humans, or of environmental or material damage.

Contractors
Persons working for contractors who are under contract to execute work for the unit, but who are not part of the unit's work force.
Control room (CR)
For the purpose of this standard, a "control room" is an area from where an operator can monitor and control a process that requires a safe shut-down and/or can execute the emergency response actions necessary to prevent accident escalation. The "control room" may be a central control room (CCR) for a complete facility or a local control room (LCR) for a local unit.

Corrective maintenance
Maintenance carried out to restore operational effectiveness after a failure.

Critical equipment
Equipment rated as critical in a criticality ranking.

Criticality ranking (for maintenance purposes)
Analysis of events and faults and the ranking of these in order of the seriousness of their consequences.

Customer
Customers of Yara are distributors of fertilizers and industrial and professional users of Yara products.

Cut set
A list of components such that if they all fail then the system is also in the failed state.

Dangerous failure
Failure which has the potential to put the safety system in a hazardous or fail-to-function state.

Demand
A condition which requires a protective system to operate.

Design accidental event
Accidental events that serve as the basis for layout, dimensioning and use of installations and the activity at large, in order to meet the defined risk acceptance criteria or according to defined deterministic scenarios.

Deterministic process safety study
A set of accidental events or scenarios representing the safety picture shall be defined. A maximum credible event shall be defined. Effective safety barriers shall prevent credible effects of the scenarios.

Diagnostic coverage
Ratio of the detected failure rate to the total failure rate of the component or system, as detected by diagnostic tests. Diagnostic coverage does not include any faults detected by proof test.

Diversity
Means that various types of equipment, technologies and functions are used to reduce the probability of common mode failure.

Down time
The time during which an item is not able to perform to specification.

Effect
The effects of an incident scenario are e.g. blast, dispersion of toxic materials, heat radiation etc.

Employees
Permanent employees of the unit and personnel on ordinary employment contracts.

Exposure
The amount, concentration or dose of a substance or physical factor to which a human population, area or environmental area is subjected.

Event
An event is an occurrence related to an accident scenario. A distinction can be made between initiating and enabling events (or enabling conditions). The initiating event is the event that starts the chain of events leading to the undesired consequence. Three types of initiating events can be distinguished:
1. External events
2. Equipment failures
3. Human failures or inappropriate actions
An enabling event or enabling condition is an event or condition that is required for the initiating event to unleash a scenario. Enabling events are neither failures nor protection layers. They are expressed as probabilities. Examples of enabling events are start-up phase, material present, ignition source present etc.

Failure rate
The number of failures of an item (component, system) per unit time.

Fatal accident rate (FAR)
The number of deaths that have occurred or are predicted to occur in a defined group, in a given environment, during 10^8 hours of operation.

Fault tolerance
Ability of a functional unit to continue to perform a required function in the presence of faults or errors.

Fault tree analysis
A graphical method of modelling a system failure using AND and OR logic in tree form.
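As an added illustration of the "Cut set" and "Fault tree analysis" entries (example code written for this edit, not part of the handbook), the following evaluates a small constructed fault tree: it derives the minimal cut sets from the AND/OR gate logic, computes the exact top-event probability under the independence assumption that a common cause failure would violate, and compares it with the rare-event upper bound. The tree, event names and probabilities are hypothetical.

```python
"""Added example, not from the handbook: a small fault-tree evaluator that
demonstrates the glossary entries "Fault tree analysis" (AND/OR gate logic)
and "Cut set" (a set of components whose joint failure fails the system).
The tree, the event names and the failure probabilities are constructed for
this example; they are not Yara data."""
from itertools import product

# Gate name -> (gate type, inputs). Inputs are other gates or basic events.
# Constructed scenario: the top event occurs if pressure rises AND the
# protection (instrumented trip AND relief valve) fails to act.
FAULT_TREE = {
    "TOP":              ("AND", ["PRESSURE_RISE", "PROTECTION_FAILS"]),
    "PRESSURE_RISE":    ("OR",  ["CONTROL_VALVE_STUCK", "OPERATOR_ERROR"]),
    "PROTECTION_FAILS": ("AND", ["TRIP_FAILS", "RELIEF_VALVE_FAILS"]),
    "TRIP_FAILS":       ("OR",  ["SENSOR_FAILS", "LOGIC_FAILS",
                                 "SHUTDOWN_VALVE_FAILS"]),
}

# Probability that each basic event is in the failed state when demanded
# (constructed values, chosen only to keep the arithmetic easy to follow).
BASIC_EVENT_PROB = {
    "CONTROL_VALVE_STUCK": 0.1,
    "OPERATOR_ERROR": 0.05,
    "SENSOR_FAILS": 0.01,
    "LOGIC_FAILS": 0.001,
    "SHUTDOWN_VALVE_FAILS": 0.02,
    "RELIEF_VALVE_FAILS": 0.01,
}


def cut_sets(tree, node):
    """All cut sets of `node`, as frozensets of basic events.

    OR gate: the output fails if any input fails, so take the union of the
    inputs' cut sets.  AND gate: every input must fail, so merge one cut set
    from each input for every combination of them.
    """
    if node not in tree:                      # leaf = basic event
        return {frozenset([node])}
    gate, inputs = tree[node]
    child_sets = [cut_sets(tree, child) for child in inputs]
    if gate == "OR":
        return set().union(*child_sets)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate type {gate!r}")


def minimal_cut_sets(tree, node="TOP"):
    """Cut sets that contain no proper subset which is itself a cut set."""
    sets = cut_sets(tree, node)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def top_event_probability(tree, probs, node="TOP"):
    """Exact probability of `node` by gate logic, assuming independent basic
    events and no event appearing under more than one branch.  A common
    cause failure (see glossary) breaks exactly this independence assumption."""
    if node not in tree:
        return probs[node]
    gate, inputs = tree[node]
    p_inputs = [top_event_probability(tree, probs, child) for child in inputs]
    if gate == "AND":
        result = 1.0
        for p in p_inputs:
            result *= p
        return result
    # OR gate: P(at least one input fails) = 1 - prod(1 - p_i)
    survive = 1.0
    for p in p_inputs:
        survive *= 1.0 - p
    return 1.0 - survive


def rare_event_approximation(mcs, probs):
    """Upper bound on the top-event probability: the sum over minimal cut
    sets of the product of their event probabilities."""
    total = 0.0
    for cut in mcs:
        term = 1.0
        for event in cut:
            term *= probs[event]
        total += term
    return total


if __name__ == "__main__":
    mcs = minimal_cut_sets(FAULT_TREE)
    for cut in mcs:
        print("minimal cut set:", " AND ".join(sorted(cut)))
    print("exact P(TOP)    :", top_event_probability(FAULT_TREE, BASIC_EVENT_PROB))
    print("rare-event bound:", rare_event_approximation(mcs, BASIC_EVENT_PROB))
```

With the constructed values the tree has six minimal cut sets of three events each, an exact top-event probability of about 4.46e-5, and a rare-event bound of 4.65e-5.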
First-aid injury (FAI)
Injury at work requiring first aid treatment only, before the injured person resumes normal work.

F-N curve
A plot showing, for a specified hazard, the frequency of all events causing a stated degree of harm to N or more people, against N.

General equipment
Equipment rated as general in a criticality ranking.

Hazardous chemical
Any chemical agent which meets the criteria for classification as a dangerous substance or preparation according to national legislation, except those only meeting the criteria for danger to the environment (i.e. explosive, oxidizing, extremely flammable, highly flammable, flammable, very toxic, toxic, harmful, corrosive, irritating, sensitising, carcinogenic, mutagenic, toxic to reproduction).

Hazard identification
A study carried out to identify risks in the process by ranking of frequency and consequence.

Hazardous liquids and gases
Chemicals which under the stored conditions are liquids or gases, and that fall within the categories given in the EU Council Directive 96/82/EC (SEVESO directive), annex 1 part 1 or part 2, or are classified as corrosive.

HAZOP (HAZard and OPerability study)
A study carried out by the application of guide-words to identify all deviations from design intent with undesirable effects for safety or operability.
Hired personnel
Personnel from other units or companies that are under contract to work full or part time in a position for the Yara unit, and are considered to be part of the work force.

Important equipment
Equipment rated as important in a criticality ranking.

Incident
A sudden work-related accident or near miss, or a security breach, sustained in service. An injury or near-miss injury 'in service' means that the incident occurs:
- on company property or on property under Yara operational management
- within agreed working hours
- on an approved business trip
- on an approved training course, meeting, work assignment, entertaining business associates, etc.
- on a social event arranged by the employer.

Individual risk criteria
Criteria related to the likelihood with which an individual may be expected to sustain a given level of harm from the realisation of specified hazards.

Inherent safety principle
Limit the hazard by minimizing the amount of hazardous material or processes, substituting with less dangerous material, moderating the process conditions and simplifying the equipment and process, when possible.

Leakage
The term leakage used in risk analyses consists of rupture, major leakage and minor leakage. For piping/pipelines, rupture means full bore rupture, major leakage means a leak area of 1/10 of a full bore rupture, and minor leakage means a leak area of 1/100 of a full bore rupture. For large pipes and pipelines, a major leak is usually limited to 50 mm. Minor leakage then means 1/10 of that of a major leakage. For tanks and vessels, the failure mode rupture means a failure resulting in the sudden release of their entire contents, while the failure mode major leakage means a circular hole of diameter 50 mm. Minor leakage means 1/10 of that of a major leakage.

LOPA (Layer of protection analysis)
Layer of protection analysis (LOPA) is a semi-quantitative tool for analysing and assessing risk. LOPA is a simplified form of risk assessment, as typically "order of magnitude" categories for initiating event frequencies, consequence severity and the likelihood of failure of independent protection layers (IPLs) are taken into account. Using this information, the risk of a scenario is assessed. The method thus falls in between qualitative methods like HAZOP, What-If or FMEA and a quantitative method like QRA.

Loss of containment (LOC)
Loss of containment is the top event in a scenario that one aims to prevent from occurring. Examples of LOC are spill of materials, heat radiation, melting of (electrical) isolation.

Lost-time injury (LTI)
Injury at work leading to unfitness for work and absence beyond the day of the incident.

Maintainability
Reliability
The probability that an item will perform a required function, under the stated conditions, for a stated period of time. Since observed reliability is empirical, it is defined as the ratio of items which perform their function for the stated period to the total number in the sample.

Reliability centred maintenance
The application of quantified reliability techniques to optimising discard times, proof test intervals and spares levels.

Residual risk
The risk remaining after implementing protective measures. It is the residual risk which is estimated in a risk analysis.

Restricted work case (RWC)
Injury at work that does not lead to absence after the day of the incident, because of alternative job assignment.

Risk
The probability of specific adverse consequences. Risk can thus be considered as a function of probability and consequences, and describes the chance of realisation of a hazard.

Risk analysis
A systematic approach for describing and/or calculating risk. Risk analysis involves the identification of potential undesired events, and the causes and consequences of these events.

Risk assessment
The process of choosing risk analysis technique(s), applying risk acceptance criteria and drawing conclusions on the need for risk evaluation.

Risk contour
Lines that connect points of equal risk around the facility (iso-risk lines).

Risk evaluation
The process of comparing the results of a risk analysis with risk acceptance criteria and drawing conclusions on the need for risk reduction.

Risk management
A decision-making process where decisions for risk reduction are based on risk analysis and risk evaluation.

Risk matrix
Matrix for risk acceptance. On the horizontal axis are probabilities of occurrence of accidents; on the vertical axis are consequences.

Safe failure
Failure which does not have the potential to put the safety system in a hazardous or fail-to-function state.

Safety critical failure
Failure of equipment which is part of a safety system, and whose error disables the safety function so that it cannot be carried out when needed.

Safety data sheet
A document consisting of HES information following a prescribed national or international format as determined by specific legislation governing the labelling, handling and use of chemical substances and chemical-based products.

Safety function
Function to be implemented by a safety system, which is intended to achieve or maintain a safe state for the process with respect to a specific hazard.
Safety integrity: Average probability of a safety related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time.
Safety life cycle: Necessary activities involved in the implementation of safety functions, occurring during a period of time that starts at the concept phase of a project and finishes when all of the safety functions are no longer available for use.
Safety management: Systematic measures undertaken by an organisation in order to attain and maintain a level of safety that complies with defined objectives.
Safety unavailability (SU): SU = 1 - SI (Safety Integrity).
Security breach: Incidents which are illegal acts that, intentionally or by accident, harm Yara's personnel, property, operations, transport or other interests.
Shut down: Unexpected stop of equipment. Shut downs are either spurious or real.
Sick leave: All absence that is authorized by a doctor's certificate or by legitimate self-declaration. Sick leave does not include carer's leave or maternity leave. Sick leave is recorded in the unit in which the hours worked are recorded.
Side-on pressure: The pressure that would be recorded on the side of a structure parallel to the blast.
SIL (Safety Integrity Level, according to the standards IEC 61508 / 61511): Discrete level (three normally in use in the process industry, 1 lowest, 3 highest) for safety integrity.
Site: Production plant, terminal, warehouse, office.
SJA: Safe job analysis.
Societal risk: The relationship between frequency and the number of people suffering from a specified level of harm in a given population from the realisation of specified hazards.
Societal risk criteria: Criteria related to the likelihood of a number of people suffering from a specified level of harm in a given population from the realisation of specified hazards.
Substandard practice and substandard condition (unsafe act and unsafe condition): A substandard practice (also called unsafe act) refers to a behaviour deviating from an accepted standard, e.g. not following the procedure when carrying out a work task. A substandard condition (also called unsafe condition) refers to a condition which deviates from an accepted standard, e.g. an inadequate guard on machinery.
Technical safety: Risk reduction by use of technology. By technology is here meant technological knowledge and technical systems.
TNT equivalency model: An explosion model based on the explosion of a thermodynamically equivalent mass of TNT.
Top event: The selected system outcome whose possible causes are analysed in a fault tree.
Transport information: The transport of goods and products is regulated according to international and national legislation and agreements. An assessment has to be made as to whether a particular product is classifiable as dangerous goods or not. If a product is classifiable, then specific transport information has to be entered into the appropriate Yara product SAP database administered by Yara Operational Shared Services (OSS) before the product can be transported either by road, rail, sea/waterways, or air. In addition, it is a legal requirement worldwide that appropriate safety documents are prepared containing safety information about the product to be transported. These documents must accompany the shipment and must be written in the appropriate language(s) as stipulated in the international transport regulations.
Tremcard: Transport emergency information which is legally required to be issued to a transporter of dangerous goods on road, and which shall be available with the driver of the vehicle under Yara's management.
Trip: As Shut Down.
Watchdog: Combination of diagnostics and an output device (typically a switch) for monitoring the correct operation of the programmable electronic device and taking action upon detection of an incorrect operation.
Wind rose: A plan view diagram that shows the percentage of time the wind is blowing in a particular direction.
Worst credible incident: The most severe incident, considering only incident outcomes and their consequences, of all identified incidents and their outcomes, that is considered plausible or reasonably believable.
Worst possible incident: The most severe incident, considering only incident outcomes and their consequences, of all identified incidents and their outcomes.
4 Risk, risk analyses and safety studies
4.1 Risk identification and risk ranking
Risk identification and (rapid) risk ranking can be performed by use of a risk matrix, where the identified risks are ranked as low, medium and high, as shown in the section describing risk acceptance criteria.
Risks can also be identified by use of check-lists, as described in a subsequent section.
4.2 Risk acceptance criteria
The consequences from accidents can be categorized as:
On-site consequences
  Fatality of plant personnel
  Personal injury to plant personnel
  Equipment damage
  Product quality damages
  Business interruption
Off-site consequences
  Death or injury for living beings in the nearby community
  Property damage
  Business interruption
Environmental consequences
  Contamination and damage to nature
The challenges in a risk evaluation of safety functions are:
  To study what are the events that can result in unwanted consequences,
  To estimate the frequency at which they are likely to occur, and
  To decide how to prevent or mitigate them.
It is possible to design redundancies and multiple independent layers of protection in
order to bring the risk to a negligible level. However, it should be remembered that
business is about the bottom line, and risk reduction costs money. So a tolerable level of
risk should be accepted.
4.2.1 Acceptance in connection with risk ranking
For risk ranking, the risk matrix and the consequence class definitions (Tables 7 and 8, shown below) are used as guidelines for acceptance of on-site risk. Risk ranking is used both for on-site and off-site risk.
Table 5 Yara Risk Matrix
Frequency classes (horizontal axis):
  5 VERY FREQ.      > 10 / yr
  4 FREQUENT        > 1 / yr
  3 PROBABLE        > 10^-1 / yr
  2 LOW PROB.       > 10^-2 / yr
  1 UNLIKELY        > 10^-3 / yr
  0 MOST UNLIKELY   < 10^-3 / yr
Consequence classes (vertical axis):
  5 CATASTROPHIC
  4 CRITICAL
  3 DANGEROUS
  2 SOME DANGER
  1 MINOR DAMAGE
Risk bands (matrix cells): HIGH RISK, MEDIUM RISK, LOW RISK
Table 6 Consequence class definitions
CATASTROPHIC (5)
  HES (people): Several fatalities
  Environment: Damage with recovery time more than 5 years
  Material values: Major plant damage, complete demolition of plant
  Cost: > 10M
  External reaction: International public attention
  Quality / production: Production cessation
CRITICAL (4)
  HES (people): One fatality
  Environment: Damage with recovery time less than 5 years
  Material values: Major damage to equipment, break-down of main process equipment like reactors, crackers, pipelines etc.
  Cost: < 10M
  External reaction: Evacuation of neighbourhood required; national public attention
  Quality / production: Major quality or production loss
DANGEROUS (3)
  HES (people): Permanent injury
  Environment: Damage with recovery time less than 2 years
  Material values: Considerable damage to equipment, ruptures etc.
  Cost: < 1M
  External reaction: Warning of neighbourhood required; local public attention
  Quality / production: Considerable quality or production loss
SOME DANGER (2)
  HES (people): Medical treatment
  Environment: No durable damages
  Material values: Minor damage to equipment, fire with limited extent, emission of toxic, flammable or hot substances etc.
  Cost: < 0.1M
  External reaction: Release causing unpleasant smell outside site area
  Quality / production: Small quality or production loss
MINOR DAMAGE (1)
  HES (people): First aid
  Environment: Insignificant damage
  Material values: Insignificant damage, small emission of water, air, nitrogen, steam etc.
  Cost: < 10.000
  External reaction: No external reaction
  Quality / production: No quality or production loss
Typical areas where the risk matrix is recommended for use are shown in the table
below.
Table 7 Typical areas where the risk matrix is recommended for use
1. Identification of safety critical parts in
   production system
   process unit
   main equipment
2. Identification of risk in fertilizer storages
   fire
   explosion
   decomposition
3. Identification of risk from process equipment, pipes and pipelines
   leakage
   fires
   explosions
   toxic gas release
4. Identifying needs for safety barriers
   preventive: instrument based
   mitigating: safety relief devices, gas detection, fire extinguishing, fire walls / cells, bunds
5. Application on technical installations
   fire cells
   fire detection
A form for reporting risk ranking is shown in the table below.
Table 8 Form for reporting risk ranking
Columns: Ref | Event (Cause, Description) | Probability (0-5) | Consequence (1-5) | Comments
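The classification behind Tables 5, 6 and 8 as an added example, not a tool from the handbook: the frequency-class and cost thresholds are those printed in the tables, while the LOW / MEDIUM / HIGH banding of the matrix cells and the rule that the most severe consequence column governs are assumptions, because the colour-coded cells of the matrix are not reproduced in this text.

```python
"""Risk ranking with the frequency and consequence classes of Tables 5 and 6.

Added example, not the handbook's own tool. The frequency-class and cost
thresholds are those printed in Tables 5 and 6; the LOW / MEDIUM / HIGH banding
of the matrix cells and the rule "overall class = most severe column" are
ASSUMPTIONS made here, because the colour-coded cells of Table 5 are not
reproduced in the text.
"""
from dataclasses import dataclass
from typing import Optional

# Table 5 frequency classes: (lower bound in events per year, class, label).
# Anything at or below 10^-3 per year is class 0, "MOST UNLIKELY".
FREQUENCY_CLASSES = [
    (10.0, 5, "VERY FREQ."),
    (1.0, 4, "FREQUENT"),
    (1e-1, 3, "PROBABLE"),
    (1e-2, 2, "LOW PROB."),
    (1e-3, 1, "UNLIKELY"),
]

# Table 6, HES (people) column: descriptor -> consequence class.
PEOPLE_CLASSES = {
    "several fatalities": 5, "one fatality": 4, "permanent injury": 3,
    "medical treatment": 2, "first aid": 1,
}

# Table 6, material values cost column: (upper bound, class).
# Costs of 10M or more fall in class 5, CATASTROPHIC.
COST_CLASSES = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]


def frequency_class(events_per_year: float) -> int:
    """Map an estimated frequency to the 0..5 probability class of Table 5."""
    for lower_bound, cls, _label in FREQUENCY_CLASSES:
        if events_per_year > lower_bound:
            return cls
    return 0


def cost_class(cost: float) -> int:
    """Map a material-value loss (same currency unit as Table 6) to class 1..5."""
    for upper_bound, cls in COST_CLASSES:
        if cost < upper_bound:
            return cls
    return 5


def consequence_class(people: Optional[str] = None, cost: Optional[float] = None) -> int:
    """Overall class 1..5. ASSUMPTION: the most severe column governs."""
    classes = [1]
    if people is not None:
        classes.append(PEOPLE_CLASSES[people.lower()])
    if cost is not None:
        classes.append(cost_class(cost))
    return max(classes)


def risk_band(freq_cls: int, cons_cls: int) -> str:
    """LOW / MEDIUM / HIGH. ASSUMED banding (not the handbook's): sum of classes."""
    score = freq_cls + cons_cls
    if score >= 7:
        return "HIGH RISK"
    if score >= 5:
        return "MEDIUM RISK"
    return "LOW RISK"


@dataclass
class RankedEvent:
    """One row of the Table 8 reporting form."""
    ref: str
    event: str
    cause: str
    probability: int      # 0-5
    consequence: int      # 1-5
    risk: str
    comments: str = ""


def rank_event(ref, event, cause, events_per_year, people=None, cost=None, comments=""):
    """Fill one Table 8 row from a frequency estimate and the worst consequence columns."""
    p = frequency_class(events_per_year)
    c = consequence_class(people, cost)
    return RankedEvent(ref, event, cause, p, c, risk_band(p, c), comments)


# Constructed sample rows (illustrative numbers, not handbook or plant data).
SAMPLE = [
    rank_event("1", "Fire in CAN storage", "Hot work near product",
               events_per_year=0.05, people="medical treatment", cost=250_000),
    rank_event("2", "AN storage explosion", "Decomposition from contamination",
               events_per_year=2e-2, people="several fatalities", cost=5e7),
    rank_event("3", "Small steam leak at tap point", "Gasket failure",
               events_per_year=0.5, people="first aid", cost=2_000),
]
```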
4.3 On-site risk acceptance (Yara Green Rule)
For on-site risk acceptance, the control room criterion applies.
Control rooms, office buildings etc.: For any control room, office or other building on site where people normally will be present, the aggregate probability of accidents occurring at the facility which will cause destruction beyond repair and / or multiple fatalities inside the building should not exceed 10^-4 per year.
4.4 Off-site risk acceptance (Yara Green Rule)
Off-site risk can be presented in two forms: individual risk and societal risk. The individual risk is defined as the chance that a person staying permanently at a fixed location is killed as a result of an accident. Guidelines for acceptance are presented below.
1 Societal risk, related to F / N curves
The societal risk describes the frequency of an accident that causes N or more fatalities (F / N curves). The limits for societal risk are set at f = 10^-3 / N^2 as a guideline. For example, this means that accidents causing 20 or more fatalities should not exceed 2.5 x 10^-6 per year.
Figure 1 Societal risk, F / N curve
2 Individual risk
No single residential area or public assembly area should be exposed to fatal exposure levels caused by major accidents at the site with a frequency greater than 10^-5 per year.
It should be remembered that this is the total risk exposure from the plant, and it cannot be directly applied to risks from single scenarios.
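The three Green Rule criteria applied to a constructed set of scenarios, as an added example (not the handbook's own tool): it reproduces the N = 20 case above and shows why the F / N check, like the individual risk check, must be made on the summed frequency rather than scenario by scenario. Scenario names and numbers are constructed.

```python
"""Checking a scenario set against the Yara Green Rule acceptance criteria.

Added example, not the handbook's own tool. The limits are those of sections
4.3 and 4.4: control room criterion 10^-4 per year (aggregate), societal risk
F(N) <= 10^-3 / N^2, individual risk 10^-5 per year (total from the plant).
The scenario list is constructed for illustration.
"""
from dataclasses import dataclass

CONTROL_ROOM_LIMIT = 1e-4      # per year, aggregate over all scenarios
INDIVIDUAL_RISK_LIMIT = 1e-5   # per year, total exposure of one public area


def societal_risk_limit(n_fatalities: int) -> float:
    """Guideline frequency for N or more fatalities: f = 10^-3 / N^2."""
    if n_fatalities < 1:
        raise ValueError("N must be at least 1")
    return 1e-3 / n_fatalities ** 2


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float               # events per year
    fatalities: int                # off-site fatalities N if the event occurs
    destroys_control_room: bool    # destruction beyond repair / multiple fatalities inside
    reaches_public_area: bool      # fatal exposure level at a residential or public area


def fn_curve(scenarios):
    """Cumulative F(N): frequency of N or more fatalities, one point per distinct N."""
    ns = sorted({s.fatalities for s in scenarios if s.fatalities > 0})
    return {n: sum(s.frequency for s in scenarios if s.fatalities >= n) for n in ns}


def societal_risk_exceedances(scenarios):
    """Points of the F/N curve that lie above the 10^-3 / N^2 guideline."""
    return {n: f for n, f in fn_curve(scenarios).items() if f > societal_risk_limit(n)}


def control_room_ok(scenarios) -> bool:
    """Section 4.3: aggregate frequency of building destruction / multiple fatalities."""
    total = sum(s.frequency for s in scenarios if s.destroys_control_room)
    return total <= CONTROL_ROOM_LIMIT


def individual_risk_ok(scenarios) -> bool:
    # Section 4.4: the limit applies to the total exposure from the plant,
    # so frequencies are summed, never compared scenario by scenario.
    total = sum(s.frequency for s in scenarios if s.reaches_public_area)
    return total <= INDIVIDUAL_RISK_LIMIT


# Constructed scenarios (illustrative numbers, not plant data).
SCENARIOS = [
    Scenario("Ammonia storage tank rupture", 2e-6, 20, False, True),
    Scenario("Ammonia loading hose failure", 4e-6, 2, False, True),
    Scenario("AN storage explosion", 1e-6, 30, True, True),
    Scenario("Feed gas explosion", 5e-5, 3, True, False),
]


def evaluate(scenarios):
    """All three criteria in one report."""
    return {
        "control_room_ok": control_room_ok(scenarios),
        "individual_risk_ok": individual_risk_ok(scenarios),
        "societal_exceedances": societal_risk_exceedances(scenarios),
    }


if __name__ == "__main__":
    # The worst single scenario (tank rupture, 2e-6 /yr at N = 20) is inside the
    # 2.5e-6 /yr guideline on its own; the cumulative F(20) of 3e-6 /yr is not.
    print(evaluate(SCENARIOS))
```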
5 Hazards and consequences related to production activities
The production processes are highly automated and controlled from control rooms.
Dangerous substances are handled in a safe way. But hazards are present since large
quantities are involved, often under high pressure or high temperatures.
Characteristics for the most important production methods are shown in the table below.
Table 10 Characteristics for the most important production methods
Ammonia production: Based on hydrocarbons. High pressure and temperature. Large amounts of ammonia stored and transported.
Nitric acid production: Based on ammonia. High pressure and temperature.
Ammonium nitrate production: Based on ammonia and nitric acid. Reactors, heaters and tanks with temperature close to the stability point. Large explosion potentials.
CAN production: Based on ammonium nitrate and fillers. Stable substance.
NPK production: Based on nitric acid or phosphoric acid and nutrient salts. Decomposition due to operational failure can cause large toxic releases.
CN production: Based on nitric acid, ammonia and calcium. Decomposition due to operational failure can cause large toxic releases.
The production activities, associated hazards and consequences are shown in the table below. The hazards are of five categories, with regard to risk and safety studies:
  Fire
  Explosion
  Toxic release
  Decomposition
  Production shut down
Production shut down is not listed as a hazard in the table for the different production processes, but it is a following effect of all hazards.
Consequences can be divided into the following categories:
  Internal, affecting employed and hired people, assets and production regulation
  External, affecting external people, environment and businesses outside the site
High internal or external consequences can cause fatalities, lasting environmental effects and large economic losses due to production shut down.
Hazards and possible consequences for different production activities are shown in the table below.
Table 11 Production activities, storages, hazards and possible consequences
Production activity and storage | Hazard | Possible consequences
Ammonia
  Feed gas transport | Fire, explosion | Internal, high
  Feed gas storage | Fire, explosion | Internal, high
  Production plant incl. noble gas, metals | Fire, explosion, toxic release | Internal, high
  Ammonia pipeline, loading | Toxic release | External, high
  Ammonia storage tanks | Toxic release | External, high
  Ammonia transport | Toxic release | External, high
Nitric Acid
  NA production plant, incl. N2O4 | Fire, explosion, toxic release | Internal
  NA tanks | Toxic release | Internal
  NA and N2O4 transport | Toxic release, N2O4 explosion | External, high
Ammonium Nitrate (AN)
  AN plant | Fire, explosion | Internal, high
  AN tanks | Toxic release | Internal
  AN storages | Explosion | External, high
  AN transport | Explosion | External, high
CAN
  CAN production | Fire | Internal
  CAN storage | Decomposition and toxic release | Internal
  CAN transport | Decomposition and toxic release | External
NPK
  NPK production plants | Fire, explosion, toxic release | Internal
  NPK storage | Decomposition and toxic release | External
  NPK transport | Decomposition and toxic release | External
  Phosphoric acid production | Toxic release | Internal
  Phosphoric acid tanks | Toxic release | Internal
  Sulphuric acid tanks | Toxic release | Internal
CN
  CN production plant | Fire, explosion | Internal
  CN storage | Fire, decomposition and toxic release | Internal
  CN transportation | Fire, decomposition and toxic release | Internal
Urea
  Urea production plants | Fire, explosion | Internal
  Urea storage | No |
  Urea transport | No |
Power, Control, Utilities, Buildings, Conveyor belts
  Power generation, distribution | Fire, explosion, production shut down | Internal, high
  Control systems | Fire, explosion, production shut down | Internal
  Steam generation | Fire, explosion, production shut down | Internal
  Buildings, structures | Fire | Internal, high
  Conveyor belts | Fire | Internal, high
Others
  CO2 production | Toxic release | Internal
  CO2 tanks | Toxic release | Internal
  CO2 transport | Toxic release |
  Salt of hartshorn
  Coating tanks | Fire | Internal
  Loading stations, formic acid, nitric acid | Toxic release | Internal
5.1 Hazard identification by Check Lists
The purposes of checklists are:
  Identify hazards
  Identify and check protection
  Stand alone tool for
    audits
    safety inspections
    small plants
  Support tool for identifying hazards and needs for protection in
    HAZOP
    Safe Job Analyses
  Preliminary mapping (for further risk studies) of
    hazards
    safety critical parts of process plants
5.1.1 Simple Check-List
The table below shows a simple check-list.
Table 12 Simple checklist
Hazards | Possible impact (only acute impact on people considered)
1. Collision | people, material values
2. Falling
   A. on the same level | people, material values
   B. to a lower level | people, material values
   C. stumbling | people
3. Hitting against something | people, material values
4. Squeezing, pinching | people
5. Impact
   A. from moving object | people, material values
   B. flying object, fragment | people, material values
6. Contact
   A. with sharp object | people
   B. with electric conductor | people
   C. with hot surface / fluid | people
   D. with dangerous chemical (fluid) | people
   E. with corrosive chemicals | people
7. Exposure
   A. to dangerous gas, smoke | people
   B. to steam | people
   C. to dust | people
   D. to dangerous light | people
8. Choking (reduced oxygen content) | people
9. Drowning | people
10. Fire, explosion | people, material values
11. Radiation | people
12. Crime | people, material values
13. Biological threats | people
14. Flooding | environment, material values
15. Landslide, avalanche | environment, material values
16. Release
   A. of chemical dangerous for environment | environment
   B. of oil | environment
   C. of dust | environment
17. Collapsing | material values
18. Late delivery | material values
5.1.2 Comprehensive checklist
A comprehensive checklist is shown below. The checklist is divided into the following nine categories:
1. Materials
2. Material Handling
3. Storage
4. Reactions
5. Equipment
6. Instrumentation
7. Pressure Relief
8. Utility Systems
9. Fire Protection
Under each category several "Items" are listed in the left column with "Subjects to be investigated" in the right column. In some cases several items are to be checked against the same group of subjects. Each item in the left column should be checked against each subject in the right column of the same row.
Table 13 Comprehensive checklist
(Category / item, followed by the subjects to be investigated)

1. Materials
   Items: Raw materials; Intermediate materials; End products; By-products; Waste
   Subjects: Toxicity, flammability; Reactions, decompositions; Corrosiveness; Long-term storage behaviour; Total amount, possible reductions

2. Material handling
   Items: Transport, container; Pumping; Road/rail transport; Ship transport
   Subjects: Overfilling protection; Spill collection; Leak detection; Cleaning/inspection; Procedures
   Crane handling: Dropped load and potential targets
   Conveyor belts: Stop devices, guards

3. Storages
   Items: Storage tanks; Dikes; Storage halls; Silos
   Subjects: Overfilling protection; Fire protection; Explosion venting; Inerting/purging/blanketing; External mech. impact; Cleaning/inspection; Freezing/overheating; Deterioration of contents; Unintentional mixing

4. Reactions
   Items: Hazardous reactions; Combustible mixtures; Runaway reactions
   Subjects: Wrong materials/contaminants; Wrong proportions; Deviation of process parameters; Unknown kinetics; Pump/agitator failure; Flow blockage; Isolation to stop reaction; De-pressuring/draining to stop reaction

5. Equipment
   Items: Vessels; Columns; Heat exchangers; Piping; Ducts; Valves; Machinery
   Subjects: Design, size; Material selection (corrosion); Over pressure protection; Level, temperature protection; Reverse flow protection; Emergency isolation (remotely); Emergency de-pressuring (remotely); Vent and drain possibilities; Isolation for maintenance; Potential leaks: glass components, small-bore connections; Inspection and maintenance; Compliance with codes; Certificates
   Piping: Thermal stresses, movement, support, freeze protection, flushing
   Valves: Maintenance: accessibility, bypass and isolation; Fail safe in case of power failure; Function testing; Interlock against unintentional opening/closing
   Heat exchanger: Tube rupture protection
   De-super-heater: Too much/too little cooling liquid flow
   Rotating machinery: Mechanical de-coupling from piping; Safety margin to critical speed; Reverse flow protection; Surge protection (minimum flow); Reaction to sudden power failure/trip; Maintenance: isolation, start-up of

6. Instrumentation
   Items: Sensors; Signal transmission; Signal processing; Status display; Alarms; Automatic actions; Actuators; Power supply
   Subjects: Function separation (survey, process control, safety); Common cause failures; Redundant systems; Redundant power supplies; Fail safe principle; Spurious trips; Temporary non-availability (repair/calibration); Environmental effects; Classification for hazardous area; Man-machine interface; Procedures for commissioning, operation, maintenance; Reset of trip bypass; Tagging, documentation; Logic charts (cause/effect)

7. Pressure relief
   Items: Relief valves; Vacuum breakers; Rupture disc; Liquid seals
   Subjects: Installed where required, e.g. on all sections/vessels that can be over-pressurised by equipment malfunction or operator error; Sizing criteria; Safe discharge without personal exposure; Blocking by solids (ice, sediments); Drain points in discharge lines; Maximum back pressure in flare system; Maintenance: testing, repair, written procedure, interlock; Redundancy: spare device
   Liquid seals: Procedure for checking liquid level

8. Utility systems
   Items: Electric power; Steam; Cooling medium; Heating medium; Air (instrument + plant); Chemicals
   Subjects: Reliability of supply; Normal load/emergency load; Consequences of failure of one utility; Common cause failures; Consequences of failure of several utilities; Fail safe principle; Start-up/shut down; Maintenance/repair without process interruption
   Electric power: Potential ignition source; Classified equipment in hazardous areas
   Steam: Thermal isolation of hot piping; Freeze protection of dead legs; Risk for burns at tap points; Tube ruptures in heat exchangers (pressure/contamination)
   Cooling medium: Tube ruptures in heat exchangers; Freeze protection (if water)
   Chemicals: Maximum delivery pressure relative to design pressure of section into which chemical is injected; Back flow protection; Isolation in emergency

9. Fire protection
   General measures: Reduce inventory of flammables; Avoid leaks; Avoid ignition sources; Prevent fire propagation; Limit heat load from design fire by spacing; Provide easy access for fire fighting
   Water main: Security of supply (pond, sea, public); Two independent routes of supply; Sectioned ring main; Capacity related to maximum demand scenario; Freeze protection; Low pressure alarm; Procedure for regular testing, including pumps; Pumps protected from fire/explosion; Pump redundancy, inclusive drive and power supply
   Hydrants: Number and location; Maximum distance to object: hose length limitations; Minimum distance to object: heat load
   Sprinklers: Number and location; Hazard category: low/medium/high; Capacity (mm/min = l/m2 min) according to hazard category
   Water spray cooling: Pressurised storage of flammables; Important structural members; Water impact on all heat exposed sides; Capacity (l/m2 s) according to heat flux in maximum scenario
   Foam systems, Water mist systems, Nitrogen / inergen systems, Dual agent systems, Portable systems: Number, type, location; Capacity; Maintenance procedures; Test procedures
   Fire detectors: Number, type, location; Reliability (function on demand); Spurious trips due to open flames, sunlight; Voting logic
   Manual alarms, Alarm system: Number, location; Visual/acoustic alarm in Central Control Room (CCR); Visual/acoustic alarm in plant; Communication CCR/plant and vice versa; Public address system; Telephone, UHF radio; External assistance
   Fire proofing: Important structural members potentially exposed to gas fires, liquid pool fires, and sufficient height above ground. Insulation sufficient to limit steel temperature to < 450 C in maximum duration fire
   Liquid drain: Drained away escaped flammable liquid from hazardous area
5.2 Hazard and Operability Studies (HAZOP)
This chapter describes HAZOP. The hazard analysis and critical control points
(HACCP) [Council Directive No 93/43/EEC9] for food processing is a similar
approach. This is not described in this chapter.
The basic concept of a HAZOP study is to identify hazards which may arise within a specific system or as a result of system interactions with an industrial process. This requires the expertise of a number of specialists familiar with the design and operation of the plant. The team of experts systematically considers each item of the plant, applying a set of guidewords to determine the consequences of operating outside the design intentions. Because of the structured form of a HAZOP, it is necessary that a number of terms be clearly defined, as in the table below.
Table 14 HAZOP terms
Cause: Reasons why a deviation might occur.
Consequence: Result of a deviation.
Deviation: Departure from the design intentions, discovered by systematic application of the guidewords.
Hazard: Consequence which can cause damage, injury or loss.
Guideword: Simple word used to qualify the intention and hence the deviation.
Node: In a process the main mode of operation can be examined by working downstream through the plant a node at a time. A node could be a line connecting vessels; it may incorporate a simple vessel such as a heat exchanger. It could be a vessel itself, particularly where some significant process change occurs in the vessel.
Parameter: Variable, component or activity referred to in the study.
The list of the guidewords is shown in the table below.
Table 15 Explanation of Guidewords
Guideword Explanation
No / Not No flow, pressure, etc.
More High flow, high pressure, etc.
Less Low flow, low pressure, etc.
As well as Material in addition to the normal process fluids.
Part of A component is missing from the process fluid.
Reverse Reverse flow of process fluids.
A list of possible parameters is in the table below:
Table 16 Possible HAZOP parameters
Flow, Pressure, Temperature, Mixing, Stirring, Transfer, Level, Viscosity, Reaction, Composition, Addition, Separation, Time, Phase, Speed, Particle size, Measure, Control, pH, Sequence, Signal, Start / stop, Operate, Maintain, Services, Communication
As described below, HAZOP is systematic application of meaningful combinations of
guidewords and parameters.
5.2.1 HAZOP study work process
HAZOP studies are carried out by multi-disciplinary teams, the members of the team providing a technical contribution or a supporting role.
For the HAZOP team the following requirements are mandatory:
  Thorough knowledge of the actual P&ID
  Thorough knowledge of operation and maintenance of the process
  The team is led by a person with thorough experience in use of HAZOP analysis
As a minimum the team shall consist of:
  Safety expert, HAZOP leader
  Process expert
  Operation expert
  Instrument expert
It is necessary that the team leader is independent of the task issuer. The leader shall preside over the meetings in such a way that all sides of the questions raised are brought to light. The group must not become absorbed in problems that are not resolved in the meeting. The attitudes of the team are not only the responsibility of the team leader. The members must also be aware of the danger of having defensive attitudes in relation to their own discipline or work field. It can easily happen that people are plant blind, that is, they lose the ability to realize weaknesses in their own process or project. So independent persons should attend. The work periods between breaks should not be too long. More than two hours of continuous work is not recommended, since the process requires alertness and creative thinking.
For each node the following is clarified in a structured way:
1. Node number and description
2. Design intent; description of how the node functions
3. Deviations
4. Causes; some can be classified as unrealistic and later rejected
5. Consequences which cause damage, injury or loss
6. Existing safeguards to reduce risks
7. Recommendations to improve safety if evaluated to be necessary
The team goes systematically through the process, applying the guidewords to parameters as recommended, in the following order:
1. Changes in flow
2. Changes in physical condition
3. Changes in chemical condition
4. Start-up and shut-down
5. Changes in vessel condition
6. Effluents
7. Emergencies
A recommended work process is shown in Figure 2 below. Meaningful combinations of parameters and guidewords are shown in Table 17.
Figure 2 Flow diagram for the HAZOP analysis of a node
1. Define the node
2. Describe and discuss the node, determine the design envelope
3. From the description and design, select a parameter
4. Combine this parameter with a guideword to form a meaningful deviation
5. Seek a possible cause of the deviation and identify the consequences
6. Evaluate the safeguards, decide if adequate or if a change or further study is needed. Record
7. Have all the causes for the deviation been considered? (if not, return to step 5)
8. Does any other guideword combine with this parameter? (if so, return to step 4)
9. Are there further parameters to consider? (if so, return to step 3)
10. Examination of the node is complete
5.2.2 Operating procedures
As a procedural sequence, the parts under examination during the HAZOP process are the relevant sequential instructions. In addition to the standard guidewords, "Out of sequence" and "Missing" can be productive. In the list of parameters, the phrase "complete the step" can be used to good effect, as it combines meaningfully with the guidewords No, More, Less, Reverse, Part of, As well as, Out of sequence and Missing.
A major difference from process studies is that many of the causes of deviation are related to human actions. These may be of omission or commission. Other possible causes include poorly-written procedures; difficulties caused by poor layout, bad lighting and parameter indicators with limited or poor ranges; or too many alarms.
Example. A HAZOP study on an operating procedure is illustrated by the example below. We consider a small batch process for the manufacture of a safety critical component. The component must meet a tight specification in both its material properties and its colour.
The processing sequence is as follows:
1. Take 12 kg of powder "A"
2. Place in blender
3. Take 3 kg of colorant powder "B"
4. Place in blender
5. Start blender
6. Mix for 15 minutes; stop blender
7. Remove blended mixture into 3 x 5 kg bags
8. Wash out blender
9. Add 50 l to mixing vessel
10. Add 0.5 kg of hardener to mixing vessel
11. Add 5 kg of mixed powder ("A" & "B")
12. Stir for 1 minute
13. Pour mixture into moulds within 5 minutes
A HAZOP study is carried out to examine ways in which below-specification material may be produced.
Recommended actions from a HAZOP of this operation can be:
  Check quality assurance procedures at manufacturer
  Check if powder A may be contaminated by spills, leakages or operator errors
  Discuss if a critical control point should be implemented after step 7
  Implement a safeguard against adding too much hardener in step 9
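The Figure 2 loop applied to the batch procedure above, as an added example and not the handbook's own tool: it generates the deviations from guideword x parameter combinations (the "complete the step" parameter for procedure steps, a parameter list for a process node), records causes, consequences and safeguards, and flags the entries that still need a recommendation. The set of meaningful combinations for process nodes and the recorded findings are constructed; the handbook's Table 17 is not reproduced here.

```python
"""Generating and recording HAZOP deviations for a node or a procedure step.

Added example, not the handbook's own tool. Guidewords are those of Table 15
plus "Out of sequence" and "Missing" from section 5.2.2. The set of meaningful
guideword/parameter combinations for a process node (the handbook's Table 17 is
not reproduced here) and the causes, consequences and safeguards recorded below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

PROCESS_GUIDEWORDS = ["No / Not", "More", "Less", "As well as", "Part of", "Reverse"]
PROCEDURE_GUIDEWORDS = PROCESS_GUIDEWORDS + ["Out of sequence", "Missing"]

# ASSUMED meaningful combinations for a continuous process node (not Table 17).
MEANINGFUL = {
    "Flow": ["No / Not", "More", "Less", "Reverse", "As well as", "Part of"],
    "Pressure": ["More", "Less"],
    "Temperature": ["More", "Less"],
    "Level": ["No / Not", "More", "Less"],
    "Composition": ["As well as", "Part of"],
}


@dataclass
class Entry:
    """One record of the Figure 2 loop: deviation, causes, consequences, safeguards."""
    node: str
    parameter: str
    guideword: str
    causes: List[str] = field(default_factory=list)
    consequences: List[str] = field(default_factory=list)
    safeguards: List[str] = field(default_factory=list)

    @property
    def deviation(self) -> str:
        return f"{self.guideword} {self.parameter}"

    def needs_recommendation(self) -> bool:
        """A credible cause with consequences but no safeguard needs an action."""
        return bool(self.causes) and bool(self.consequences) and not self.safeguards


def node_deviations(node: str, parameters: List[str], meaningful=MEANINGFUL) -> List[Entry]:
    """Deviations for a process node: every meaningful guideword x parameter pair."""
    return [Entry(node, p, g) for p in parameters for g in meaningful.get(p, [])]


def procedure_deviations(steps: List[str]) -> List[Entry]:
    """Section 5.2.2: parameter 'complete the step' against all eight guidewords."""
    return [Entry(f"Step {i}: {text}", "complete the step", g)
            for i, text in enumerate(steps, 1)
            for g in PROCEDURE_GUIDEWORDS]


def open_recommendations(entries: List[Entry]) -> List[Entry]:
    """Entries the team still has to turn into a recommendation."""
    return [e for e in entries if e.needs_recommendation()]


# The batch procedure of section 5.2.2.
STEPS = [
    'Take 12 kg of powder "A"', "Place in blender", 'Take 3 kg of colorant powder "B"',
    "Place in blender", "Start blender", "Mix for 15 minutes; stop blender",
    "Remove blended mixture into 3 x 5 kg bags", "Wash out blender",
    "Add 50 l to mixing vessel", "Add 0.5 kg of hardener to mixing vessel",
    'Add 5 kg of mixed powder ("A" & "B")', "Stir for 1 minute",
    "Pour mixture into moulds within 5 minutes",
]


def example_worksheet() -> List[Entry]:
    """Fill two deviations of the procedure study with constructed findings."""
    entries = procedure_deviations(STEPS)
    by_key = {(e.node, e.guideword): e for e in entries}

    mix_short = by_key[(f"Step 6: {STEPS[5]}", "Less")]   # mixed for less than 15 min
    mix_short.causes.append("Operator stops blender early")
    mix_short.consequences.append("Colour out of specification")
    mix_short.safeguards.append("Blender timer with automatic stop")   # adequate, no action

    hardener = by_key[(f"Step 10: {STEPS[9]}", "More")]   # too much hardener added
    hardener.causes.append("Weighing error at the hardener scale")
    hardener.consequences.append("Below-specification material properties")
    # no safeguard recorded: this entry becomes a recommendation
    return entries
```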
5.2.3 Computer-controlled processes
It is strongly recommended to use only standardised and well-proven computers on safety critical processes. This implies use of one of the two following systems, depending on process complexity and hazard potentials in the processes:
  PLC for monitoring, control and sequencing and safety functions
  Separate control and shut down systems with
    DCS for alarm, monitoring and control functions
    Certified shut down systems for safety functions of SIL level 1, 2 or 3
If standard computers for process control applications are used, techniques for
avoidance, detection and action in case of a fail state are embedded. The HAZOP team
should decide if:
- outputs from the computer have to be
  - fail safe, that is causing valves to go to the safe position, or
  - incremental, that is causing valves to freeze in their current position
- a back-up function is needed in case of computer failure
  - for manual control
  - for information
  - for safety functions
- redundancy in the computer system is needed for
  - availability reasons, that is avoiding a production stop in case of failure of a single computer
  - safety reasons, that is monitoring by watchdog (or equivalent) and alarm so the operator can take
    necessary actions, or SIL 1, 2 or 3 certified computers
To avoid failures in application software the following shall be applied:
- verification of the programme by an independent person
- routines for loop test prior to start up
- routines for periodical proof test after operation has started, to detect possible failures which can arise due to changes, maintenance failures or component failures
Special attention must be paid to sequencing systems, since control of sequential
processes is often more complicated than control of continuous processes. Safety critical points
are:
- Operator intervention such as manual control / bypassing of steps
- Handling of reset and acknowledging functions and test signals in relation to automatic flags must be discussed.
Programmers and operators must participate in the HAZOP meetings.
5.2.4 Documentation needed for a HAZOP study
Necessary documentation to conduct a HAZOP constitutes:
Process flow diagrams
Process and Instrument Diagrams (P&ID)
Risk and safety studies (HAZID, RR, QRA)
Safety shut down diagrams
Operational and emergency procedures
Chemical data sheets
Area safety drawings
5.2.5 Recording of the HAZOP work
HAZOP reports shall comprise
Reference to P&ID, number, version and date
Date when HAZOP conducted
For each entry reference to:
Process Equipment, by Functional Location
Parameter and Guideword
Cause
Possible consequence
Action; recommendation to safeguard or other action or comment
Responsible for carrying out decided action
Time limit for carrying out the decided action
It is underlined that all guidewords shall be covered in the study. However, not all
guidewords have to be reported. Three levels of reporting are possible:
- record by exception, that is only when an action results
- intermediate record, that is where an action results, where a hazard exists or where a significant discussion takes place
- full record
Recording by exception requires an entry only when the team makes a recommendation. This level can be used in existing processes with long operational experience.
At the intermediate level, a record is generated whenever there is any significant
discussion by the team, including those occasions where there is no associated action.
These include deviations identified by the team which, though realistic and
unanticipated in the original design work, happen to be adequately protected by the
existing safeguards. This level is generally recommended.
In full recording, an entry is included for every deviation considered by the team, even
when no significant causes or consequences were found. At this level, each parameter is
recorded with each guideword for which the combination is physically meaningful. This
level should only be used in process units that need to demonstrate the highest possible standard of safety management.
But as underlined above, all guidewords have to be discussed. It is assumed that a
guideword not reported is discussed and no deviation, comment or observation is found.
A table for recording of HAZOP is shown in table 18 below.
Table 18 Form for recording of HAZOP
Node no / description:
Design intent:
Project:
Project phase:
P&ID (no/title):
Ref. | Pipe, equipment no | Guideword and deviation | Cause(s) | Consequence(s) | Safeguard(s) | Recom | Co
5.3 Criticality ranking for maintenance purposes
This chapter provides guidelines for assessing the risk of failure in plant processing
equipment (loss of equipment integrity and / or function). This implies that non-
processing facilities, like structures, buildings, automobiles, etc. are not dealt with. Nor
are occupational health risks, like exposure to noise, burns caused by contact with hot
surfaces, etc. Nor does the document address risks associated with human errors
(possibility of mal-operations) or external risks, like terror attacks, airplanes falling
down, cars crashing into plant equipment or alike.
5.3.1 Purpose of criticality analysis and risk assessment
The purpose of maintenance is to keep the condition and functionality of the plant's
equipment at an acceptable level, as mal-functioning could adversely affect one or more of
the following values (in descending order of priority):
- People's safety and health
- Environment
- Product quality
- Production capability
- Assets / property
Some equipment failure scenarios could have impact on all of the above values.
Other failure scenarios may only affect one or two of them. Some scenarios may have
big and long lasting consequences whereas others may have smaller impact. Some
failures are known to happen frequently whereas others only happen once in a blue
moon.
The objective of Risk Assessment is to identify and rank the potential failures, such that
the operation, inspection, condition monitoring and maintenance activities can be focused on avoiding events associated with unacceptable risk.
A plant's organisation should, in general, pay more attention to elements and activities
involving high risk than to those involving low or no risk. This is the fundamental idea
of so-called Risk Based Maintenance / Inspection / Operation.
As the loss of say 100,000 means more to some production sites than to others, and as
local regulations (e.g. allowable emissions) also vary from place to place, the relevant
site management must define what is unacceptable for their site.
This is in principle done in the Business Plan, which outlines the targets for next year's
production volumes as well as safety performance, costs, etc. If the Business Plan allows only e.g. 15 days loss of production, the availability requirement for the
respective plant becomes (365-15) / 365 = 0.96.
The Business Plan therefore sets the overall production regularity requirement and the
equipment maintenance program must be designed accordingly within the defined
operating and maintenance cost budgets. A maintenance budget normally contains
planned activities (like periodic jobs) and unplanned activities (corrective maintenance).
Ideally, the corrective maintenance budget should match the plant's total expected and
accepted - monetary risk. The table below illustrates how the corrective maintenance
budget, in principle, could be established by use of risk assessment methods:
Table 19 Illustration of corrective maintenance budget established by use of risk
Item        | Probability of failure | Monetary consequence per failure | Calculated monetary risk (probability x consequence)
Component A | 0.01 pr. year          | 100,000                          | 1,000 per yr
Component B | 0.001 pr. year         | 2,000,000                        | 2,000 per yr
Total plant | Budget for corrective mtce:                               | Sum = 3,000 per yr
Example 1: A shell and tube heat exchanger contains 500 tubes, and the probability (i.e.
frequency) of one tube failing is 0.01 per year (one every 100 years). The total probability of a tube
failure in this heat exchanger then becomes 500 x 0.01 = 5 pr. year. If the consequences of a tube rupture are large (e.g. the whole production has to stop because the final product gets contaminated), the risk of failure (consequence x probability) may be considered
unacceptably high. Some kind of remedy (e.g. change to another tube material) should then be evaluated. But if e.g. the tube-side carries the same fluid as the shell-side, the immediate
consequences of a tube rupture may be minor, especially if the heat exchanger has some
surplus capacity. In this case, therefore, the risk may be regarded as low / acceptable.
Example 2: Two identical pumps are serving two totally different functions. One is
pumping conditioning chemicals into the main process, and the other is pumping water to the toilets on the 2nd floor of the administration building. It goes without saying that the first
pump requires more attention (periodic inspection, lubrication, etc.) than does the latter. Also, the response upon failure (the corrective action / maintenance) should be prompt in the
first case, whereas the toilet pump could wait till after the weekend. The probability of losing the pumping function may be the same for both, but the consequences following a failure may be regarded as critical for one pump, and non-critical for the other.
Hence, the first pump carries a high risk and the latter a low risk.
Example 3: Two identical water pumps, one being a hot spare for the other. The consequences of losing the pumping function may be severe, and hence this function is
seen as critical to the plant operations. But, as the spare pump automatically starts if the first pump fails, the probability of losing the pumping function is very small. (If a standby
pump needs a long time to start, it should not be considered as a hot spare.) Hence, the risk (consequence x probability, or criticality x likelihood) is low.
Example 4: Again, two identical pumps, one being a hot spare for the other, but these are
pumping toxic liquid. The pumps are located near the main control room. The pumping function is just as critical to the plant operations as the pumps in example 3.
As the liquid is toxic, a potential leak (which is one possible failure) could affect people's
safety as well as the environment (especially if the pumps cannot be quickly isolated). The probability of failure may be the same as in example 3, but the risk becomes higher
due to the potential safety as well as environment and production impact. Hence, these
pumps will be riskier than the pumps in example 3, and call for even more attention and closer follow-up through inspection programs.
The probability of a loss of function depends on the actual equipment and the actual operational conditions.
In order to get the Risk Assessment process started, a number of initial and simplifying
assumptions may be needed. As and when real life experience is gathered and systemised, these assumptions, and thereby also the risk assessment, can be adjusted and
fine-tuned.
It is recommended to break the Risk Assessment into the following steps:
1. Establish Local Acceptance Criteria for the 5 values (people's safety, environment, product quality, production capability, assets / property). Examples of criteria are given below.
2. Carry out Criticality Ranking, i.e. assess the potential Consequences of equipment failure as High (3), Medium (2), or Low (1) and classify the equipment accordingly as Critical, Important or General - for all the 5 values.
3. Carry out RBI, SIL and RCM methods to estimate the probability and the resulting Risk of failure (= consequence x probability). Start with the most critical equipment failures.
This stepwise approach should filter out the non-important matters and set the priorities
for developing maintenance plans / programs. Steps 1) and 2) are further described in
the following chapters whereas the methods mentioned under step 3) are covered by
separate documents.
5.3.3 Establishing local acceptance criteria
As the loss of say 100,000 Euro means more to some production sites than to others,
and as local regulations (e.g. allowable emissions) also vary from place to place, the
relevant site management must define what is acceptable and unacceptable for their
plant(s). The table below shows the principle way of assessing consequences.
Table 20 General consequence classification for maintenance purposes
Columns: Criticality / consequences | Health, safety and environment | Production and/or product quality loss (Note 1) | Equipment restoring cost (Note 1)

3 Critical / High
  Health, safety and environment:
  - Potential for serious personnel injuries.
  - Renders safety critical systems inoperable.
  - Potential for fire in classified areas.
  - Potential for large pollution.
  Production and/or product quality loss: Stop in production / significantly reduced rate of production exceeding X hours (specify duration) within a defined period of time.
  Equipment restoring cost: Substantial cost exceeding Y Euro (specify cost limit).

2 Important / Medium
  Health, safety and environment:
  - Potential for injuries requiring medical treatment.
  - Limited effect on safety systems.
  - No potential for fire in classified areas.
  - Potential for moderate pollution.
  Production and/or product quality loss: Brief stop in production / reduced rate of production lasting less than X hours (specify duration) within a defined period of time.
  Equipment restoring cost: Moderate cost between Z and Y Euro (specify cost limits).

1 General / Low
  Health, safety and environment:
  - No potential for injuries.
  - No potential for fire or effect on safety systems.
  - No potential for pollution (specify limit).
  Production and/or product quality loss: No effect on production within a defined period of time.
  Equipment restoring cost: Insignificant cost less than Z Euro (specify cost limit).
Note 1: The loss of Production and / or product quality should in monetary value comply with the
corresponding cost limits specified for Equipment Restoring Cost.
The table below shows a typical application of the guidelines given above.
Table 21 Example of Consequence Classification for maintenance purposes
Columns: Criticality / consequences | Health, safety and environment | Production and/or product quality loss | Equipment restoring cost

3 Critical / High
  Health, safety and environment: Leakage of:
  - Hydrocarbons, highly ignitable gases, and other flammable media.
  - Liquid / steam, above 50 C or 10 bars.
  - Toxic gas and fluids.
  - Chemicals harmful to the environment.
  Production and/or product quality loss: More than 100,000
  Equipment restoring cost: More than 100,000

2 Important / Medium
  Health, safety and environment: Leakage of:
  - Oil, diesel and other less ignitable gases and fluids.
  - Liquid / steam, less than 50 C and 10 bars.
  - Toxic substance, small volume.
  Production and/or product quality loss: Between 10,000 and 100,000
  Equipment restoring cost: Between 10,000 and 100,000

1 General / Low
  Health, safety and environment: Leakage of:
  - Non-ignitable media.
  - Atmospheric gases and fluids harmless to humans and environment.
  - Negligible toxic effects.
  - Harmless chemicals.
  Production and/or product quality loss: Less than 10,000
  Equipment restoring cost: Less than 10,000
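As an added example that is not part of the handbook, the Python below carries out steps 1 to 3 of the Risk Assessment described above on constructed data: consequences are classed with the Table 21 thresholds, risk is computed as probability x consequence (with the per-unit multiplication of Example 1), and the corrective maintenance budget is the summed monetary risk of Table 19. The dataclass fields, the medium lookup keys and the use of one combined monetary consequence per failure are assumptions of this example.

```python
# Added example (not handbook code): the handbook's Risk Assessment steps on constructed
# data: Table 21 classes, risk = probability x consequence, Table 19 budget = summed risk.
from dataclasses import dataclass

HIGH, MEDIUM, LOW = 3, 2, 1          # consequence classes of Table 20
CLASS_NAME = {HIGH: "Critical", MEDIUM: "Important", LOW: "General"}

def money_class(euro: float) -> int:
    """Table 21: more than 100,000 -> 3, 10,000 to 100,000 -> 2, less -> 1."""
    if euro > 100_000:
        return HIGH
    return MEDIUM if euro >= 10_000 else LOW

# HSE class by released medium, abridged from Table 21; the keys are constructed here.
HSE_CLASS = {
    "toxic gas": HIGH, "flammable gas": HIGH, "steam above 50 C": HIGH,
    "oil": MEDIUM, "small toxic volume": MEDIUM,
    "water": LOW, "atmospheric gas": LOW,
}

@dataclass
class Item:
    name: str
    medium: str              # what is released on loss of containment
    consequence_euro: float  # production loss plus restoring cost per failure (assumed combined)
    failure_rate: float      # failures per year per unit
    units: int = 1           # identical units, e.g. 500 tubes (Example 1)

def criticality(item: Item) -> int:
    """Step 2: worst class across the values; an unknown medium counts as Critical."""
    return max(HSE_CLASS.get(item.medium, HIGH), money_class(item.consequence_euro))

def probability(item: Item) -> float:
    """Step 3: total failure frequency per year, summed over identical units."""
    return item.failure_rate * item.units

def monetary_risk(item: Item) -> float:
    """Risk = probability x consequence, in Euro per year."""
    return probability(item) * item.consequence_euro

def rank(items):
    """Most critical first: by consequence class, then by monetary risk."""
    return sorted(items, key=lambda i: (criticality(i), monetary_risk(i)), reverse=True)

def corrective_budget(items) -> float:
    """Table 19: the budget matches the plant's total expected monetary risk."""
    return sum(monetary_risk(i) for i in items)

if __name__ == "__main__":
    plant = [Item("Component A", "water", 100_000, 0.01),        # Table 19 rows
             Item("Component B", "toxic gas", 2_000_000, 0.001),
             Item("Exchanger tubes", "oil", 20_000, 0.01, units=500)]
    for it in rank(plant):
        print(it.name, CLASS_NAME[criticality(it)], f"risk={monetary_risk(it):,.0f} Euro/yr")
    print(f"Corrective maintenance budget: {corrective_budget(plant):,.0f} Euro/yr")
```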
5.3.4 Carrying out the criticality analysis ranking
Once the criteria in the Consequence Classification matrix are defined, an experienced
and knowledgeable operator could mark those systems on the P&ID that are potentially
harmful to people and / or environment with different colours. In doing so, the
operator will also be able to spot areas of particular concern e.g. areas where a leak
cannot be easily isolated and where big volumes of toxic / harmful material can be
released and spread around. Such a marking exercise (and associated documentation) will
be useful if the Company is considering certifying itself according to Environmental
Management Standards or Process Safety Management Standards, like ISO-14001 and
OHSAS-18001. (Similarly, marking the systems and equipment which could adversely
affect the final product quality would help demonstrate overview and control, according to e.g. the ISO-9000 Product Quality Management Standard.)
Unlike nuclear power plants and offshore oil installations, fertiliser plants have few
duplicated functions i.e. there are no hot spare compressors or heat exchangers.
There are, however, some duplicated pumps and there are some control valves with
bypasses that can also be used for control. These could be circled on the P&ID, and
marked as areas where the probability of losing the functionality is small.
All equipment in a plant has an intended function:
1. A tank's function is to store and contain material
2. A pipe's function is to transport and contain material
3. A pump's function is to increase pressure and transport material