process safety_handbook_2011.pdf

INTERNAL 1 of 129 PROCESS SAFETY HANDBOOK 2011-04-04

Yara Process Safety Handbook

Scope

Process Safety focuses on preventing fires, explosions and accidental chemical releases in chemical processes or other facilities dealing with hazardous materials. The Yara Process Safety Handbook (PSHb) provides Yara requirements and background reading related to process safety.

As a Yara document the PSHb is:
- A guideline for general methods for safety and risk studies
- A reference for TOPS with regard to PS methods
- A presentation of a set of Yara Green Rules which can be used in contractor projects:
  1. The Yara risk acceptance criteria
  2. The Yara method for SIL analysis
  3. The Yara failure data for safety functions and operator failures
- Limited by TOPS / statutory documents, which can overrule results from methods presented herein

The contents are mainly descriptions of:
o Reliability analysis
o Consequence analysis
o Qualitative and quantitative risk analyses and safety studies

Besides:
o Definitions of PS related concepts used in TOPS
o Reference to PS concepts in Yara TOPS 0-P04, ISO (OSHAS) 18001, Safety assessments in life cycle perspective

Another purpose of the PSHb is internal training.

Upload: pnrao2p

Post on 02-Jun-2018



  • 8/10/2019 Process safety_Handbook_2011.pdf

    1/129


Contents

1 Reference publications .... 4
1.1 External references to standards and guidelines .... 4
1.2 References to external specialist works .... 4
1.3 Yara reference documents .... 4
1.4 Process Safety categorised as 12 Elements (PSE) .... 4
2 Structure of Process Safety .... 5
2.1 Structure of ISO (OSHAS) 18001 .... 5
2.2 ISO (OSHAS) 18001 related to Yara PSE (Process Safety Elements) .... 5
2.3 Yara documents related to ISO 18001 .... 6
3 Definitions .... 9
4 Risk, risk analyses and safety studies .... 17
4.1 Risk identification and risk ranking .... 17
4.2 Risk acceptance criteria .... 17
4.2.1 Acceptance in connection with risk ranking .... 17
4.3 On-site risk acceptance (Yara Green Rule) .... 19
4.4 Off-site risk acceptance (Yara Green Rule) .... 19
5 Hazards and consequences related to production activities .... 21
5.1 Hazard identification by Check Lists .... 23
5.1.1 Simple Check-List .... 23
5.1.2 Comprehensive checklist .... 24
5.2 Hazard and Operability Studies (HAZOP) .... 27
5.2.1 HAZOP study work process .... 29
5.2.2 Operating procedures .... 32
5.2.3 Computer-controlled processes .... 32
5.2.4 Documentation needed for a HAZOP study .... 33
5.2.5 Recording of the HAZOP work .... 33
5.3 Criticality ranking for maintenance purposes .... 36
5.3.1 Purpose of criticality analysis and risk assessment .... 36
5.3.2 The risk assessment process .... 38
5.3.3 Establishing local acceptance criteria .... 39
5.3.4 Carrying out the criticality analysis ranking .... 40
5.3.5 Criticality analysis team and necessary documents .... 42
6 Probability analysis .... 44
6.1 Reliability of equipment and systems .... 44
6.2 Reliability of safety functions .... 48
6.2.1 Dangerous failures in safety functions .... 48
6.2.2 Reliability of safety functions, safe failures .... 49
6.3 Human Reliability .... 50
6.4 System analysis and modelling .... 51
7 Consequence analysis .... 56
7.1 Release .... 56
7.2 Gas dispersion .... 58
7.3 Evaporation .... 60
7.4 Ignition .... 61
7.5 Fire .... 63
7.6 Explosion .... 68
7.7 Exposure of toxic gases .... 74
8 SIL analyses .... 76
8.1 Safety integrity (Yara Green Rule) .... 76
8.2 Determination of SIL (Yara Green Rule) .... 77
8.3 Total risk reduction for a specific event .... 83
8.4 Examples of SIL analyses .... 84
8.4.1 Ammonia oxidizing unit .... 84


8.4.2 Water pipe for steam wetting .... 87
8.4.3 Steam drum .... 88
8.4.4 Leakage of toxic gas to process hall .... 89
8.4.5 Fire in heavy rotating equipment .... 90
9 Layer of Protection Analysis (LOPA) .... 92
9.1 LOPA scenarios .... 92
9.2 Methodology .... 93
9.3 Example of failure data for Independent Protection Layers used in LOPA .... 95
10 Quantitative Risk Analysis (QRA) .... 96
10.1 When is a QRA or CQRA done .... 97
10.2 Plant data .... 97
10.3 Off-site risk .... 98
10.4 On-site risk .... 99
11 Failure Data relevant for Safety Functions .... 102
11.1 Data sources .... 102
11.2 Factors influencing the reliability .... 102
11.3 Continuous and Demand mode operation .... 103
11.4 SIL capability .... 103
11.5 Presentation of the most relevant failure data for safety functions .... 103
11.6 Sensors .... 104
11.7 Logic solvers .... 105
11.8 Final elements .... 105
11.9 Safety Relief Valves .... 107
11.10 Overview of spurious trip rate for some safety related functions .... 107
12 Leakage data relevant for risk analyses .... 108
13 Human reliability .... 111
14 Risk reduction .... 115
14.1 Inherent safety .... 115
14.2 Risk reducing measures .... 115
14.3 Definition of layers .... 116
14.4 Safety functions .... 118
14.5 Life-cycle activities .... 124
14.6 Invariable requirements to design of safety functions .... 124
14.7 Principles for increasing reliability of safety systems .... 125

Yara Green Rules

4.2.1 Acceptance criteria in connection with risk ranking, pp 17-18
4.3 On-site risk acceptance, p 19
4.4 Off-site risk acceptance, pp 19-20
8.1 Safety integrity, pp 76-83
Table 16. Yara recommended dangerous undetected failure data for sensors, p 105
Table 17. Yara recommended dangerous undetected failure data for logic solvers, p 105
Table 19. Yara recommended dangerous undetected failure data for final elements, p 107
Table 21. Yara recommended dangerous undetected failure data for pressure relief valves, p 107
Table 28. Yara recommended dangerous undetected failure process tasks, p 114


    1 Reference publications

    1.1 External references to standards and guidelines

    Key external references to process safety are:

1. ISO (OSHAS) 18001
2. The Seveso II directive
3. EN standards: Machine directive, EN-1050:1996, EN 620:2002; ATEX directive 94/9/EC and EN 60079-10
4. IEC 61508/61511
5. API
6. EIGA
7. NFPA
8. ISO
9. Guidelines from acknowledged organisations: EFMA, IFA, The Fertilizer Society

    1.2 References to external specialist works

    Some references to external specialist works, which are used in this handbook, are:

1. Norsk Hydro Handbook of Safety Risk Assessment, 2000
2. AIChE: Layer of Protection Analysis, 2001
3. AIChE: Guidelines for Process Quantitative Risk Analysis, 2000
4. Gas Explosion Handbook, http://www.gexcon.com/index.php?src=gas/gas_explosions.html
5. TNO, Yellow book, Methods for the calculation of physical effects, CPR 14E; The Hague, 1996
6. TNO, Purple book, Guideline for quantitative risk assessment, CPR 18E, 2005

    1.3 Yara reference documents

    The HES documents are on four levels in the Yara document hierarchy:

1. Technical and Operational Standards
2. Best Practices (BP)
3. Manuals and Reference Documents

    1.4 Process Safety categorised as 12 Elements (PSE)

    In Yara-TOPS 0-P04 Process safety management is categorised as 12 elements:

    1. Process Safety Information

2. Process Safety Studies
3. Operating Procedures
4. Safe Work Practices
5. Modification to Process Variables and Equipment
6. Technical Safety Barriers
7. Quality control and maintenance of equipment
8. Competence and training
9. Investigation and reporting
10. Emergency planning and response
11. Pre-start-up safety reviews


12. Inspection and auditing

    2 Structure of Process Safety

    2.1 Structure of ISO (OSHAS) 18001

    The structure of ISO (OSHAS) 18001 is defined in table 1 below.

    Table 1 ISO (OSHAS) 18001 structure

    Clause Content

    1 Scope

    2 Reference publications

    3 Definitions

    4 OH&S management system elements

4.1 General requirements

4.2 OH&S policy

    4.3 Planning

    4.3.1 Planning for hazard identification, risk assessment and risk control

    4.3.2 Legal and other requirements

    4.3.3 Objectives

    4.3.4 OH&S management programme(s)

    4.4 Implementation and operation

    4.4.1 Structure and responsibility

    4.4.2 Training, awareness and competence

    4.4.3 Consultation and communication

    4.4.4 Documentation

4.4.5 Document and data control

4.4.6 Operational control

    4.4.7 Emergency preparedness and response

    4.5 Checking and corrective action

    4.5.1 Performance, measurement and monitoring

    4.5.2 Accidents, incidents non- conformance and corrective and preventive action

    4.5.3 Records and records management

    4.5.4 Audit

    4.6 Management review

    2.2 ISO (OSHAS) 18001 related to Yara PSE (Process Safety Elements)

As shown in table 3 below, 16 elements of process safety can be identified from the ISO (OSHAS) 18001 structure; they are shown in italic in the table.

    Table 2 Identification of Process Safety Elements in ISO (OSHAS) 18001


ISO (OSHAS) 18001 clause | Title | Process Safety Element (PSE)
1 | Scope |
2 | Reference publications |
3 | Definitions |
4 | OH&S management system elements |
4.1 | General requirements |
4.2 | OH&S policy |
4.3 | Planning |
4.3.1 | Planning for hazard identification, risk assessment and risk control | PSE 1 Process Safety Information; PSE 2 Process Safety Studies
4.3.2 | Legal and other requirements |
4.3.3 | Objectives |
4.3.4 | OH&S management programme(s) |
4.4 | Implementation and operation |
4.4.1 | Structure and responsibility |
4.4.2 | Training, awareness and competence | PSE 8 Competence and training
4.4.3 | Consultation and communication |
4.4.4 | Documentation |
4.4.5 | Document and data control |
4.4.6 | Operational control | PSE 3 Operating Procedures; PSE 4 Safe Work Practices; PSE 5 Modification to Process Variables and Equipment; PSE 11 Pre-start-up safety reviews; PSE 6 Safety Barriers
4.4.7 | Emergency preparedness and response | PSE 10 Emergency planning
4.5 | Checking and corrective action | PSE 7 Quality control and maintenance of equipment
4.5.1 | Performance, measurement and monitoring | PSE 12 Inspection and auditing
4.5.2 | Accidents, incidents, non-conformance and corrective and preventive action | PSE 9 Investigation and reporting
4.5.3 | Records and records management |
4.5.4 | Audit | PSE 12 Inspection and auditing
4.6 | Management review |

    2.3 Yara documents related to ISO 18001

The relation between ISO (OSHAS) 18001 and Yara documents is described in the table below. Clauses related to process safety are in italic.

    Table 3 Relation between ISO (OSHAS) 18001 and Yara steering documents

ISO (OSHAS) 18001 | Yara document
1 Scope |
2 Reference publications |
3 Definitions |
4 OH&S management system elements | TOPS 0
4.1 General requirements | TOPS 0
4.2 OH&S policy | TOPS 0


4.3 Planning |
4.3.1 Planning for hazard identification, risk assessment and risk control | TOPS 0
4.3.2 Legal and other requirements |
4.3.3 Objectives |
4.3.4 OH&S management programme(s) |
4.4 Implementation and operation |
4.4.1 Structure and responsibility |
4.4.2 Training, awareness and competence | TOPS 1-01, 1-18
4.4.3 Consultation and communication |
4.4.4 Documentation |
4.4.5 Document and data control |
4.4.6 Operational control | TOPS 0-P-08, -11; TOPS 1-01, 1-02, 1-03, 1-04, 1-05, 1-06, 1-07, 1-08, 1-09, 1-10, 1-11, 1-12, 1-11, 1-12, 1-13, 1-14, 1-15, 1-16, 1-17, 2-01, 2-04, 2-05, 3-01, 3-02, 3-03, 3-04, 3-05, 3-06, 3-07, 4-01, 4-02, 5-01, 5-02, 5-03, 5-04
4.4.7 Emergency preparedness and response | TOPS 0-P-04
4.5 Checking and corrective action |
4.5.1 Performance, measurement and monitoring |
4.5.2 Accidents, incidents, non-conformance and corrective and preventive action | TOPS 0-P-01, -02
4.5.3 Records and records management |
4.5.4 Audit |
4.6 Management review |

The relation between Process Safety Elements, ISO (OSHAS) 18001 clauses and Yara documents is also shown in the table below. Clauses related to process safety are in italic. It is indicated where no relevant Yara document is identified.

Table 4. The relation between ISO 18001 clauses related to process safety and Yara documents

ISO 18001 clause | ISO (OSHAS) 18001 title | Yara document no | Yara document title
4.3.1 | Planning for hazard identification, risk assessment and risk control | TOPS 0-P-04 | Controlling chemical risk related to personnel
 | | TOPS 0-P-10 | Plant design, construction, modification and decommissioning
4.3.2 | Legal and other requirements | |
4.3.3 | Objectives | |
4.3.4 | OH&S management programme(s) | |
4.4.1 | Structure and responsibility | |
4.4.2 | Training, awareness and competence | TOPS 1-01 | Systematic, optimal and safe operation
4.4.3 | Consultation and communication | |
4.4.4 | Documentation | |
4.4.5 | Document and data control | |
4.4.6 | Operational control | TOPS 0-P-05 | Product Stewardship
 | | TOPS 1-01 | Systematic, optimal and safe operation
 | | TOPS 1-02 | Work permits
 | | TOPS 1-03 | Modifications / Management of change
 | | TOPS 1-04 | Instrument-based safety functions


    3 Definitions

The definitions presented below are intended to comprise terms used in Yara HES documents and handbooks.

Acceptance criteria for risk
Criteria that are used to express a risk level that is acceptable for the activity in question. Acceptance criteria may be expressed verbally or numerically.

ALARP
Principle to reduce risk As Low As Reasonably Practicable.

Accident
An unintended incident which results in injury to persons and/or damage to property, the environment or a third party, or which leads to production loss.

Availability
The proportion of time that an item is capable of operating to specification within a large time interval.

Barrier
A barrier is a device, system or action that is capable of preventing a scenario from proceeding to the undesired consequence. Preventive measures are aimed at the prevention of a LOC; in terms of risk such a measure is considered to reduce the probability of an LOC. Mitigating measures are aimed at minimising the consequences; in terms of risk, a mitigating measure is considered to reduce the effect.

Business Unit
In this procedure the term is used to cover all units reporting to Upstream, Downstream and Industrial management.

CAS-number
The identification number for a substance in the Chemical Abstracts Service.

Cause (failure cause, for components)
The physical or chemical processes, design defects, quality defects, partial misapplication or other processes which are the basic reason for failure or which initiate the physical process by which deterioration proceeds to failure.

Chemical agents
Any chemical element or compound used or produced in the process, including raw materials, intermediates, trade products, maintenance and auxiliary chemicals and waste.

CMR-chemicals
Carcinogenic and mutagenic chemical agents and chemicals that are toxic to reproduction.

Common cause failure
Failure which is the result of one or more events, causing failures of two or more separate channels in a multiple channel system, leading to a system failure.

Consequence
The result of the realisation of a hazard: material damage, environmental pollution, injuries, fatalities or financial loss. Consequences may be expressed verbally or numerically to define the extent of injury to humans, or environmental or material damage.

Contractors


Persons working for contractors who are under contract to execute work for the unit, but not being part of the unit's work force.

Control room (CR)
For the purpose of this standard, a "control room" is an area from where an operator can monitor and control a process that requires a safe shut-down and/or can execute the emergency response actions necessary to prevent accident escalation. The "control room" may be a central control room (CCR) for a complete facility or a local control room (LCR) for a local unit.

Corrective maintenance
Maintenance carried out to restore operational effectiveness after a failure.

Critical equipment
Equipment rated as critical in a criticality ranking.

Criticality ranking (for maintenance purposes)
Analysis of events and faults and the ranking of these in order of the seriousness of their consequences.

Customer
Customers of Yara are distributors of fertilizers and industrial and professional users of Yara products.

Cut set
A list of components such that if they all fail then the system is also in the failed state.

Dangerous failure
Failure which has the potential to put the safety system in a hazardous or fail-to-function state.

Demand
A condition which requires a protective system to operate.

Design accidental event
Accidental events that serve as the basis for layout, dimensioning and use of installations and the activity at large, in order to meet the defined risk acceptance criteria or according to defined deterministic scenarios.

Deterministic process safety study
A set of accidental events or scenarios representing the safety picture shall be defined. A maximum credible event shall be defined. Effective safety barriers shall prevent credible effects of the scenarios.

Diagnostic coverage
Ratio of detected failure rate to the total failure rate of the component or system as detected by diagnostic tests. Diagnostic coverage does not include any faults detected by proof test.

Diversity
Means that various types of equipment, technologies and functions are used to reduce the probability of common mode failure.

Down time
The time during which an item is not able to perform to specification.

Effect
The effects of an incident scenario are e.g. blast, dispersion of toxic materials, heat radiation etc.

Employees
Permanent employees of the unit and personnel on ordinary employment contracts.

Exposure


The amount, concentration or dose of a substance or physical factor a human population, area or environmental area is subjected to.

Event
An event is an occurrence related to an accident scenario. A distinction can be made between initiating and enabling events (or enabling conditions). The initiating event is the event that starts the chain of events leading to the undesired consequence. Three types of initiating events can be distinguished:
1. External events
2. Equipment failures
3. Human failures or inappropriate actions
An enabling event or enabling condition is an event or condition that is required for the initiating event to unleash a scenario. Enabling events are neither failures nor protection layers. They are expressed as probabilities. Examples of enabling events are start-up phase, material present, ignition source present etc.

Failure rate
The number of failures of an item (component, system) per unit time.

Fatal accident rate (FAR)
The number of deaths that have occurred or are predicted to occur in a defined group, in a given environment, during 10^8 hours of operation.

Fault tolerance
Ability of a functional unit to continue to perform a required function in the presence of faults or errors.

Fault tree analysis
A graphical method of modelling a system failure using AND and OR logic in tree form.
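A small worked example of what the "Cut set" and "Fault tree analysis" definitions describe, added here and not part of the handbook: a fault tree built from AND and OR gates, its cut sets, the minimal cut sets, and, going one step beyond the definitions, the top-event probability for independent basic events computed by inclusion-exclusion over the minimal cut sets. The tree, the event names and the failure probabilities are constructed sample values, not Yara failure data.

```python
"""Fault-tree evaluation with AND/OR gates: cut sets, minimal cut sets and
the top-event probability for independent basic events.

Added worked example for the "Fault tree analysis" and "Cut set" definitions;
it is not code from the handbook. The tree shape and the failure probabilities
are constructed sample values, not Yara failure data.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple, Union


@dataclass(frozen=True)
class Event:
    """Basic event (a component failure); a leaf of the tree."""
    name: str


@dataclass(frozen=True)
class Gate:
    """Logic gate: 'AND' fails only if every input fails, 'OR' if any does."""
    kind: str
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """All cut sets of the subtree: sets of basic events whose joint failure
    fails the node (the handbook's 'list of components such that if they all
    fail then the system is also in the failed state')."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        # Any failed input fails the gate: union of the children's cut sets.
        return set().union(*child_sets)
    if node.kind == "AND":
        # Every input must fail: combine one cut set from each child.
        result: Set[FrozenSet[str]] = {frozenset()}
        for child in child_sets:
            result = {a | b for a in result for b in child}
        return result
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Cut sets that contain no other cut set: the distinct ways the top
    event can occur, sorted smallest first."""
    sets = cut_sets(node)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def top_event_probability(node: Node, p: Dict[str, float]) -> float:
    """Exact top-event probability for independent basic events, by
    inclusion-exclusion over the minimal cut sets (fine for small trees;
    the number of terms grows as 2**len(mcs))."""
    mcs = minimal_cut_sets(node)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(mcs, k):
            joint = frozenset().union(*combo)  # every event in these cut sets fails
            prob = 1.0
            for name in joint:
                prob *= p[name]
            total += sign * prob
    return total


# Constructed sample tree (not from the handbook). Cooling is lost if the
# level sensor fails, if both redundant pumps fail, or if pump A fails while
# the supply valve also fails. The last branch is deliberately redundant
# (a superset of {pump_A, pump_B}) to show minimisation at work.
EXAMPLE_TREE = Gate("OR", (
    Event("sensor"),
    Gate("AND", (Event("pump_A"), Event("pump_B"))),
    Gate("AND", (Event("pump_A"), Event("valve"))),
    Gate("AND", (Event("pump_A"), Event("pump_B"), Event("valve"))),
))
# Constructed per-demand failure probabilities, not Yara data.
EXAMPLE_P = {"sensor": 0.001, "pump_A": 0.01, "pump_B": 0.02, "valve": 0.05}


if __name__ == "__main__":
    for cs in minimal_cut_sets(EXAMPLE_TREE):
        print("minimal cut set:", sorted(cs))
    print(f"top event probability: {top_event_probability(EXAMPLE_TREE, EXAMPLE_P):.6g}")
```

The redundant fourth branch yields four cut sets but only three minimal ones; the single-event cut set {sensor} is the one a reviewer would look at first, since one failure alone reaches the top event. Common cause failure (defined above) is exactly what this model does not capture: the basic events are assumed independent, so shared causes must be added as explicit events or the result will be optimistic.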

First-aid injury (FAI)
Injury at work requiring first aid treatment only, before the injured person resumes normal work.

F-N curve
A plot showing, for a specified hazard, the frequency of all events causing a stated degree of harm to N or more people, against N.

General equipment
Equipment rated as general in a criticality ranking.

Hazardous chemical
Any chemical agent which meets the criteria for classification as a dangerous substance or preparation according to national legislation, except those only meeting the criteria for danger to the environment (i.e. explosive, oxidizing, extremely flammable, highly flammable, flammable, very toxic, toxic, harmful, corrosive, irritating, sensitising, carcinogenic, mutagenic, toxic to reproduction).

Hazard identification
A study carried out to identify risks in the process by ranking of frequency and consequence.

Hazardous liquids and gases
Chemicals which under the stored conditions are liquids or gases, and that fall within the categories given in the EU Council Directive 96/82/EC (SEVESO directive), annex 1 part 1 or part 2, or are classified as corrosive.

HAZOP (HAZard and OPerability study)
A study carried out by the application of guide-words to identify all deviations from design intent with undesirable effects for safety or operability.


    Hired personnelPersonnel from other units or companies that are under contract to work full or part

    time in position for the Yara unit, and are considered to be part of the work force

    Important equipment

    Equipment rated as important in a criticality rankingIncident

    A sudden work related accident or near miss, a security breach, sustained in service.

    An injury or near miss injury 'in service' means when the incident occurs:

    on company property or on property under Yara operational management

    within agreed working hours

    on an approved business trip

    on approved training course, meeting, work assignment, entertaining businessassociates, etc.

    on a social event arranged by the employer.Individual risk criteria

    Criteria related to the likelihood with which an individual may be expected to sustaina given level of harm from the realisation of specified hazards

    Inherent safety principle:Limit the hazard by minimizing the amount of hazardous material or processes,

    substituting with less dangerous material, moderating the process conditions and

    simplifying the equipment and process- when possible

    Leakage: The term leakage used in risk analyses consists of rupture, major leakage and minor leakage. For piping / pipelines, rupture means full bore rupture, major leakage means a leak area of 1/10 of a full bore rupture, and minor leakage means a leak area of 1/100 of a full bore rupture.

    For large pipes and pipelines, major leak is usually limited to 50 mm. Minor leakage then means 1/10 of that of a major leakage.

    For tanks and vessels, the failure mode rupture means a failure resulting in the sudden release of their entire contents, while the failure mode major leakage means a circular hole of diameter 50 mm. Minor leakage means 1/10 of that of a major leakage.
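The leak-size conventions above are easy to apply inconsistently once the 50 mm cap for large pipes comes into play, so here is an added worked example (not Yara's own code) that turns the definition into leak areas and equivalent hole diameters. The page does not say at which bore a pipe counts as "large"; the example assumes the cap applies as soon as 1/10 of the full-bore area would exceed a 50 mm hole, which is an assumption of this example.

```python
import math

# Handbook convention: for large pipes the major leak is limited to a 50 mm hole,
# and for tanks/vessels the major leak is a 50 mm circular hole.
MAJOR_LEAK_HOLE_MM = 50.0


def circle_area_mm2(diameter_mm: float) -> float:
    """Area of a circular opening of the given diameter, in mm^2."""
    return math.pi * (diameter_mm / 2.0) ** 2


def equivalent_hole_diameter_mm(area_mm2: float) -> float:
    """Diameter of the circular hole with the given area (the usual input to
    release-rate and dispersion calculations)."""
    return 2.0 * math.sqrt(area_mm2 / math.pi)


def pipe_leak_areas_mm2(bore_mm: float) -> dict:
    """Rupture / major / minor leak areas for piping or pipelines of the given bore.

    rupture = full bore; major = 1/10 of the full-bore area; minor = 1/100 of the
    full-bore area. Where 1/10 of the full bore would exceed a 50 mm hole the pipe
    is treated as 'large': major is capped at the 50 mm hole and minor becomes
    1/10 of that major leak. (Using the cap itself as the large-pipe threshold is
    an assumption of this example; the handbook gives only the cap.)
    """
    if bore_mm <= 0:
        raise ValueError("bore must be positive")
    full = circle_area_mm2(bore_mm)
    cap = circle_area_mm2(MAJOR_LEAK_HOLE_MM)
    major = full / 10.0
    if major > cap:
        major = cap            # large pipe: major leak limited to 50 mm hole
        minor = major / 10.0   # minor is then 1/10 of the major leak
    else:
        minor = full / 100.0   # small pipe: minor is 1/100 of full bore
    return {"rupture": full, "major": major, "minor": minor}


def vessel_leak_areas_mm2() -> dict:
    """Leak areas for tanks and vessels: rupture releases the entire contents (no
    hole size applies, hence None), major = 50 mm circular hole, minor = 1/10 of
    the major leak area."""
    major = circle_area_mm2(MAJOR_LEAK_HOLE_MM)
    return {"rupture": None, "major": major, "minor": major / 10.0}


if __name__ == "__main__":
    for bore in (50.0, 100.0, 300.0):
        areas = pipe_leak_areas_mm2(bore)
        print(f"{bore:5.0f} mm pipe: " + ", ".join(
            f"{k} {v:9.1f} mm^2 (d={equivalent_hole_diameter_mm(v):5.1f} mm)"
            for k, v in areas.items()))
    print("vessel:", vessel_leak_areas_mm2())
```

Note that for a 300 mm line the major leak is the 50 mm hole (1963 mm^2) rather than 1/10 of the bore (7069 mm^2); forgetting the cap overstates the major-leak release rate by a factor of about 3.6.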

    LOPA (Layer of protection analysis): Layer of protection analysis (LOPA) is a semi-quantitative tool for analysing and assessing risk. LOPA is a simplified form of risk assessment, as typically "order of magnitude" categories for initiating event frequencies, consequence severity and the likelihood of failure of independent protection layers (IPLs) are taken into account. Using this information, the risk of a scenario is assessed. The method thus falls in between qualitative methods like HAZOP, What-If or FMEA and a quantitative method like QRA.
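The order-of-magnitude arithmetic that the LOPA definition refers to is shown in this added example (not Yara's code). It follows the standard LOPA scheme in which the initiating-event frequency is multiplied by the probability of failure on demand (PFD) of each independent protection layer and by any conditional modifiers; the scenario, its PFDs and the target frequency are constructed for illustration and are not Yara failure data.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One LOPA scenario: an initiating event and the layers credited against it."""
    name: str
    initiating_event_freq: float                   # events per year
    ipl_pfds: list = field(default_factory=list)   # PFD of each independent protection layer
    conditional_modifiers: list = field(default_factory=list)  # e.g. P(ignition), P(occupancy)


def order_of_magnitude(x: float) -> float:
    """Snap a value to the nearest power of ten, the decade categories LOPA works in."""
    if x <= 0:
        raise ValueError("value must be positive")
    return 10.0 ** round(math.log10(x))


def mitigated_frequency(s: Scenario) -> float:
    """Scenario frequency after all credited layers: f_IE * prod(PFD_i) * prod(modifiers)."""
    if s.initiating_event_freq <= 0:
        raise ValueError("initiating event frequency must be positive")
    f = s.initiating_event_freq
    for p in s.ipl_pfds + s.conditional_modifiers:
        if not 0.0 < p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        f *= p
    return f


def risk_reduction_gap(s: Scenario, target_freq: float) -> float:
    """Factor by which the mitigated frequency still exceeds the target (1.0 means
    the target is met). A gap of 10 corresponds to one further layer with PFD 0.1."""
    return max(1.0, mitigated_frequency(s) / target_freq)


def lopa_summary(s: Scenario, target_freq: float) -> dict:
    f = mitigated_frequency(s)
    return {
        "scenario": s.name,
        "mitigated_per_year": f,
        "order_of_magnitude": order_of_magnitude(f),
        "target_per_year": target_freq,
        "meets_target": f <= target_freq,
        "gap": risk_reduction_gap(s, target_freq),
    }


# Constructed sample scenario (illustrative numbers, not Yara data): a control loop
# failure leads to overpressure; the credited layers are an independent high-pressure
# alarm with operator response (PFD 0.1) and a relief valve (PFD 0.01).
OVERPRESSURE = Scenario(
    name="reactor overpressure on control loop failure",
    initiating_event_freq=0.1,
    ipl_pfds=[0.1, 0.01],
)
TARGET = 1e-5  # constructed target frequency for this scenario's consequence class


if __name__ == "__main__":
    for k, v in lopa_summary(OVERPRESSURE, TARGET).items():
        print(f"{k:>20}: {v}")
```

With the constructed numbers the mitigated frequency is 10^-4 per year against a 10^-5 target, so the gap of 10 tells the team that one more independent layer of PFD 0.1 (or a better one) is needed; that is the kind of decision LOPA is meant to support without a full QRA.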

    Loss of containment (LOC): Loss of containment is the top event in a scenario that one aims to prevent from occurring. Examples of LOC are spill of materials, heat radiation, melting of (electrical) isolation

    Lost-time injury (LTI): Injury at work leading to unfitness for work and absence beyond the day of the incident

    Maintainability


    Reliability: The probability that an item will perform a required function, under the stated conditions, for a stated period of time. Since observed reliability is empirical it is defined as the ratio of items which perform their function for the stated period to the total number in the sample.

    Reliability centred maintenance: The application of quantified reliability techniques to optimising discard times, proof test intervals and spares levels.

    Residual risk: The risk remaining after implementing protective measures. It is the residual risk which is estimated in a risk analysis.

    Restricted work case (RWC): Injury at work that does not lead to absence after the day of the incident, because of alternative job assignment.

    Risk: The probability of specific adverse consequences. Risk can thus be considered as a function of probability and consequences and describes the chance of realisation of a hazard.

    Risk analysis: A systematic approach for describing and/or calculating risk. Risk analysis involves the identification of potential undesired events, and the causes and consequences of these events.

    Risk assessment: The process of choosing risk analysis technique(s) and performing risk acceptance criteria and drawing conclusions on the need for risk evaluation.

    Risk contour: Lines that connect points of equal risk around the facility (iso-risk lines)

    Risk evaluation: The process of comparing the results of a risk analysis with risk acceptance criteria and drawing conclusions on the need for risk reduction.

    Risk management: A decision making process where decisions for risk reduction are based on risk analysis and risk evaluation.

    Risk matrix: Matrix for risk acceptance. On the horizontal axis are probabilities of occurrence of accidents; on the vertical axis are consequences.

    Safe failure: Failure which does not have the potential to put the safety system in a hazardous or fail-to-function state

    Safety critical failure: Failure of equipment which is a part of a safety system, and whose failure disables the safety function so that its function cannot be carried out when needed.

    Safety data sheet: A document consisting of HES information following a prescribed national or international format as determined by specific legislation governing the labelling, handling and use of chemical substances and chemical based products.

    Safety function: Function to be implemented by a safety system, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazard.


    Safety integrity: Average probability of a safety related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time

    Safety life cycle: Necessary activities involved in the implementation of safety functions occurring during a period of time that starts at the concept phase of a project and finishes when all of the safety functions are no longer available for use

    Safety management: Systematic measures undertaken by an organisation in order to attain and maintain a level of safety that complies with defined objectives.

    Safety unavailability (SU): SU = 1 - SI (Safety Integrity)

    Security breach: Incidents which are illegal acts that, intentionally or by accident, harm Yara's personnel, property, operations, transport or other interests

    Shut down: Unexpected stop of equipment. Shut downs are either spurious or real

    Sick leave: All absence that is authorized by a doctor's certificate or by legitimate self-declaration. Sick leave does not include carer's leave or maternity leave. Sick leave is recorded in the unit in which the hours worked are recorded.

    Side-on pressure: The pressure that would be recorded on the side of a structure parallel to the blast

    SIL (Safety Integrity Level, according to the standards IEC 61508 / 61511): Discrete level (three normally in use in process industry, 1 lowest, 3 highest) for safety integrity

    Site: Production plant, terminal, warehouse, office.

    SJA: Safe job analysis

    Societal risk: The relationship between frequency and the number of people suffering from a specified level of harm in a given population from the realisation of specified hazards.

    Societal risk criteria: Criteria related to the likelihood of a number of people suffering from a specified level of harm in a given population from the realisation of specified hazards.

    Substandard practice and substandard condition (unsafe act and unsafe condition): A substandard practice (also called unsafe act) refers to a behaviour deviating from an accepted standard, e.g. not following the procedure when carrying out a work task. A substandard condition (also called unsafe condition) refers to a condition which deviates from an accepted standard, e.g. an inadequate guard on machinery.

    Technical safety: Risk reduction by use of technology. By technology is here meant technological knowledge and technical systems

    TNT equivalency model: An explosion model based on the explosion of a thermodynamically equivalent mass of TNT

    Top event: The selected system outcome whose possible causes are analysed in a fault tree

    Transport information: The transport of goods and products is regulated according to international and national legislation and agreements. An assessment has to be made as to whether a particular product is classifiable as dangerous goods or not. If a product is classifiable, then specific transport information has to be entered into the appropriate Yara product SAP database administered by Yara Operational Shared Services (OSS) before the product can be transported either by road, rail, sea/waterways, or air. In addition, it is a legal requirement worldwide that appropriate safety documents are prepared containing safety information about the product to be transported. These documents must accompany the shipment and must be written in appropriate language(s) as stipulated in the international transport regulations.

    Tremcard: Transport emergency information which is legally required to be issued to a transporter of dangerous goods on road, and which shall be available with the driver of the vehicle under Yara's management.

    Trip: As Shut down

    Watchdog: Combination of diagnostics and an output device (typically a switch) for monitoring the correct operation of the programmable electronic device and taking action upon detection of an incorrect operation

    Wind rose: A plan view diagram that shows the percentage of time the wind is blowing in a particular direction

    Worst credible incident: The most severe incident, considering only incident outcomes and their consequences, of all identified incidents and their outcomes, that is considered plausible or reasonably believable.

    Worst possible incident: The most severe incident, considering only incident outcomes and their consequences, of all identified incidents and their outcomes.


    4 Risk, risk analyses and safety studies

    4.1 Risk identification and risk ranking

    Risk identification and (rapid) risk ranking can be performed by use of a risk matrix, where the identified risks are ranked as low, medium and high as shown in the section describing risk acceptance criteria.

    Risks can also be identified by use of check-lists, as described in a subsequent section.

    4.2 Risk acceptance criteria

    The consequences from accidents can be categorized as:

    On-site consequences
    - Fatality of plant personnel
    - Personal injury to plant personnel
    - Equipment damage
    - Product quality damages
    - Business interruption

    Off-site consequences
    - Death or injury for living beings in the nearby community
    - Property damage
    - Business interruption

    Environmental consequences
    - Contamination and damage to nature

    The challenges in a risk evaluation of safety functions are:
    - To study what are the events that can result in unwanted consequences,
    - To estimate the frequency with which they are likely to occur, and
    - To decide how to prevent or mitigate them

    It is possible to design redundancies and multiple independent layers of protection in order to bring the risk to a negligible level. However, it should be remembered that business is about the bottom line, and risk reduction costs money. So a tolerable level of risk should be accepted.

    4.2.1 Acceptance in connection with risk ranking

    For risk ranking, the risk matrix and the consequence class definitions shown in the tables below are used as guidelines for acceptance of on-site risk. Risk ranking is used both for on-site and off-site risk.


    Table 5 Yara Risk Matrix

    Matrix cells: HIGH RISK / MEDIUM RISK / LOW RISK (the colouring of the individual cells is not reproduced in this text version).

    FREQUENCIES (horizontal axis):
    5  VERY FREQ.      > 10 / yr
    4  FREQUENT        > 1 / yr
    3  PROBABLE        > 10^-1 / yr
    2  LOW PROB.       > 10^-2 / yr
    1  UNLIKELY        > 10^-3 / yr
    0  MOST UNLIKELY   < 10^-3 / yr

    CONSEQUENCES (vertical axis):
    5  CATASTROPHIC
    4  CRITICAL
    3  DANGEROUS
    2  SOME DANGER
    1  MINOR DAMAGE

    Table 6 Consequence class definitions

    Categories: LEVELS | HES (PEOPLE) | ENVIRONMENT | MATERIAL VALUES (DESCRIPTION, COST ())

    CATASTROPHIC (5)
      HES (people): Several fatalities
      Environment: Damage with recovery time more than 5 years.
      Material values: Major plant damage, complete demolition of plant; cost > 10M
      International public attention
      Production cessation

    CRITICAL (4)
      HES (people): One fatality
      Environment: Damage with recovery time less than 5 years.
      Material values: Major damage to equipment, break-down of main process equipment like reactors, crackers, pipelines etc.; cost < 10M
      Evacuation of neighbourhood required; national public attention
      Major quality or production loss

    DANGEROUS (3)
      HES (people): Permanent injury
      Environment: Damage with recovery time less than 2 years.
      Material values: Considerable damage to equipment, ruptures etc.; cost < 1M
      Warning of neighbourhood required; local public attention
      Considerable quality or production loss

    SOME DANGER (2)
      HES (people): Medical treatment
      Environment: No durable damages
      Material values: Minor damage to equipment, fire with limited extent, emission of toxic, flammable or hot substances etc.; cost < 0.1M
      Release causing unpleasant smell outside site area
      Small quality or production loss

    MINOR DAMAGE (1)
      HES (people): First aid
      Environment: Insignificant damage
      Material values: Insignificant damage, small emission of water, air, nitrogen, steam etc.; cost < 10.000
      No external reaction
      No quality or production loss

    Typical areas where the risk matrix is recommended for use are shown in the table below.


    Table 7 Typical areas where the risk matrix is recommended for use

    USE OF RISK MATRIX | DESCRIPTION
    1 Identification of safety critical parts in | production system; process unit; main equipment
    2 Identification of risk in fertilizer storages | fire; explosion; decomposition
    3 Identification of risk from process equipment, pipes and pipelines | leakage; fires; explosions; toxic gas release
    4 Identifying needs for safety barriers | preventive: instrument based; mitigating: safety relief devices, gas detection, fire extinguishing, fire walls / cells, bunds
    5 Application on technical installations | fire cells; fire detection

    A form for reporting risk ranking is shown in the table below.

    Table 8 Form for reporting risk ranking

    Ref | Event: Cause | Probability (0-5) | Consequence: Description (1-5) | Comments
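The axis thresholds of the risk matrix (Table 5) and the cost column of the consequence class definitions (Table 6) are reproducible rules, so this added example (not Yara's code) implements them and fills a row of the Table 8 reporting form. The LOW/MEDIUM/HIGH banding of the matrix cells is the colouring of the original figure, which the text does not carry; the example therefore takes the cell banding as a lookup table supplied by the caller rather than inventing one. The event used in the stand-alone run is constructed.

```python
from dataclasses import dataclass, field

# Frequency axis of the Yara risk matrix (Table 5): (lower bound per year, class, label).
# Class 0 (MOST UNLIKELY, < 10^-3 / yr) is the fall-through case.
FREQUENCY_CLASSES = [
    (10.0, 5, "VERY FREQ."),
    (1.0, 4, "FREQUENT"),
    (1e-1, 3, "PROBABLE"),
    (1e-2, 2, "LOW PROB."),
    (1e-3, 1, "UNLIKELY"),
]

CONSEQUENCE_LABELS = {5: "CATASTROPHIC", 4: "CRITICAL", 3: "DANGEROUS",
                      2: "SOME DANGER", 1: "MINOR DAMAGE"}


def frequency_class(events_per_year: float) -> int:
    """Map an accident frequency to the 0-5 probability class of Table 5."""
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    for lower_bound, cls, _label in FREQUENCY_CLASSES:
        if events_per_year > lower_bound:
            return cls
    return 0


def cost_class(cost: float) -> int:
    """Map a material-value loss to the 1-5 consequence class using the COST
    column of Table 6 (> 10M, < 10M, < 1M, < 0.1M, < 10.000)."""
    if cost < 0:
        raise ValueError("cost cannot be negative")
    if cost > 10e6:
        return 5
    if cost >= 1e6:
        return 4
    if cost >= 0.1e6:
        return 3
    if cost >= 10e3:
        return 2
    return 1


def lookup_band(matrix: dict, f_cls: int, c_cls: int) -> str:
    """Read the LOW/MEDIUM/HIGH band for a (frequency class, consequence class)
    cell. `matrix` maps (f, c) -> band and is supplied by the caller from the
    coloured matrix; it must cover all 6 x 5 cells."""
    if not (0 <= f_cls <= 5 and 1 <= c_cls <= 5):
        raise ValueError("class out of range")
    missing = [(f, c) for f in range(6) for c in range(1, 6) if (f, c) not in matrix]
    if missing:
        raise ValueError(f"matrix is missing cells: {missing[:3]}...")
    return matrix[(f_cls, c_cls)]


@dataclass
class RankingRow:
    """One line of the Table 8 form."""
    ref: str
    event_cause: str
    probability: int              # 0-5
    consequence_description: str
    consequence: int              # 1-5
    comments: str = ""
    band: str = field(default="")


def rank_event(ref: str, cause: str, events_per_year: float, description: str,
               cost: float, matrix: dict = None, comments: str = "") -> RankingRow:
    row = RankingRow(ref, cause, frequency_class(events_per_year), description,
                     cost_class(cost), comments)
    if matrix is not None:
        row.band = lookup_band(matrix, row.probability, row.consequence)
    return row


if __name__ == "__main__":
    # Constructed event for the stand-alone run; no matrix banding supplied.
    row = rank_event("R-01", "flange leak on acid line (constructed)", 0.05,
                     "rupture, considerable equipment damage", 5e6)
    print(row, CONSEQUENCE_LABELS[row.consequence])
```

The classes are strict on the boundaries exactly as the tables state them: a frequency of exactly 1 per year is class 3 (it is not "> 1 / yr"), and a loss of exactly 10M is class 4 (it is not "> 10M").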

    4.3 On- site risk acceptance (Yara Green Rule)

    For on- site risk acceptance, the control room criterion applies.

    Control rooms, office buildings etc.: For any control room, office or other building on site where people normally will be present, the aggregate probability of accidents occurring at the facility which will cause destruction beyond repair and / or multiple fatalities inside the building should not exceed 10^-4 per year.

    4.4 Off-site risk acceptance (Yara Green Rule)

    Off-site risk can be presented in two forms: individual risk and societal risk. The individual risk is defined as the chance that a person staying at a fixed location permanently is killed as a result of an accident. Guidelines for acceptance are presented below.

    1 Societal risk, related to F / N curves


    The societal risk describes the frequency of an accident that causes N or more fatalities (F / N curves). The limits for societal risk are set at f = 10^-3 / N^2 as a guideline. For example, this means that accidents causing 20 or more fatalities should not exceed 2.5 x 10^-6 per year.

    Figure 1 Societal risk, F / N curve

    2 Individual risk

    No single residential area or public assembly area should be exposed to fatal exposure levels caused by major accidents at the site with a frequency greater than 10^-5 per year.

    It should be remembered that this is the total risk exposure from the plant, and it cannot be directly applied to risks from single scenarios.
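The three Green Rule criteria in 4.3 and 4.4 are applied to totals over all scenarios, not to single scenarios, which is exactly where hand checks go wrong. This added example (not Yara's code) builds the F/N curve from a list of scenarios and checks it against f = 10^-3 / N^2, and checks the control-room and individual-risk limits against aggregated frequencies. The limit values are those quoted in the handbook; the scenario list is constructed.

```python
CONTROL_ROOM_LIMIT_PER_YEAR = 1e-4     # 4.3: occupied building destroyed / multiple fatalities
INDIVIDUAL_RISK_LIMIT_PER_YEAR = 1e-5  # 4.4: fatal exposure of a residential / public assembly area
SOCIETAL_COEFFICIENT = 1e-3            # 4.4: F/N guideline f = 10^-3 / N^2


def societal_limit(n: int) -> float:
    """Guideline frequency for accidents with N or more fatalities."""
    if n < 1:
        raise ValueError("N must be at least 1")
    return SOCIETAL_COEFFICIENT / n ** 2


def aggregate_frequency(scenario_freqs) -> float:
    """Sum of per-scenario frequencies; criteria apply to this total."""
    freqs = list(scenario_freqs)
    if any(f < 0 for f in freqs):
        raise ValueError("frequencies cannot be negative")
    return sum(freqs)


def control_room_ok(building_scenario_freqs) -> bool:
    """All scenarios that destroy the building or cause multiple fatalities in it."""
    return aggregate_frequency(building_scenario_freqs) <= CONTROL_ROOM_LIMIT_PER_YEAR


def individual_risk_ok(location_scenario_freqs) -> bool:
    """All scenarios giving fatal exposure at one residential / public assembly location."""
    return aggregate_frequency(location_scenario_freqs) <= INDIVIDUAL_RISK_LIMIT_PER_YEAR


def fn_curve(scenarios):
    """scenarios: iterable of (fatalities N, frequency per year) per accident scenario.
    Returns [(N, F(N))] sorted by N, with F(N) = summed frequency of all scenarios
    causing N or more fatalities, which is the definition used in 4.4."""
    scenarios = list(scenarios)
    ns = sorted({n for n, _ in scenarios if n >= 1})
    return [(n, sum(f for m, f in scenarios if m >= n)) for n in ns]


def societal_violations(scenarios):
    """N values at which the cumulative F(N) exceeds the guideline 10^-3 / N^2."""
    return [n for n, big_f in fn_curve(scenarios) if big_f > societal_limit(n)]


# Constructed sample: (fatalities, frequency per year) for four off-site scenarios.
SAMPLE_SCENARIOS = [(1, 5e-4), (5, 2e-5), (20, 2e-6), (50, 1e-6)]


if __name__ == "__main__":
    for n, big_f in fn_curve(SAMPLE_SCENARIOS):
        flag = "VIOLATION" if big_f > societal_limit(n) else "ok"
        print(f"N >= {n:3d}: F = {big_f:.2e} /yr  limit {societal_limit(n):.2e}  {flag}")
    print("control room:", control_room_ok([3e-5, 5e-5]))
    print("individual risk:", individual_risk_ok([4e-6, 3e-6]))
```

In the constructed data the 20-fatality scenario alone (2 x 10^-6 per year) sits under its 2.5 x 10^-6 limit, but F(20) also includes the 50-fatality scenario and comes to 3 x 10^-6, so the curve breaches the guideline; a per-scenario check would have passed it.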


    5 Hazards and consequences related to production activities

    The production processes are highly automated and controlled from control rooms. Dangerous substances are handled in a safe way. But hazards are present since large quantities are involved, often under high pressure or high temperatures.

    Characteristics for the most important production methods are shown in the table below.

    Table 10 Characteristics for the most important production methods

    PRODUCTION | CHARACTERISTIC
    Ammonia production | Based on hydrocarbons. High pressure and temperature. Large amounts of ammonia stored and transported
    Nitric acid production | Based on ammonia. High pressure and temperature
    Ammonium nitrate production | Based on ammonia and nitric acid. Reactors, heaters and tanks with temperature near up to stability point. Large explosion potentials
    CAN production | Based on ammonium nitrate and fillers. Stable substance
    NPK production | Based on nitric acid or phosphoric acid and nutrient salts. Decomposition due to operational failure can cause large toxic releases
    CN production | Based on nitric acid, ammonia and calcium. Decomposition due to operational failure can cause large toxic releases

    The production activities, associated hazards and consequences are shown in the table below. The hazards are of five categories, with regard to risk and safety studies:
    - Fire
    - Explosion
    - Toxic release
    - Decomposition
    - Production shut down

    Production shut down is not listed as a hazard in the table for the different production processes, but it is a following effect for all hazards.

    Consequences can be divided into the following categories:
    - Internal, inflicting on employed and hired people, assets and production regulation
    - External, affecting external people, environment and businesses outside the site

    High internal or external consequences can cause fatalities, lasting environmental effects and large economic losses due to production shut down.

    Hazards and possible consequences for different production activities are shown in the table below.


    Table 11 Production activities, storages, Hazards and Possible Consequences

    Production activity and storage | Hazard | Possible consequences

    Ammonia
    Feed gas transport | Fire, explosion | Internal, high
    Feed gas storage | Fire, explosion | Internal, high
    Production plant incl. noble gas, metals | Fire, explosion, toxic release | Internal, high
    Ammonia pipeline, loading | Toxic release | External, high
    Ammonia storage tanks | Toxic release | External, high
    Ammonia transport | Toxic release | External, high

    Nitric Acid
    NA production plant, incl. N2O4 | Fire, explosion, toxic release | Internal
    NA tanks | Toxic release | Internal
    NA and N2O4 transport | Toxic release, N2O4 explosion | External, high

    Ammonium Nitrate (AN)
    AN plant | Fire, explosion | Internal, high
    AN tanks | Toxic release | Internal
    AN storages | Explosion | External, high
    AN transport | Explosion | External, high

    CAN
    CAN production | Fire | Internal
    CAN storage | Decomposition and toxic release | Internal
    CAN transport | Decomposition and toxic release | External

    NPK
    NPK production plants | Fire, explosion, toxic release | Internal
    NPK storage | Decomposition and toxic release | External
    NPK transport | Decomposition and toxic release | External
    Phosphoric acid production | Toxic release | Internal
    Phosphoric acid tanks | Toxic release | Internal
    Sulphuric acid tanks | Toxic release | Internal

    CN
    CN production plant | Fire, explosion | Internal
    CN storage | Fire, decomposition and toxic release | Internal
    CN transportation | Fire, decomposition and toxic release | Internal

    Urea
    Urea production plants | Fire, explosion | Internal
    Urea storage | No |
    Urea transport | No |

    Power, Control, Utilities, Buildings, Conveyor belts
    Power generation, distribution | Fire, explosion, production shut down | Internal, high
    Control systems | Fire, explosion, production shut down | Internal
    Steam generation | Fire, explosion, production shut down | Internal
    Buildings, structures | Fire | Internal, high
    Conveyor belts | Fire | Internal, high

    Others
    CO2 production | Toxic release | Internal
    CO2 tanks | Toxic release | Internal
    CO2 transport | Toxic release |
    Salt of hartshorn | |
    Coating tanks | Fire | Internal
    Loading stations, formic acid, nitric acid | Toxic release | Internal

    5.1 Hazard identification by Check Lists

    The purposes of checklists are:
    - Identify hazards
    - Identify and check protection
    - Stand alone tool for: audits; safety inspections; small plants
    - Support tool for identifying hazards and needs for protection in: HAZOP; Safe Job Analyses
    - Preliminary mapping (for further risk studies) of: hazards; safety critical parts of process plants

    5.1.1 Simple Check-List

    The table below shows a simple check-list.

    Table 12 Simple checklists

    Hazards | Possible impact (only acute on people)
    1. Collision | people, material values
    2. Falling: A. on the same level | people, material values
               B. to a lower level | people, material values
               C. stumbling | people
    3. Hitting against something | people, material values
    4. Squeezing, pinching | people
    5. Impact: A. from moving object | people, material values
               B. flying object, fragment | people, material values
    6. Contact: A. with sharp object | people
                B. with electric conductor | people
                C. with hot surface / fluid | people
                D. with dangerous chemical (fluid) | people
                E. with corrosive chemicals | people
    7. Exposure: A. to dangerous gas, smoke | people
                 B. to steam | people
                 C. to dust | people
                 D. to dangerous light | people
    8. Choking (reduced oxygen content) | people
    9. Drowning | people
    10. Fire, explosion | people, material values
    11. Radiation | people
    12. Crime | people, material values
    13. Biological threats | people
    14. Flooding | environment, material values
    15. Landslide, avalanche | environment, material values
    16. Release: A. of chemical dangerous for environment | environment
                 B. of oil | environment
                 C. of dust | environment
    17. Collapsing | material values
    18. Late delivery | material values

    5.1.2 Comprehensive checklist

    A comprehensive checklist is shown below. The checklist is divided into the following nine categories:

    1. Materials
    2. Material Handling
    3. Storage
    4. Reactions
    5. Equipment
    6. Instrumentation
    7. Pressure Relief
    8. Utility Systems
    9. Fire Protection

    Under each category several "Items" are listed in the left column with "Subjects to be investigated" in the right column. In some cases several items are to be checked against the same group of subjects. Each item in the left column should be checked against each subject in the right column of the same row.


    Table 13 Comprehensive checklist

    Category / item | Subjects to be investigated

    1. Materials
    Items: Raw materials; Intermediate materials; End products; By-products; Waste
    Subjects: Toxicity, flammability; Reactions, decompositions; Corrosiveness; Long-term storage behaviour; Total amount, possible reductions

    2. Material handling
    Items: Transport, container; Pumping; Road/rail transport; Ship transport
    Subjects: Overfilling protection; Spill collection; Leak detection; Cleaning/inspection; Procedures
    Crane handling | Dropped load and potential targets
    Conveyor belts | Stop devices, guards

    3. Storages
    Items: Storage tanks; Dikes; Storage halls; Silos
    Subjects: Overfilling protection; Fire protection; Explosion venting; Inerting/purging/blanketing; External mech. impact; Cleaning/inspection; Freezing/overheating; Deterioration of contents; Unintentional mixing

    4. Reactions
    Items: Hazardous reactions; Combustible mixtures; Runaway reactions
    Subjects: Wrong materials/contaminants; Wrong proportions; Deviation of process parameters; Unknown kinetics; Pump/agitator failure; Flow blockage; Isolation to stop reaction; De-pressuring/draining to stop reaction

    5. Equipment
    Items: Vessels; Columns; Heat exchangers; Piping; Ducts; Valves; Machinery
    Subjects: Design, size; Material selection (corrosion); Over pressure protection; Level, temperature protection; Reverse flow protection; Emergency isolation (remotely); Emergency de-pressuring (remotely); Vent and drain possibilities; Isolation for maintenance; Potential leaks: glass components, small-bore connections; Inspection and maintenance; Compliance with codes; Certificates
    Piping | Thermal stresses, movement, support, freeze protection, flushing
    Valves | Maintenance: accessibility, bypass and isolation; Fail safe in case of power failure; Function testing; Interlock against unintentional opening/closing
    Heat exchanger | Tube rupture protection
    De-super-heater | Too much/too little cooling liquid flow
    Rotating machinery | Mechanical de-coupling from piping; Safety margin to critical speed; Reverse flow protection; Surge protection (minimum flow); Reaction to sudden power failure/trip; Maintenance: isolation, start-up of

    6. Instrumentation
    Items: Sensors; Signal transmission; Signal processing; Status display; Alarms; Automatic actions; Actuators; Power supply
    Subjects: Function separation (survey, process control, safety); Common cause failures; Redundant systems; Redundant power supplies; Fail safe principle; Spurious trips; Temporary non-availability (repair/calibration); Environmental effects; Classification for hazardous area; Man-machine interface; Procedures for commissioning, operation, maintenance; Reset of trip bypass; Tagging, documentation; Logic charts (cause/effect)

    7. Pressure relief
    Items: Relief valves; Vacuum breakers; Rupture disc; Liquid seals
    Subjects: Installed where required, e.g. on all sections/vessels that can be over-pressurised by equipment malfunction or operator error; Sizing criteria; Safe discharge without personal exposure; Blocking by solids (ice, sediments); Drain points in discharge lines; Maximum back pressure in flare system; Maintenance: testing, repair, written procedure, interlock; Redundancy: spare device
    Liquid seals | Procedure for checking liquid level

    8. Utility systems
    Items: Electric power; Steam; Cooling medium; Heating medium; Air (instrument + plant); Chemicals
    Subjects: Reliability of supply; Normal load/emergency load; Consequences of failure of one utility; Common cause failures; Consequences of failure of several utilities; Fail safe principle; Start-up/shut down; Maintenance/repair without process interruption
    Electric power | Potential ignition source; Classified equipment in hazardous areas
    Steam | Thermal isolation of hot piping; Freeze protection of dead legs; Risk for burns at tap points; Tube ruptures in heat exchangers (pressure/contamination)
    Cooling medium | Tube ruptures in heat exchangers; Freeze protection (if water)
    Chemicals | Maximum delivery pressure relative to design pressure of section into which chemical is injected; Back flow protection; Isolation in emergency

    9. Fire protection
    General measures | Reduce inventory of flammables; Avoid leaks; Avoid ignition sources; Prevent fire propagation; Limit heat load from design fire by spacing; Provide easy access for fire fighting
    Water main | Security of supply (pond, sea, public); Two independent routes of supply; Sectioned ring main; Capacity related to maximum demand scenario; Freeze protection; Low pressure alarm; Procedure for regular testing, including pumps; Pumps protected from fire/explosion; Pump redundancy/inclusive drive and power supply
    Hydrants | Number and location; Maximum distance to object: hose length limitations; Minimum distance to object: heat load
    Sprinklers | Number and location; Hazard category: low/medium/high; Capacity (mm/min = 1/m2 min) according to hazard category
    Water spray cooling | Pressurised storage of flammables; Important structural members; Water impact on all heat exposed sides; Capacity (l/m2s) according to heat flux in maximum scenario
    Foam systems; Water mist systems; Nitrogen, inergen systems; Dual agent systems; Portable systems | Number, type, location; Capacity; Maintenance procedures; Test procedures
    Fire detectors | Number, type, location; Reliability (function on demand); Spurious trips due to open flames, sunlight; Voting logic
    Manual alarms; Alarm system | Number, location; Visual/acoustic alarm in Central Control Room (CCR); Visual/acoustic alarm in plant; Communication CCR/plant and vice versa; Public address system; Telephone, UHF radio; External assistance
    Fire proofing | Important structural members potentially exposed to gas fires, liquid pool fires, and sufficient height above ground. Insulation sufficient to limit steel temperature to < 450C in maximum duration fire
    Liquid drain | Drained away escaped flammable liquid from hazardous area

    5.2 Hazard and Operability Studies (HAZOP)

    This chapter describes HAZOP. The hazard analysis and critical control points (HACCP) [Council Directive No 93/43/EEC9] for food processing is a similar approach. This is not described in this chapter.

    The basic concept of a HAZOP study is to identify hazards which may arise within a specific system or as a result of system interactions with an industrial process. This requires the expertise of a number of specialists familiar with the design and operation of the plant. The team of experts systematically considers each item of the plant, applying a set of guidewords to determine the consequences of operating outside the design intentions. Because of the structured form of a HAZOP, it is necessary that a number of terms be clearly defined; they are given in the table below.

    Table 14 HAZOP terms

    HAZOP term | Explanation
    Cause | Reasons why a deviation might occur.
    Consequence | Result of a deviation
    Deviation | Departure from the design intentions, discovered by systematic applications of the guidewords
    Hazard | Consequence which can cause damage, injury or loss.
    Guideword | Simple word used to qualify the intention and hence deviation.
    Node | In a process the main mode of operation can be examined by working downstream through the plant a node at a time. A node could be a line connecting vessels; it may incorporate a simple vessel such as a heat exchanger. It could be a vessel itself, particularly where some significant process change occurs in the vessel
    Parameter | Variable, components or activity referred to in the study

    The list of guidewords is shown in the table below.

    Table 15 Explanation of guidewords

    Guideword    Explanation
    No / Not     No flow, no pressure, etc.
    More         High flow, high pressure, etc.
    Less         Low flow, low pressure, etc.
    As well as   Material in addition to the normal process fluids.
    Part of      A component is missing from the process fluid.
    Reverse      Reverse flow of process fluids.

    A list of possible parameters is given in the table below:

    Table 16 Possible HAZOP parameters

    Flow             Composition      Measure
    Pressure         Addition         Control
    Temperature      Separation       pH
    Mixing           Time             Sequence
    Stirring         Phase            Signal
    Transfer         Speed            Start / stop
    Level            Particle size    Operate
    Viscosity                         Maintain
    Reaction                          Services
                                      Communication

    As described below, HAZOP is the systematic application of meaningful combinations of guidewords and parameters.


    5.2.1 HAZOP study work process

    HAZOP studies are carried out by multi-disciplinary teams, each member of the team providing either a technical contribution or a supporting role.

    For the HAZOP team the following requirements are mandatory:

    - Thorough knowledge of the actual P&ID
    - Thorough knowledge of operation and maintenance of the process
    - The team is led by a person with thorough experience in the use of HAZOP analysis

    As a minimum the team shall consist of:

    - Safety expert (HAZOP leader)
    - Process expert
    - Operation expert
    - Instrument expert

    It is necessary that the team leader is independent of the task issuer. The leader shall preside over the meetings in such a way that all sides of the questions raised are brought to light. The group must not become absorbed in problems that cannot be resolved in the meeting. The attitude of the team is not only the responsibility of the team leader: the members must also be aware of the danger of taking a defensive attitude towards their own discipline or work field. It can easily happen that people become "plant blind", that is, they lose the ability to see weaknesses in their own process or project, so independent persons should attend. The work periods between breaks should not be too long; more than two hours of continuous work is not recommended, since the process requires alertness and creative thinking.

    For each node the following is clarified in a structured way:

    1. Node number and description
    2. Design intent; description of how the node functions
    3. Deviations
    4. Causes; some can be classified as unrealistic and later rejected
    5. Consequences which cause damage, injury or loss
    6. Existing safeguards to reduce the risk
    7. Recommendations to improve safety, if evaluated to be necessary

    The team goes systematically through the process, applying the guidewords to the parameters in the following recommended order:

    1. Changes in flow
    2. Changes in physical condition
    3. Changes in chemical condition
    4. Start-up and shut-down
    5. Changes in vessel condition
    6. Effluents
    7. Emergencies

    A recommended work process is shown in figure 2 below. Meaningful combinations of parameters and guidewords are shown in table 17.


    Figure 2 Flow diagram for the HAZOP analysis of a node (rendered here as a step list):

    1. Define the node.
    2. Describe and discuss the node; determine the design envelope.
    3. From the description and design, select a parameter.
    4. Combine this parameter with a guideword to form a meaningful deviation.
    5. Seek a possible cause of the deviation and identify the consequences.
    6. Evaluate the safeguards; decide if they are adequate or if a change or further study is needed. Record.
    7. Have all the causes for the deviation been considered? If not, return to step 5.
    8. Does any other guideword combine with this parameter? If so, return to step 4.
    9. Are there further parameters to consider? If so, return to step 3.
    10. Examination of the node is complete.


    5.2.2 Operating procedures

    When a procedural sequence is examined, the parts under examination during the HAZOP are the relevant sequential instructions. In addition to the standard guidewords, "Out of sequence" and "Missing" can be productive. In the list of parameters, the phrase "complete the step" can be used to good effect, as it combines meaningfully with the guidewords No, More, Less, Reverse, Part of, As well as, Out of sequence and Missing.

    A major difference from process studies is that many of the causes of deviation are related to human actions. These may be errors of omission or of commission. Other possible causes include poorly written procedures; difficulties caused by poor layout, bad lighting and parameter indicators with limited or poor ranges; or too many alarms.

    Example. A HAZOP study on an operating procedure is illustrated by the example below. We consider a small batch process for the manufacture of a safety critical component. The component must meet a tight specification in both its material properties and its colour.

    The processing sequence is as follows:

    1. Take 12 kg of powder "A"
    2. Place in blender
    3. Take 3 kg of colorant powder "B"
    4. Place in blender
    5. Start blender
    6. Mix for 15 minutes; stop blender
    7. Remove blended mixture into 3 x 5 kg bags
    8. Wash out blender
    9. Add 50 l to mixing vessel
    10. Add 0.5 kg of hardener to mixing vessel
    11. Add 5 kg of mixed powder ("A" & "B")
    12. Stir for 1 minute
    13. Pour mixture into moulds within 5 minutes

    A HAZOP study is carried out to examine ways in which below-specification material may be produced.

    Recommended actions from a HAZOP of this operation can be:

    - Check quality assurance procedures at the manufacturer
    - Check if powder "A" may be contaminated by spills, leakages or operator errors
    - Discuss if a critical control point should be implemented after step 7
    - Implement a safeguard against adding too much hardener in step 10

    5.2.3 Computer- controlled processes

    It is strongly recommended to use only standardised and well-proven computer systems on safety critical processes. This implies the use of one of the two following systems, depending on process complexity and the hazard potential of the process:

    - A PLC for monitoring, control, sequencing and safety functions
    - Separate control and shut-down systems, with
      - a DCS for alarm, monitoring and control functions
      - a certified shut-down system for safety functions of SIL 1, 2 or 3


    If standard computers are used for process control applications, techniques for avoiding and detecting a failed state, and for acting on it, are embedded. The HAZOP team should decide if:

    - outputs from the computer have to be
      - fail safe, that is, causing valves to go to their safe position, or
      - incremental, that is, causing valves to freeze in their current position
    - a back-up function is needed in case of computer failure, for
      - manual control
      - information
      - safety functions
    - redundancy in the computer system is needed for
      - availability reasons, that is, avoiding a production stop in case of failure of a single computer
      - safety reasons, that is, monitoring by watchdog (or equivalent) and alarm so the operator can take the necessary actions, or SIL 1, 2 or 3 certified computers

    To avoid failures in application software the following shall be applied:

    - verification of the programme by an independent person
    - routines for loop test prior to start-up
    - routines for periodic proof test after operation has started, to detect possible failures which can arise due to changes, maintenance failures or component failures

    Special attention must be paid to sequencing systems, since control of sequential processes is often more complicated than control of continuous processes. Safety critical points are:

    - Operator intervention, such as manual control or bypassing of steps
    - Handling of reset and acknowledge functions and test signals in relation to automatic flags; these must be discussed

    Programmers and operators must participate in the HAZOP meetings.
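The output fail-mode and watchdog decisions listed in this section, modelled as a constructed Python example (added here; it is not code from the handbook or from any Yara control system). Each actuator output is configured either as fail safe (driven to its safe position) or incremental (frozen in place) when the controller is declared failed; an independent watchdog declares the failure when the controller's heartbeat stops, raises an alarm for the operator, and can only be reset after an operator acknowledge, which is the reset / acknowledge handling the section asks the team to discuss. The tags, timings and valve positions are assumptions made for the example.

```python
"""Fail-safe vs. incremental outputs and a watchdog with acknowledge-before-reset.

Added example for section 5.2.3; tags, timings and positions are assumptions.
"""
from enum import Enum


class FailMode(Enum):
    SAFE = "fail safe"          # valve goes to its safe position on controller failure
    FREEZE = "incremental"      # valve freezes in its current position


class Output:
    """One actuator output; position is percent open."""

    def __init__(self, tag, safe_position, fail_mode):
        self.tag = tag
        self.safe_position = safe_position
        self.fail_mode = fail_mode
        self.position = safe_position       # start in the safe state

    def command(self, position):
        self.position = position

    def on_controller_failure(self):
        if self.fail_mode is FailMode.SAFE:
            self.position = self.safe_position
        # FREEZE: hold the last commanded position


class Watchdog:
    """Trips when the controller has not kicked it within `timeout` seconds.

    Time (seconds) is passed in explicitly so the behaviour is deterministic.
    """

    def __init__(self, timeout, outputs):
        self.timeout = timeout
        self.outputs = outputs
        self.last_kick = 0.0
        self.tripped = False
        self.acknowledged = False
        self.alarms = []

    def kick(self, now):
        if not self.tripped:                # a late heartbeat does not clear a trip
            self.last_kick = now

    def check(self, now):
        """Call periodically from an independent timer; returns the tripped state."""
        if not self.tripped and now - self.last_kick > self.timeout:
            self.tripped = True
            self.alarms.append(f"t={now:.1f}s controller heartbeat lost; outputs set to fail mode")
            for out in self.outputs:
                out.on_controller_failure()
        return self.tripped

    def acknowledge(self):
        self.acknowledged = True

    def reset(self, now):
        """Reset is refused until the operator has acknowledged the trip."""
        if not (self.tripped and self.acknowledged):
            return False
        self.tripped = False
        self.acknowledged = False
        self.last_kick = now
        return True


def scenario():
    """Constructed run: heartbeat once per second, controller stalls after t = 3 s."""
    feed = Output("XV-101 feed", safe_position=0, fail_mode=FailMode.SAFE)
    cooling = Output("FCV-201 cooling water", safe_position=100, fail_mode=FailMode.SAFE)
    vent = Output("PCV-301 vent", safe_position=50, fail_mode=FailMode.FREEZE)
    wd = Watchdog(timeout=1.0, outputs=[feed, cooling, vent])

    for t in range(4):                      # healthy operation
        wd.kick(t)
        wd.check(t)
    feed.command(80)
    cooling.command(30)
    vent.command(20)

    healthy_at_3_5 = wd.check(3.5)          # 0.5 s since last kick: no trip
    tripped_at_5 = wd.check(5.0)            # 2 s without heartbeat: trip
    reset_without_ack = wd.reset(5.5)       # refused
    wd.acknowledge()
    reset_after_ack = wd.reset(6.0)         # accepted
    return {
        "healthy_at_3_5": healthy_at_3_5, "tripped_at_5": tripped_at_5,
        "feed": feed.position, "cooling": cooling.position, "vent": vent.position,
        "reset_without_ack": reset_without_ack, "reset_after_ack": reset_after_ack,
        "alarms": list(wd.alarms),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

In the run, the feed valve closes and the cooling water valve opens fully (fail safe) while the vent valve keeps its last position (incremental); in a real system the watchdog timer and the safe-position drive must be independent of the computer they supervise, otherwise the computer failure that stops the heartbeat can also stop the trip.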

    5.2.4 Documentation needed for a HAZOP study

    Necessary documentation to conduct a HAZOP consists of:

    - Process flow diagrams
    - Process and Instrument Diagrams (P&ID)
    - Risk and safety studies (HAZID, RR, QRA)
    - Safety shut-down diagrams
    - Operational and emergency procedures
    - Chemical data sheets
    - Area safety drawings

    5.2.5 Recording of the HAZOP work

    HAZOP reports shall comprise:

    - Reference to P&ID: number, version and date
    - Date when the HAZOP was conducted
    - For each entry, reference to:
      - Process equipment, by functional location
      - Parameter and guideword
      - Cause
      - Possible consequence
      - Action: recommendation to safeguard, or other action or comment
      - Person responsible for carrying out the decided action
      - Time limit for carrying out the decided action

    It is underlined that all guidewords shall be covered in the study. However, not all guidewords have to be reported. Three levels of reporting are possible:

    - record by exception, that is, only when an action results
    - intermediate record, that is, where an action results, where a hazard exists or where a significant discussion takes place
    - full record

    Recording by exception requires an entry only when the team makes a recommendation. This level can be used in existing processes with long operational experience.

    At the intermediate level, a record is generated whenever there is any significant discussion by the team, including those occasions where there is no associated action. These include deviations identified by the team which, though realistic and unanticipated in the original design work, happen to be adequately protected by the existing safeguards. This level is generally recommended.

    In full recording, an entry is included for every deviation considered by the team, even when no significant causes or consequences were found. At this level, each parameter is recorded with each guideword for which the combination is physically meaningful. This level should only be used in process units that need to demonstrate the highest possible standard of safety management.

    But as underlined above, all guidewords have to be discussed. It is assumed that a guideword not reported has been discussed and that no deviation, comment or observation was found.

    A table for recording of HAZOP is shown in table 18 below.

    Table 18 Form for recording of HAZOP

    Node no / description:
    Design intent:
    Project:
    Project phase:
    P&ID (no / title):

    Ref. | Pipe, equipment no | Guideword and deviation | Cause(s) | Consequence(s) | Safeguard(s) | Recommendation(s) | Comment(s)
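The node work process of 5.2.1 (figure 2), the extra procedure guidewords of 5.2.2 and the three reporting levels of 5.2.5, as a constructed Python worksheet helper (added here; not code from the handbook or from Yara). It generates one table 18 entry for every meaningful parameter/guideword combination of a node, lets the team fill in cause, consequence, safeguards and recommendation, filters the worksheet to a reporting level, and lists recommendations that still lack a responsible person or a time limit. The table of meaningful combinations in the code is an illustrative subset assumed for the example; the handbook's table 17 is not reproduced here. The node, tags and findings are constructed sample data.

```python
"""Constructed HAZOP worksheet helper for a single node (added example).

The MEANINGFUL table is an assumption for this example and does not reproduce
the handbook's table 17.
"""
from dataclasses import dataclass

# Table 15 guidewords plus the two extra ones for operating procedures (5.2.2).
GUIDEWORDS = ["No / Not", "More", "Less", "As well as", "Part of", "Reverse",
              "Out of sequence", "Missing"]

# ASSUMPTION: illustrative subset of meaningful parameter/guideword combinations.
MEANINGFUL = {
    "Flow":              ["No / Not", "More", "Less", "As well as", "Part of", "Reverse"],
    "Pressure":          ["More", "Less"],
    "Temperature":       ["More", "Less"],
    "Level":             ["No / Not", "More", "Less"],
    "Composition":       ["As well as", "Part of"],
    "Complete the step": ["No / Not", "More", "Less", "Reverse", "Part of",
                          "As well as", "Out of sequence", "Missing"],
}


@dataclass
class Entry:
    """One row of the table 18 form."""
    node: str
    equipment: str
    parameter: str
    guideword: str
    cause: str = ""
    consequence: str = ""
    safeguards: str = ""
    recommendation: str = ""
    hazard: bool = False        # consequence can cause damage, injury or loss
    discussed: bool = False     # a significant team discussion took place
    responsible: str = ""
    time_limit: str = ""

    @property
    def deviation(self) -> str:
        return f"{self.guideword} {self.parameter.lower()}"


def deviations(node, equipment, parameters):
    """Figure 2 loop: every parameter with every guideword meaningful for it."""
    for p in parameters:
        if p not in MEANINGFUL:
            raise KeyError(f"no meaningful guidewords defined for parameter {p!r}")
    return [Entry(node, equipment, p, g) for p in parameters for g in MEANINGFUL[p]]


def report(entries, level):
    """Filter a worksheet to one of the three reporting levels of 5.2.5."""
    if level == "exception":
        return [e for e in entries if e.recommendation]
    if level == "intermediate":
        return [e for e in entries if e.recommendation or e.hazard or e.discussed]
    if level == "full":
        return list(entries)
    raise ValueError(f"unknown reporting level {level!r}")


def open_actions(entries):
    """Recommendations that still lack a responsible person or a time limit."""
    return [e for e in entries
            if e.recommendation and not (e.responsible and e.time_limit)]


def worked_example():
    """Constructed node: feed line from pump P-101 to vessel V-201 (sample data)."""
    ws = deviations("N-1", "Line P-101 to V-201", ["Flow", "Pressure"])
    by_dev = {e.deviation: e for e in ws}

    e = by_dev["No / Not flow"]
    e.cause = "P-101 trips; XV-101 closed"
    e.consequence = "Loss of feed; heater E-201 overheats"
    e.safeguards = "Low-flow alarm FAL-101"
    e.hazard = True
    e.recommendation = "Add low-flow trip of E-201"
    e.responsible, e.time_limit = "Instrument lead", "Before commissioning"

    e = by_dev["Reverse flow"]
    e.cause = "P-101 stopped while V-201 is at higher pressure"
    e.consequence = "Backflow through P-101"
    e.safeguards = "Non-return valve NRV-101"
    e.hazard = e.discussed = True
    e.recommendation = "Include NRV-101 in the inspection program"
    e.responsible = "Maintenance"          # time limit deliberately left open

    e = by_dev["More pressure"]
    e.cause = "Blocked outlet on V-201"
    e.safeguards = "PSV-201 sized for blocked outlet"
    e.discussed = True                     # adequately protected, no action
    return ws


if __name__ == "__main__":
    ws = worked_example()
    for level in ("exception", "intermediate", "full"):
        print(f"{level:12s}: {len(report(ws, level))} entries")
    for e in open_actions(ws):
        print("open action:", e.deviation, "->", e.recommendation)
```

Generating the rows before the meeting, rather than writing them as the discussion goes, is what makes the "all guidewords shall be covered" rule checkable: an untouched row is a combination the team has not yet discussed, and `open_actions` gives the list of recommendations that cannot be closed out because the responsible person or time limit required by 5.2.5 is missing.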


    5.3 Criticality ranking for maintenance purposes

    This chapter provides guidelines for assessing the risk of failure of plant processing equipment (loss of the equipment's integrity and / or function). This implies that non-processing facilities, like structures, buildings, automobiles, etc. are not dealt with. Nor are occupational health risks, like exposure to noise, burns caused by contact with hot surfaces, etc. The document further does not address risks associated with human errors (possibility of mal-operation) or external risks, like terror attacks, airplanes falling down, cars crashing into plant equipment or the like.

    5.3.1 Purpose of criticality analysis and risk assessment

    The purpose of maintenance is to keep the condition and functionality of the plant's equipment at an acceptable level, as malfunctioning could adversely affect one or more of the following values (in descending order of priority):

    - People's safety and health
    - Environment
    - Product quality
    - Production capability
    - Assets / property

    Some equipment failure scenarios could have impact on all of the above values.

    Other failure scenarios may only affect one or two of them. Some scenarios may have

    big and long lasting consequences whereas others may have smaller impact. Some

    failures are known to happen frequently whereas others only happen once in a blue

    moon.

    The objective of risk assessment is to identify and rank the potential failures, such that the operation, inspection, condition monitoring and maintenance activities can be focused on avoiding events associated with unacceptable risk.

    A plant's organisation should, in general, pay more attention to elements and activities involving high risk than to those involving low or no risk. This is the fundamental idea of so-called Risk Based Maintenance / Inspection / Operation.

    As the loss of, say, 100,000 Euro means more to some production sites than to others, and as local regulations (e.g. allowable emissions) also vary from place to place, the relevant site management must define what is unacceptable for their site.

    This is in principle done in the Business Plan, which outlines the targets for next year's production volumes as well as safety performance, costs, etc. If the Business Plan allows only, e.g., 15 days loss of production, the availability requirement for the respective plant becomes (365 - 15) / 365 = 0.96.

    The Business Plan therefore sets the overall production regularity requirement, and the equipment maintenance program must be designed accordingly within the defined operating and maintenance cost budgets. A maintenance budget normally contains planned activities (like periodic jobs) and unplanned activities (corrective maintenance). Ideally, the corrective maintenance budget should match the plant's total expected (and accepted) monetary risk. The table below illustrates how the corrective maintenance budget could, in principle, be established by use of risk assessment methods:

    Table 19 Illustration of corrective maintenance budget established by use of risk

    Item                Probability of failure   Monetary consequence per failure   Calculated monetary risk (probability x consequence)
    Component A         0.01 per year            100,000                            1,000 per year
    Component B         0.001 per year           2,000,000                          2,000 per year
    Sum = Total plant                                                               Budget for corrective maintenance: Sum = 3,000 per year

    Example 1: A shell and tube heat exchanger contains 500 tubes, and the probability (i.e. frequency) of one tube failing is 0.01 per year (one failure every 100 years). The total frequency of tube failures in this heat exchanger then becomes 500 x 0.01 = 5 per year. If the consequences of a tube rupture are large (e.g. the whole production has to stop because the final product gets contaminated), the risk of failure (consequence x probability) may be considered unacceptably high. Some kind of remedy (e.g. a change to another tube material) should then be evaluated. But if, e.g., the tube side carries the same fluid as the shell side, the immediate consequences of a tube rupture may be minor, especially if the heat exchanger has some surplus capacity. In this case the risk may be regarded as low / acceptable.

    Example 2: Two identical pumps are serving two totally different functions. One is pumping conditioning chemicals into the main process, and the other is pumping water to the toilets on the 2nd floor of the administration building. It goes without saying that the first pump requires more attention (periodic inspection, lubrication, etc.) than the latter. Also, the response upon failure (the corrective action / maintenance) should be prompt in the first case, whereas the toilet pump could wait till after the weekend. The probability of losing the pumping function may be the same for both, but the consequences following a failure may be regarded as critical for one pump and non-critical for the other. Hence, the first pump carries a high risk and the latter a low risk.

    Example 3: Two identical water pumps, one a hot spare for the other. The consequences of losing the pumping function may be severe, and hence this function is seen as critical to the plant operations. But, as the spare pump automatically starts if the first pump fails, the probability of losing the pumping function is very small. (If a standby pump needs a long time to start, it should not be considered a hot spare.) Hence, the risk (consequence x probability, or criticality x likelihood) is low.

    Example 4: Again two identical pumps, one a hot spare for the other, but these are pumping toxic liquid. The pumps are located near the main control room. The pumping function is just as critical to the plant operations as the pumps in example 3. As the liquid is toxic, a potential leak (which is one possible failure) could affect people's safety as well as the environment (especially if the pumps cannot be quickly isolated). The probability of failure may be the same as in example 3, but the risk becomes higher due to the potential safety, environmental and production impact. Hence, these pumps carry more risk than the pumps in example 3, and call for even more attention and closer follow-up through inspection programs.

    The probability of a loss of function depends on the actual equipment and the actual operational conditions.

    In order to get the risk assessment process started, a number of initial and simplifying assumptions may be needed. As and when real-life experience is gathered and systemised, these assumptions, and thereby also the risk assessment, can be adjusted and fine-tuned.

    It is recommended to break the risk assessment into the following steps:

    1. Establish local acceptance criteria for the 5 values (people's safety, environment, product quality, production capability, assets / property). Examples of criteria are given below.
    2. Carry out criticality ranking, i.e. assess the potential consequences of equipment failure as High (3), Medium (2) or Low (1) and classify the equipment accordingly as Critical, Important or General, for all the 5 values.
    3. Carry out RBI, SIL and RCM methods to estimate the probability and the resulting risk of failure (= consequence x probability). Start with the most critical equipment failures.

    This stepwise approach should filter out the non-important matters and set the priorities for developing maintenance plans / programs. Steps 1) and 2) are further described in the following chapters, whereas the methods mentioned under step 3) are covered by separate documents.

    5.3.3 Establishing local acceptance criteria

    As the loss of, say, 100,000 Euro means more to some production sites than to others, and as local regulations (e.g. allowable emissions) also vary from place to place, the relevant site management must define what is acceptable and unacceptable for their plant(s). The table below shows the principal way of assessing consequences.

    Table 20 General consequence classification for maintenance purposes

    Class 3, Critical / High
      Health, safety and environment:
        - Potential for serious personnel injuries.
        - Renders safety critical systems inoperable.
        - Potential for fire in classified areas.
        - Potential for large pollution.
      Production and / or product quality loss (Note 1): Stop in production / significantly reduced rate of production exceeding X hours (specify duration) within a defined period of time.
      Equipment restoring cost (Note 1): Substantial cost exceeding Y Euro (specify cost limit).

    Class 2, Important / Medium
      Health, safety and environment:
        - Potential for injuries requiring medical treatment.
        - Limited effect on safety systems.
        - No potential for fire in classified areas.
        - Potential for moderate pollution.
      Production and / or product quality loss (Note 1): Brief stop in production / reduced rate of production lasting less than X hours (specify duration) within a defined period of time.
      Equipment restoring cost (Note 1): Moderate cost between Z and Y Euro (specify cost limits).

    Class 1, General / Low
      Health, safety and environment:
        - No potential for injuries.
        - No potential for fire or effect on safety systems.
        - No potential for pollution (specify limit).
      Production and / or product quality loss (Note 1): No effect on production within a defined period of time.
      Equipment restoring cost (Note 1): Insignificant cost, less than Z Euro (specify cost limit).

    Note 1: The loss of production and / or product quality should, in monetary value, comply with the corresponding cost limits specified for equipment restoring cost.

    The table below shows a typical application of the guidelines given above.

    Table 21 Example of consequence classification for maintenance purposes

    Class 3, Critical / High
      Health, safety and environment: leakage of
        - hydrocarbons, highly ignitable gases and other flammable media
        - liquid / steam above 50 °C or 10 bar
        - toxic gases and fluids
        - chemicals harmful to the environment
      Production and / or product quality loss: more than 100,000 Euro
      Equipment restoring cost: more than 100,000 Euro

    Class 2, Important / Medium
      Health, safety and environment: leakage of
        - oil, diesel and other less ignitable gases and fluids
        - liquid / steam below 50 °C and 10 bar
        - toxic substances, small volume
      Production and / or product quality loss: between 10,000 and 100,000 Euro
      Equipment restoring cost: between 10,000 and 100,000 Euro

    Class 1, General / Low
      Health, safety and environment: leakage of
        - non-ignitable media
        - atmospheric gases and fluids harmless to humans and the environment
        - media with negligible toxic effects
        - harmless chemicals
      Production and / or product quality loss: less than 10,000 Euro
      Equipment restoring cost: less than 10,000 Euro
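The arithmetic of table 19 and examples 1 to 4 (monetary risk = probability x consequence, n identical items, corrective maintenance budget, availability from the Business Plan) together with the criticality ranking of step 2 using the Euro bands of table 21, as a constructed Python example (added here; it is not code from the handbook or from Yara). The health, safety and environment class is qualitative and is assessed by the team, so the code takes it as a number 1 to 3; the production loss and restoring cost are classified against the table 21 limits, and the item's criticality is the highest class over those values. The scenario data are constructed to reproduce the table 19 rows and example 1.

```python
"""Constructed criticality ranking and monetary-risk budget (added example).

Reproduces table 19 and example 1 and ranks scenarios with the table 21 bands.
Scenario data and the split of consequence into production loss + restoring
cost are assumptions for the example.
"""
from dataclasses import dataclass

DAYS_PER_YEAR = 365


def availability_requirement(allowed_downtime_days):
    """Business Plan: allowed days of lost production -> required availability."""
    return (DAYS_PER_YEAR - allowed_downtime_days) / DAYS_PER_YEAR


def cost_class(amount_eur):
    """Table 21 bands: > 100,000 -> 3, 10,000 .. 100,000 -> 2, < 10,000 -> 1."""
    if amount_eur > 100_000:
        return 3
    if amount_eur >= 10_000:
        return 2
    return 1


def bundle_failure_frequency(n_identical, frequency_each):
    """Example 1: n identical items, each failing with the same frequency."""
    return n_identical * frequency_each


@dataclass
class Scenario:
    item: str
    frequency_per_year: float        # the handbook's "probability (i.e. frequency)"
    hse_class: int                   # 1..3, table 21 HSE column, assessed by the team
    production_loss_eur: float
    restoring_cost_eur: float

    @property
    def consequence_eur(self):
        return self.production_loss_eur + self.restoring_cost_eur

    @property
    def monetary_risk(self):
        """Table 19: probability x monetary consequence, per year."""
        return self.frequency_per_year * self.consequence_eur

    @property
    def criticality(self):
        """Criticality ranking (step 2): highest class over the assessed values."""
        return max(self.hse_class,
                   cost_class(self.production_loss_eur),
                   cost_class(self.restoring_cost_eur))


LABEL = {3: "Critical", 2: "Important", 1: "General"}


def corrective_budget(scenarios):
    """Sum of monetary risks = budget for corrective maintenance (table 19)."""
    return sum(s.monetary_risk for s in scenarios)


def ranked(scenarios):
    """Most critical first; within a class, highest monetary risk first."""
    return sorted(scenarios, key=lambda s: (s.criticality, s.monetary_risk), reverse=True)


def sample_scenarios():
    """Constructed data: table 19 rows, example 1, and an example 4 style pump."""
    a = Scenario("Component A", 0.01, 1, 0, 100_000)
    b = Scenario("Component B", 0.001, 1, 1_500_000, 500_000)
    # Example 1: 500 tubes at 0.01 per tube-year; contamination stops production.
    hx = Scenario("E-301 tube rupture", bundle_failure_frequency(500, 0.01), 1, 20_000, 2_000)
    # Example 4: hot-spared pumps on toxic liquid: low frequency, but HSE class 3.
    p = Scenario("P-401A/B leak (toxic)", 0.005, 3, 5_000, 8_000)
    return [a, b, hx, p]


if __name__ == "__main__":
    scenarios = sample_scenarios()
    print(f"availability requirement for 15 days lost: {availability_requirement(15):.3f}")
    for s in ranked(scenarios):
        print(f"{s.item:24s} class {s.criticality} ({LABEL[s.criticality]:9s}) "
              f"{s.frequency_per_year:7.3f}/yr x {s.consequence_eur:>9,.0f} = {s.monetary_risk:>10,.0f}/yr")
    print(f"corrective budget (table 19 rows only): {corrective_budget(scenarios[:2]):,.0f}/yr")
```

The ranking shows why the two steps are kept separate: the toxic-liquid pumps have a small monetary risk but rank Critical on the HSE class alone, while the heat exchanger carries by far the largest monetary risk yet ranks only Important, because none of its consequence values crosses the class 3 limit.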

    5.3.4 Carrying out the criticality analysis ranking

    Once the criteria in the Consequence Classification matrix are defined, an experienced

    and knowledgeable operator could mark those systems on the P&ID that are potentially

    harmful to people and / or environment with different colours. In doing so, the

    operator will also be able to spot areas of particular concern e.g. areas where a leak

    cannot be easily isolated and where big volumes of toxic / harmful material can be

    released and spread around. Such marking exercise (and associated documentation) will

    be useful if the Company is considering certifying itself according to Environmental

    Management Standards or Process Safety Management Standards, like ISO-14001 and

    OHSAS-18001. (Similarly, marking the systems and equipment which could adversely

    affect the final product quality would help demonstrating overview and control,according to e.g. the ISO-9000 Product Quality Management Standard).

    Unlike nuclear power plants and offshore oil installations, fertiliser plants have few

    duplicated functions i.e. there are no hot spare compressors or heat exchangers.

    There is, however, some duplicated pumps and there are some control valves with

    bypasses that also can be used for control. These could be circled in on the P&ID, and

    marked as areas where the probability of losing the functionality is small.

    All equipment in a plant has an intended function:

    1. A tank's function is to store and contain material
    2. A pipe's function is to transport and contain material
    3. A pump's function is to increase pressure and transport material