loss prevention in chemical plants

May 1999Revised January 2001

Page 1 of 51

LOSS PREVENTION IN CHEMICAL PLANTS

Table of ContentsPage

1.0 SCOPE ................................................................................................................................................... 41.1 Changes .......................................................................................................................................... 4

2.0 LOSS PREVENTION RECOMMENDATIONS ....................................................................................... 42.1 Human Element ............................................................................................................................... 4

2.1.1 Process Safety Management (PSM) System ........................................................................ 42.1.1.1 General ...................................................................................................................... 42.1.1.2 Accountability and Responsibility .............................................................................. 52.1.1.3 Process Safety Knowledge and Documentation ....................................................... 52.1.1.4 Process Safety Review (Process Hazard Analysis) .................................................. 52.1.1.5 Management of Change ............................................................................................ 62.1.1.6 Process and Equipment (Mechanical) Integrity ......................................................... 62.1.1.7 Incident Investigation ................................................................................................. 62.1.1.8 Training and Performance ......................................................................................... 72.1.1.9 Human Factors .......................................................................................................... 7

2.1.1.9.1 Organization ............................................................................................... 72.1.1.9.2 Alarms ......................................................................................................... 82.1.1.9.3 Environmental ............................................................................................. 82.1.1.9.4 Maintenance Operations ............................................................................ 8

2.1.1.10 Standards, Codes and Laws ................................................................................... 82.1.2 Highly Protected Risk (HPR) ................................................................................................. 82.1.3 Principles of Inherent Safety ................................................................................................. 9

3.0 SUPPORT FOR RECOMMENDATIONS ............................................................................................... 93.1 Background Information .................................................................................................................. 9

3.1.1 Process Risk Management Strategies .................................................................................. 93.1.1.1 Tier 1 - Inherent Safety ........................................................................................... 103.1.1.2 Tier 2 - Passive ....................................................................................................... 103.1.1.3 Tier 3 - Active ........................................................................................................... 113.1.1.4 Tier 4 - Procedural ................................................................................................... 113.1.1.5 Summary ................................................................................................................. 12

3.1.2 Process Safety Management .............................................................................................. 123.1.2.1 Accountability and Responsibility ............................................................................ 12

3.1.2.1.1 Example: Liquefied Petroleum Gas (LPG), Mexico City, Mexico ............. 133.1.2.1.2 References ............................................................................................... 13

3.1.2.2 Process Safety Knowledge and Documentation ..................................................... 133.1.2.3 Process Safety Review (Process Hazard Analysis) ................................................. 15

3.1.2.3.1 Examples .................................................................................................. 163.1.2.4 Process Risk Management ..................................................................................... 17

3.1.2.4.1 Case Study ............................................................................................... 173.1.2.4.2 HPR Requirements ................................................................................... 20

3.1.2.5 Management of Change .......................................................................................... 203.1.2.5.1 Change in Technology .............................................................................. 203.1.2.5.2 Changes in Facilities ................................................................................ 213.1.2.5.3 Changes in Personnel .............................................................................. 213.1.2.5.4 Examples .................................................................................................. 213.1.2.5.5 References ............................................................................................... 23

FM Global 7-43Property Loss Prevention Data Sheets 17-2

2000 Factory Mutual Insurance Company. All rights reserved. No part of this document may be reproduced,stored in a retrieval system, or transmitted, in whole or in part, in any form or by any means, electronic, mechanical,photocopying, recording, or otherwise, without written permission of Factory Mutual Insurance Company.

3.1.2.6 Process and Equipment (Mechanical) Integrity ...................................................... 233.1.2.6.1 Reliability Engineering .............................................................................. 233.1.2.6.2 Materials of Construction and Fabrication ................................................ 243.1.2.6.3 Installation Procedures ............................................................................. 243.1.2.6.4 Preventive Maintenance ........................................................................... 243.1.2.6.5 Demolition Procedures ............................................................................. 25

3.1.2.7 Incident Investigation ............................................................................................... 253.1.2.7.1 Basic Elements ......................................................................................... 253.1.2.7.2 Incident Investigation Concepts ............................................................... 263.1.2.7.3 Investigative Techniques ........................................................................... 263.1.2.7.4 Example .................................................................................................... 27

3.1.2.8 Training and Performance ....................................................................................... 283.1.2.8.1 Example: Three Mile Island ...................................................................... 293.1.2.8.2 References ............................................................................................... 29

3.1.2.9 Human Factors ........................................................................................................ 293.1.2.9.1 Human Behavior ....................................................................................... 303.1.2.9.2 Human/Machine Interface ........................................................................ 313.1.2.9.3 Work Environment .................................................................................... 323.1.2.9.4 Human Factor in Maintenance Operations .............................................. 323.1.2.9.5 References ................................................................................................. 32

3.1.2.10 Standards, Codes, and Laws ................................................................................ 333.1.2.11 Audits and Corrective Actions ................................................................................ 33

3.1.2.11.1 PSM Audit Preparation ........................................................................... 343.1.2.11.2 PSM Audit Techniques ............................................................................ 35

3.1.2.12 Emergency Response Planning ............................................................................ 363.1.3 Concepts of Highly Protected Risk ..................................................................................... 37

3.1.3.1 Requirements to Achieve HPR Status .................................................................... 373.1.3.1.1 Integrated PSM System ........................................................................... 373.1.3.1.2 Management Commitment and Oversight ............................................... 383.1.3.1.3 Instrumentation and Process Control ....................................................... 383.1.3.1.4 Operator Training and Empowerment ...................................................... 383.1.3.1.5 Vessel, Piping and Reaction Overpressure Protection ............................ 383.1.3.1.6 Maintenance, Inspection, and Testing programs ...................................... 393.1.3.1.7 Adequate and Reliable Water Supply and Delivery System .................... 393.1.3.1.8 Ignition Source Control ............................................................................. 393.1.3.1.9 Adequate Spacing of Buildings, Process Units and Tanks ...................... 393.1.3.1.10 Emergency Response and Post-loss Contingency Plans ...................... 403.1.3.1.11 Testing and Understanding of Process Chemistry ................................. 403.1.3.1.12 Adequate and Reliable Fixed Suppression Systems ............................. 403.1.3.1.13 Drainage and Containment Systems ..................................................... 413.1.3.1.14 Equipment and Structural Steel Fire Protection ..................................... 413.1.3.1.15 Damage Limiting and Noncombustible Construction ............................. 423.1.3.1.16 Combustible Gas Detection .................................................................... 423.1.3.1.17 Inerting and Purging Systems ................................................................ 423.1.3.1.18 Barriers and Barricades .......................................................................... 423.1.3.1.19 Protection Against Natural Perils ............................................................ 43

3.1.4 Concepts of Inherent Safety ............................................................................................... 433.1.4.1 Intensification ........................................................................................................... 433.1.4.2 Substitution .............................................................................................................. 433.1.4.3 Attenuation ............................................................................................................... 443.1.4.4 Limitation of Effects ................................................................................................. 443.1.4.5 Simplification/Error Tolerance .................................................................................. 45

4.0 REFERENCES ..................................................................................................................................... 454.1 FM Global ...................................................................................................................................... 45

APPENDIX A GLOSSARY OF TERMS ..................................................................................................... 45APPENDIX B DOCUMENT REVISION HISTORY ..................................................................................... 45

7-4317-2 Loss Prevention in Chemical PlantsPage 2 FM Global Property Loss Prevention Data Sheets

2000 Factory Mutual Insurance Company. All rights reserved.

APPENDIX C: INTERNATIONAL ORGANIZATIONS AND REGULATORY CODESOVERSEEING CHEMICAL PLANT PROCESS SAFETY ................................................ 45

C.1 Mandatory Regulations Covering PSM and Related Chemical Industry Safety Oversight .......... 45C.1.1 Europe ................................................................................................................................ 46C.1.2 United States ...................................................................................................................... 46

C.1.2.1 Occupational Safety and Health Administration ..................................................... 46C.1.2.2 Environmental Protection Agency ........................................................................... 47

C.2 Voluntary Chemical Industry Programs ........................................................................................ 48C.2.1 Responsible Care ........................................................................................................... 48C.2.2 International Safety Rating System (ISRS) ......................................................................... 48

C.3 Other Sources for Chemical Process Safety Guidelines .............................................................. 49C.3.1 Australia .............................................................................................................................. 49C.3.2 Canada ............................................................................................................................... 49C.3.3 India .................................................................................................................................... 49C.3.4 Far East .............................................................................................................................. 49C.3.5 South America .................................................................................................................... 49C.3.6 United Kingdom .................................................................................................................. 49C.3.7 United States ...................................................................................................................... 49

APPENDIX D BIBLIOGRAPHY ................................................................................................................. 50D.1 Process Safety and Risk Management ........................................................................................ 50D.2 Highly Protected Risk Guidelines for Chemical Industry .............................................................. 50D.3 Concepts of Inherent Safety ......................................................................................................... 50D.4 Preventive Maintenance ............................................................................................................... 51D.5 Chemical Hazard Information ....................................................................................................... 51

List of TablesTable 1. Comparison of OSHA and EPA Thresholds of the More Common Hazardous Chemicals .......... 47

7-43Loss Prevention in Chemical Plants 17-2FM Global Property Loss Prevention Data Sheets Page 3


1.0 SCOPE

This data sheet describes general principles and concepts of chemical risk loss prevention and the mini-mum requirements for a chemical operation to qualify as a Highly Protected Risk (HPR). Other FM Globaldata sheets, listed in Appendix D.2, provide specific guidance on protection concepts and design require-ments within this HPR framework.

An HPR chemical facility is one that meets the highest standards of property loss prevention including man-agement commitment, process control, fixed active and passive protection where needed, and employeetraining and awareness.

Process Safety Management (PSM) as a way of conducting business has been developed over many yearsto guide the chemical process industry toward safer facilities before being adopted by various regulatoryagencies. It can and should be considered the foundation of all loss prevention activities in this industry aswell as related industries with hazardous chemical processes. Process safety management is a neces-sary component of an HPR facility to minimize or prevent episodic releases or events that can cause propertydamage and business interruption.

A number of U.S. national and state regulations, as well as those of the European Union and other interna-tional regulators, have adopted PSM in one form or another. (Highlights of some of these regulations arein the Appendix.) This data sheet is not meant to address issues associated with regulatory compliance butalso does not introduce any conflicts with these regulations.

As a fundamental subset of PSM and HPR concepts, principles of inherent safety, as they apply to the chemi-cal industry, are also discussed. Practicing the concept of inherent safety can significantly reduce the overallrisk of a hazardous plant or process.

The concepts of Highly Protected Risk, process safety management, and inherent safety are all interre-lated and apply to chemical facilities as well as non-chemical facilities with chemical processes. The levelof detail to which PSM principles are implemented is in proportion to the level of hazard of the operation. PSMprinciples are not a cookbook to be followed but a philosophy to be applied according to need.

1.1 Changes

September 2000. This revision of the document has been reorganized to provide a consistent format.

2.0 LOSS PREVENTION RECOMMENDATIONS

2.1 Human Element

2.1.1 Process Safety Management (PSM) System

2.1.1.1 General

2.1.1.1.1 Chemical plants and hazardous chemical operations in other plants should have a process safetymanagement system in place to ensure that the following (or equivalent) elements* of process safety areintegrated into plant operations:

a) Accountability and Responsibility

b) Process Safety Knowledge and Documentation

c) Process Safety Review (Process Hazard Analysis)

d) Process Risk Management

e) Management of Change

f) Process and Equipment (Mechanical) Integrity

g) Incident Investigation

h) Training and Performance

i) Human Factors

j) Standards, Codes, and Laws



k) Audits and Corrective Actions

l) Emergency Response Planning

* These 12 elements are based on the Center for Chemical Process Safety (CCPS) Plant Guidelines for Tech-nical Management of Chemical Process Safety. Other guidelines are equivalent and can be substituted.A list of CCPS and other references on PSM is provided in Appendix D, Bibliography.

2.1.1.2 Accountability and Responsibility

Key components of this element are a policy statement; management commitment; procedural requirements;and a performance measurement.

2.1.1.2.1 Management should develop a written policy statement that clearly defines process safety andloss prevention as a priority that is shared by management as well as plant operations personnel. The state-ment could include a Process Safety Management organization chart that clearly shows positions, lines ofauthority, and process safety functional titles. The policy statement should receive broad distribution to all sec-tors of the organization, backed by genuine management interest in loss prevention. The statement andorganizational chart should be reviewed regularly and updated as needed to reflect things such as manage-ment changes within the facility.

2.1.1.2.2 The facilitys PSM program should have procedures to resolve safety and loss prevention con-cerns that arise from new design, HAZOP reviews, Management of Change (MOC) issues, etc., and shouldinclude input from operations employees, where appropriate. These procedures should designate a personor position that is responsible for achieving resolution.

2.1.1.2.3 A program should be in place to track how well safety and loss prevention concerns are resolved.Of particular interest are those concerns that were not easily resolved. This could be as simple as a monthlyreport of the status of unresolved issues sent to a designated responsible person as indicated by theorganizational chart or plant procedures.

2.1.1.3 Process Safety Knowledge and Documentation

2.1.1.3.1 The organization should assign responsibility for maintaining key material and process hazard infor-mation, design basis information, design standards, electrical area classifications, key design decisions,alternate process considerations, and basic operation and maintenance procedures for all chemical pro-cesses. Documents also would also include accident investigations, causes and corrections as well as recordsof process, equipment and maintenance changes.

2.1.1.3.2 All processes should have detailed written procedures that document normal operating proce-dures, as well as start-up, shutdown and abnormal situations. These procedures should be kept up-to-dateand written in such manner as to be understood by all operating personnel. Should the facility be multilin-gual, procedures should be maintained in separate form for each language. Any changes to the documentedprocedures should follow the Management of Change procedures of the PSM program. Operator involve-ment in writing the procedures will ensure comprehensive detail in the procedures.

2.1.1.3.3 A periodic review or audit should be performed for all written procedures to ensure they remaincurrent.

2.1.1.4 Process Safety Review (Process Hazard Analysis)

2.1.1.4.1 The following are considered a minimum to meet the Process Safety Review requirements in aneffective program based on PSM principles:

a) Collaboration between process and loss prevention specialists at the concept stages of a project.

b) Agreement on a protection philosophy with special consideration given to inherently safe design insite selection, construction and protection features.

c) Conduct a detailed process safety review using a recognized methodology (HAZOP, Checklist, FEMA,etc.) at an early stage in the project. The review should be updated whenever process changes are madeand a complete re-evaluation made on a regular basis (about 5 yr. intervals).



2.1.1.5 Management of Change

2.1.1.5.1 Management should establish and implement written procedures to manage change in technol-ogy, facilities and personnel. These procedures should be flexible enough to accommodate both major andminor changes and should be understood and used. These procedures should:

a) Provide a method for identification of changes that should be subject to MOC procedures.

b) Provide for documentation of the process and mechanical design basis for the proposed change.

c) Provide an analysis of the loss prevention considerations involved in the proposed change, includinga formal process hazards review, if appropriate. The effects of the proposed change on separate butinterrelated upstream or downstream facilities also should be reviewed.

d) Identify the need for modifications of the operating procedures, updating P&IDs, updating personneltraining, etc.

e) Provide for communication of the proposed change and the consequences of that change to appropriatepersonnel such as maintenance engineers, operators, safety, and emergency response staff.

f) Establish administrative procedures needed (documentation, checklists that cover hazards, records ofpersonnel skills, responsibilities and training.)

g) Provide for tracking of and limiting the duration of any temporary change.

h) Identify the required authorizations.

2.1.1.5.2 A qualified member of the plant loss prevention, safety, or engineering staff should be assignedto communicate changes to the FM Global specialist where appropriate. This individual should ensure thatall plant personnel follow accepted methods for management of change, and that the FM Global specialist isnotified at the earliest stages of significant changes, to allow for proper consideration of the loss preventionaspects.

2.1.1.6 Process and Equipment (Mechanical) Integrity

2.1.1.6.1 To implement this element of PSM, programs should be in place to address the following:

a) Reliability Engineering Tracking and evaluating of individual equipment and processes to preventunexpected incidents throughout its lifetime.

b) Materials of Construction and Fabrication Ensuring that equipment is built according to appropri-ate standards with materials appropriate to the service conditions with appropriate supportingdocumentation.

c) Installation Procedures Planning quality control, inspection and pre-startup integrity testing to ensureinstallation in accordance with specifications and direction of the manufacturer. Poor installation caninvalidate a good design.

d) Preventive Maintenance Documenting procedures to ensure that maintenance is completed onschedule, unscheduled work is properly authorized and completed without introducing additional haz-ards, and records are maintained and evaluated to identify future needs. This would include acomprehensive vessel and piping inspection program, as well as instrumentation inspection, testing andcalibration.

e) Demolition Procedures Documenting methods to isolate, remove and dispose of obsolete orunneeded equipment without creating unnecessary hazards.

2.1.1.7 Incident Investigation

2.1.1.7.1 The corporation should have a system based on PSM principles that requires that incidents berecorded and investigated. The investigation methods should consist of the basic elements outlined above,and records should be kept detailing each incident, the level and results of the investigation and the statusof any findings or recommendations developed.



2.1.1.7.2 Management should make use of all incident investigations and near-misses to evaluate recur-rences. Action should be taken to eliminate the source of error, either through system redesign or additionaltraining. Important lessons learned in these investigations should receive wide distribution to interested andaffected parties.

2.1.1.8 Training and Performance

2.1.1.8.1 Operators should be fully trained in the normal operation of the facility, as well as the appropriateaction for each alarm condition. Since every process excursion cannot be detailed, the operators shouldbe trained in diagnostic and troubleshooting skills to facilitate an orderly correction. For the most critical appli-cations (i.e., nitrations, some polymerization and other highly reactive systems) use of a process simulatorfor training purposes is strongly suggested. If a simulator is to be used, the control panel and instrumentationshould be designed to match the actual equipment that will be used in the operation.

2.1.1.8.2 When either temporary or permanent changes are made to a process, the process documenta-tion and drawings should be updated prior to implementation of the changes. All employees whoseresponsibilities involve the affected area should be retrained in the new process parameters and safe work-ing conditions. This will allow integration of the new procedures into the day-to-day functioning of the facility.

2.1.1.8.3 Special care must be taken when critical actions are infrequently completed in the normal courseof operations. Actions such as responding to infrequent critical alarms may result in catastrophic events if theresponse is incorrect. In these cases, frequent retraining is needed.

2.1.1.8.4 Training should be mandatory for contract employees working in the area so they may performin a safe and effective manner. Training for contract employees may need to be as stringent as for operators.

2.1.1.8.5 A comprehensive retraining program should be in place for all operating personnel. The time inter-val for retraining will vary depending on the criticality of the process and number of changes made.Management should have a formal method to determine retraining frequencies.

2.1.1.8.6 A formal method for evaluating the effectiveness of the training program should be developed.This may be a written test, hands-on demonstration, simulation or an extended period of on-the-job train-ing. A feedback mechanism should be established to inform the operator of areas requiring further study andimprovement. Records should be kept of these evaluations to facilitate improving the method of trainingemployees.

2.1.1.9 Human Factors

2.1.1.9.1 Organization

2.1.1.9.1.1 The plants program should have written guidelines requiring that all new processes incorpo-rate fundamental concepts of human factor engineering beginning with the design phase of the project. Ifhuman factor specialists are not available in-house, consideration should be given to retaining outsidespecialists to assist in this area.

2.1.1.9.1.2 Human factor elements should be incorporated into existing processes, if economically viable,whenever changes or improvements are being planned.

2.1.1.9.1.3 HAZOP reviews should specifically explore human factor issues to determine if appropriate designhas been included.

2.1.1.9.1.4 Each of the above activities should include input from operating personnel to ensure thatday-to-day operating knowledge is incorporated into the proposed improvements.

2.1.1.9.1.5 Management should create an environment where process safety is paramount above produc-tion demands. Operators should be empowered to invoke a controlled shutdown of a process if operatingconditions indicate an imminent loss-of-control situation. A written statement to this effect, signed by seniorplant management, should be posted in the control rooms.

2.1.1.9.1.6 If staff reductions are anticipated, managements commitment to safety and loss preventionshould remain paramount. Special attention is needed during these times to ensure that operating personnelremain motivated to perform their functions in a consistent and safe manner.



2.1.1.9.2 Alarms

2.1.1.9.2.1 All alarms should be ranked according to severity and displayed visually and audibly in this orderto avoid alarm overload during an actual emergency.

2.1.1.9.2.2 Critical alarms should be grouped separately from information only alarms. Audible and visualalarms should be distinctly different for these type alarms so that priority can be given to critical alarms.

2.1.1.9.2.3 Critical process information should be easily accessible on the control panel so that an exces-sive number of screen changes will not be required to understand the information in an emergency situation.

2.1.1.9.2.4 Critical process information and alarms should be logged, by computer or manually as appro-priate, and maintained for a reasonable period of time to aid in incident investigation or future processimprovements.

2.1.1.9.2.5 The operator should have a proactive role in the monitoring and control of process variables,rather than simply waiting for alarm conditions to sound. This will encourage the operator to be familiar withthe process data and facilitate an appropriate response in an emergency situation.

2.1.1.9.3 Environmental

2.1.1.9.3.1 Optimal performance occurs when environment factors are within specific boundaries. Properclothing should be available for employees whose work is outside a climate-controlled environment.

2.1.1.9.3.2 For areas having excessive noise, proper hearing protection should be provided and a methodof communications established when vocal communication is not feasible.

2.1.1.9.3.3 Proper lighting should be provided in all operations areas, and most importantly in control rooms,to ensure that controls and process equipment are visible.

2.1.1.9.4 Maintenance Operations

2.1.1.9.4.1 All maintenance operations that may adversely impact the safe operation of a process or pro-duction facility should require written authorization. Included in this authorization is notification to all areas ofthe facility that will be impacted by the work. In most cases, operations will need to be stopped or bypassed,to allow safe work in the area. All such process modifications should be thoroughly studied to determinethe ramifications of the process change.

2.1.1.10 Standards, Codes and Laws

2.1.1.10.1 The organization should define the minimum codes, standards and laws that will be applied formaintaining an acceptable level of safety.

2.1.1.10.2 Responsibility should be assigned to ensure all codes, standards and regulations (internal orexternal) are maintained current and are available to those needing to use them.

2.1.1.10.3 A variance procedure should be developed that can be applied when an alternative to an existingcode is to be used.

2.1.2 Highly Protected Risk (HPR)

A Highly Protected Risk (HPR) level of loss prevention based on FM Global data sheets and industryguidelines should be the goal at chemical risks. (See also Section 3.1.3)

2.1.2.1 An HPR chemical risk is one that meets all of the following minimum guidelines:

a) A fully integrated system based on PSM principles at a level appropriate to the hazards.

b) Management commitment and oversight including early involvement of FM Global specialists at anearly stage of all projects.

c) Adequate process control and safety instrumentation.

d) Operator training and empowerment adequate for the process complexity.

e) Piping and vessel overpressure protection for the hazards that exist.

f) Maintenance, inspection, and testing programs covering all critical equipment and instrumentation.



g) An adequate and reliable water supply and delivery system.

h) Ignition source control.

i) Adequate spacing of buildings, process units and tanks.

j) Emergency response and post-loss contingency plans.

k) Testing and understanding of process chemistry.

Where needed based on hazard an HPR chemical risk also incorporates the following features:

l) Adequate and reliable fixed suppression systems.

m) Drainage and containment systems.

n) Fire protection of structural steel.

o) Damage limiting and noncombustible construction.

p) Combustible gas detection.

q) Inerting and purging systems.

r) Barriers, barricades and/or distance separation.

s) Protection against natural hazards.

2.1.3 Principles of Inherent Safety

2.1.3.1 Principles of Inherent Safety should be applied where possible when designing or improving chemicalplant processes. Inherent safety (see also Section 3.1.4) includes the following general principles:

a) Intensification using smaller amounts of a hazardous substances.

b) Substitution replacing a hazardous chemical with a non-hazardous or less hazardous one.

c) Attenuation using less hazardous process conditions or a less hazardous form of a material.

d) Limitation of effects designing a facility to minimize the impact of a release of hazardous materialor energy, for example by sufficient spacing or more resistant construction.

e) Simplification/error tolerance designing a facility so that operating errors are less likely or the processis more forgiving if errors are made.

3.0 SUPPORT FOR RECOMMENDATIONS

3.1 Background Information

In the following sections, concepts and strategies for risk reduction in the chemical industry are discussed.These include approaches to loss prevention using:

a) CCPS four-tiered Process Risk Management Strategy.

b) CCPS systematized Process Safety Management approach.

c) FM Global concepts of a Highly Protected Risk.

d) Concepts of Inherent Safety.

3.1.1 Process Risk Management Strategies

The CCPS four-tier safety strategy for reducing risk in a chemical facility includes inherent safety, passivesafety, active safety, and procedural safety.

These strategies are listed in preferred selection order as a loss prevention technique. By using this methodwhen designing a plant, one would approach the safety aspects by applying these strategies starting withan inherent safety concept, followed by passive protection where still needed, followed by active systems, andthen by procedural or administrative systems as needed. The techniques that are lower on the list are lesseffective in preventing losses.



3.1.1.1 Tier 1 - Inherent Safety

The first tier and most preferred approach to chemical plant loss prevention is Inherent Safety (IS). Inher-ent safety is defined as eliminating the hazard through intensification, substitution, attenuation, limitation ofeffects, or simplification/error tolerance. Refer to Section 3.1.4 for a full discussion on inherent safety con-cepts including definitions of these terms. The intent of applying inherent safety is to eliminate the need foradd-on layers of passive, active, or procedural protection, which have to function as designed to limit theeffects of a loss.

Examples of implementing inherent safety would be:

substitution of water for process cooling in place of a combustible thermal oil.

substitution of a non-flammable solvent for a flammable solvent, for example using supercritical carbondioxide in place of hexane for extraction.

through chemical research, replacing a high pressure process using extremely reactive materials in a flam-mable solvent with an atmospheric pressure process using non-flammable solvents in a reaction that isincapable of generating any pressure in the event of a runaway reaction.

storing flammable gases such as ethylene in low pressure refrigerated tanks rather than pressurized tanks.

In these examples, the revised cooling and extraction systems represent no fire hazard. They require nofixed fire protection with its installation, maintenance, and testing costs. With the new reaction system, thereis no potential for overpressure because of the chemistry of the process, and the physical characteristicsof the materials have no need for costly and failure-prone add on controls, emergency relief devices or reac-tor strengthening. Finally, with the refrigerated storage, the amount of vapor produced in the event of anunexpected release of the liquid will be minor compared to a similar event with pressurized storage.

Note that there may be tradeoffs when applying IS techniques or any of the four strategies. The water cool-ing system is more susceptible to freezing and may need more cold weather protection than a thermal oilsystem to prevent a costly freeze damage loss. The CO2 extraction system requires extremely high pres-sures and process equipment will be susceptible to overpressurization, requiring add on passive or activeprotection or procedural controls. The reaction system might require use of a corrosive material that couldcause long term building damage, requiring costly steel protection or maintenance. The economics and over-all risk reduction for all approaches, all of which carry risks, need full evaluation.

The potential for risk reduction through use of inherent safety is most feasible very early in the design pro-cess. To affect the chemistry of the process may require years of experimental work. Other more tolerantchanges and safety improvements may be made during plant design.

While opportunities to apply inherent safety concepts should always be explored, there will always besituations where other risk management strategies may need to be employed.

3.1.1.2 Tier 2 - Passive

The next tier, and the next in safety selection preference is the passive approach. A passive approach isone that requires no mechanical device or system to actively function to limit or prevent the loss. A passiveapproach also can be one that stores or uses hazardous materials in a form or state that is as benign aspossible.

For example, after a process review it is determined that water cooling cannot be used and the processrequires a reaction that is capable of generating 50 psig in the event of a runaway reaction.

If a combustible thermal oil must be used for cooling, a passive approach would attempt to use an oil withthe most benign properties and under the lowest temperature and pressure as possible. Further, this approachwould limit the amount of potential oil released by eliminating bulk storage of material within the unit and siz-ing the coolant feed system to the minimum flow requirement. Finally, in the event of spill, the process areawould be designed for rapid drainage and building steel fireproofing rather than placing reliance on (active)fixed fire suppression systems that may fail.

In the case of the reactor system, instead of relying on an active system such as a safety relief valve to pro-tect the reactor in the event of a runaway, a passive approach would be to design the reactor to containthe maximum expected overpressure.



Some additional examples of a passive approach are: diking and containment systems; fire barriers; blastresistant construction; using stainless steel in place of plastic in corrosive environments; proper spacing ofbuildings, vessels and process units; plant design to prevailing meteorological or geological hazard; enclosingplastic electric cables in metal conduit; processing potentially combustible dusts as a slurry, etc.

The single most favorable aspect of a passive approach is its performance reliability. Because it is not anactive system, it is not prone to failure unless process conditions or materials are changed withoutcommensurate improvements to the passive system.

3.1.1.3 Tier 3 - Active

The next tier, and the next in safety preference is the active approach. An active strategy is one that requiresa mechanical device or protective system to actively detect and respond to limit or prevent the loss. An activesystem must be:

reliably designed to work when intended

installed according to strict installation rules

maintained and tested over its entire life.

Because of this, an active system is more prone to failure than a passive system and may cost more overthe life of the plant. Active systems are also known as engineered controls.

In a previous example, if the thermal oil system is used under more hazardous operating conditions or thedrainage and fire proofing systems are lacking, insufficient, or too costly to retrofit, then an active fixed watersuppression system becomes the protection device of choice. This system must be properly designed andmaintained and tested over its entire life to be considered reliable and effective. Once activated, more dam-age will occur than with a passive system because the fuel (thermal oil) is not removed by drainage, thebuilding steel is not protected against radiant heat (and may structurally fail), and the water system itself maycause damage to sensitive instrumentation. Finally, if the suppression system should fail, always a possibil-ity, reliance for protection becomes dependant on the fourth tier, procedural or administrative controls. Ifreliance on procedures (i.e., manual response) is needed, a significant increase in damage will usually occurdue to delayed response.

In the reactor example, an active (engineered) approach would be to design the reactor to 15 psig andacknowledge the potential for a 50 psig overpressure by depending on process and management controlsto prevent the runaway reaction, and by providing properly designed emergency relief venting if it does run-away. The active system is complex and becomes even more complex as vent gas collection systems areinstalled, etc.

This active approach is the traditional approach to reactor protection and most other loss prevention activi-ties in a chemical plant. One primary reason is timing. Often protection is added after the plant is constructed.Inherent safety and passive approaches become less economical if not completely impractical - after aplant has entered the equipment design phase.

An active approach does not provide the same level of risk reduction that the inherently safe or passivelysafe systems do. In the case of the reactor, with an active approach the loss would be significant if the emer-gency relief system failed (reactor failure, building blast damage, ensuing fires, and production loss). In thecase of the passive system the pressure would be contained with minor risk effects (perhaps time and costto investigate, recertify the vessel, and retrain employees, etc). In the inherently safe system the event couldnot occur.

Some additional examples of an active strategy are: large deluge systems with high capacity water sys-tems; automatic sprinklers over grouped electrical cables; explosion suppression systems in dust collectors;flow, thermal and pressure controls and interlocks; emergency shutdown systems, etc.

While not as effective and reliable as the inherently safe or passive approach, nevertheless, active systemsare often required and necessary for adequate protection of a chemical plant.

3.1.1.4 Tier 4 - Procedural

The next tier, and last in safety preference is the procedural or administrative control approach. A proce-dural response to safety is one using operating procedures, administrative checks, emergency response, andother management approaches to prevent or minimize the severity of an incident.



An example would be to provide written procedures for operators to take corrective action for the runawayreactor, rather than providing active automatic controls or relief systems. In this scenario, emergency actionsuch as leaving the control room, inspecting the reactor, and manually adding quench water might be theonly loss prevention response. In the event of a thermal oil release and fire, the plant may have only theemergency response of the fire department to rely upon for damage control.

3.1.1.5 Summary

The application of a tiered approach to risk management does not necessarily imply a singular strategy. A com-plex HPR facility will feature aspects of all four safety tiers inherent, passive, active, and procedural within the plant. Given a sufficiently hazardous process, all four tiers might be applied to the single processto provide assurance to risk managers that if one level fails, additional levels are available to limit the loss.

Application of this tiered approach is fully consistent with HPR loss prevention concepts.

3.1.2 Process Safety Management

The CCPS defines process safety management as the application of management systems to theidentification, understanding, and control of process hazards to prevent process related incidents.

The CCPS defines process safety management systems as comprehensive sets of policies, procedures,and practices designed to ensure that barriers to episodic incidents are in place, in use, and effective.

The CCPS guidelines focus on twelve elements of chemical process safety:

Accountability and Responsibility Process Safety Knowledge Project Review and Design (Process Hazard Analysis) Process Risk Management Management of Change Process and Equipment (Mechanical) Integrity Incident Investigation Training and Performance Human Factors Standards, Codes, and Laws Audits and Corrective Actions Emergency Response Planning

In addition to CCPS, other organizations have developed PSM guidelines that may have different elementsand terminology but nonetheless are equivalent to the CCPS guidelines and may be fully substituted in appli-cation. Some are listed in the Appendix. There also are government regulations, both U.S. and international,which mandate application of PSM guidelines under specific conditions. Some information on theseregulations is also in the Appendix.

All 12 CCPS points are needed for a reliable system based on PSM principles but they need to be custom-ized for the corporation (i.e., making baking soda does not need the same program used for making polyvinylchloride).

3.1.2.1 Accountability and Responsibility

Accountability and responsibility are at the heart of any facilitys program. These concepts must be ingrainedinto the philosophy of an organization to be successful. Key components of accountability are a policystatement; management commitment; procedural requirements; and performance measurement.

The degree to which management demonstrates interest in implementing programs based on PSM prin-ciples at its facilities is of paramount concern to safe operation of the facility. Without solid managementbacking even the best written program will never achieve successful implementation. Management interestshould be demonstrated with a written policy statement that is shared with and understood by each employeeof the facility. Managements interest in loss prevention should be obvious in the day-to-day activities of a facil-ity. Simply having a paper document on file will be of no benefit. Routine safety meetings, communicationof safety issues to employees and publishing lessons learned from incident investigations are just a few waysin which this interest will be demonstrated.



The policy statement should be site-specific, and should assign ownership of safe operations to manage-ment, as well as to every employee involved in the operation. Expectations of every member of theorganization should be detailed and written in language understandable at every level of the organization.The policy statement should be reviewed on a periodic basis and changes made as needed. For example,when changes occur within an organization such as change in management structure, the policy statementshould be updated to reflect these changes.

The policy statement should clearly outline the objective of the PSM program. These principles should be rou-tinely communicated to all employees so as to reinforce a safety-conscious work force. Generally, a reviewof the policy statement will be included in the orientation of new employees. Periodic review with allemployees within the organization also is useful.

Each employee should feel responsible for the safe operation of a facility. There should be no fear of repri-mand should a safety concern be reported. Only when the channels of communication remain open andfree can a program based on PSM principles become and remain effective.

As safety issues arise in new facility design, HAZOP reviews, changes to the process, etc., there will beissues that are not easily resolved, or will involve interpretation of codes or standards. A method should bein place to handle such issues so that resolution at the lowest level of management is achieved.

Once implemented, the success of a program based on PSM principles should be evaluated on a periodicbasis to ensure the procedures achieve results. This can be in the form of random audits, routine reports tomanagement or direct communication with those involved. Findings from this feedback mechanism shouldbe incorporated into the policy statement to facilitate constant improvement of the PSM program. Issues thatare difficult to resolve often lead to input on ways that the PSM program could be improved.

3.1.2.1.1 Example: Liquefied Petroleum Gas (LPG), Mexico City, Mexico

On November 19, 1984, an 8 in. (200 mm) pipe line at a government-owned LPG terminal ruptured. The sup-ply was not shut off, and the vapor cloud was subsequently ignited 10 minutes later by a ground level burnpit. Additional LPG tanks and spheres BLEVEd (Boiling Liquid Expanding Vapor Explosion) due to expo-sure to excessive heat. Management and organizational factors reportedly were the major factors in thisincident. Reportedly, management at this facility had not taken action on recommendations from previousstudies. The deluge systems that were designed to cool the LPG vessels were deemed grossly inadequate.Vessel design was inadequate and the vessels lacked proper insulation. There was also no gas detectionsystem available at the facility. The loss estimate is in excess of $25 million property damage (currentvalues)1,2

3.1.2.1.2 References

1. Gertman, D.I., and Blackman, H.S., Human Reliability and Safety Analysis Data Handbook, John Wiley& Sons, New York (1994).

2. Mahoney, D., Ed, Large Property Damage Losses in the Hydrocarbon-Chemical Industries, A Thirty-yearReview, M&M Protection Consultants, Chicago (1995).

3.1.2.2 Process Safety Knowledge and Documentation

Process safety knowledge and documentation, which includes process safety information, is the basis forunderstanding the hazards of the process. This is achieved by acquiring process information and using thisknowledge while conducting process hazard analyses.

The CCPS defines process safety information as the data describing the process and its chemistry. Pro-cess safety knowledge, in general terms, includes both process safety information and the ability tounderstand and interpret the information. It also includes the tracking and storing of key initial design bases,records of critical design decisions, design standards, site and equipment drawings, accident investigationinformation, etc. This data can be used as a baseline for future changes.

Data on process hazards and material chemistry can be obtained from numerous sources including testing,manufacturer issued Material Safety Data Sheets (MSDS) (or equivalents), and literature sources.

Some examples of needed process safety information, and the sources where the information is found, followas an example of a new process under design.



A chemical company is proposing a process using flammable solvents, reactants, and catalysts to producea chemical intermediate for the pharmaceutical industry. The process will include a potentially exothermicreaction, mixing, distillation, and drying to produce a powdered product. Prior to conducting a process haz-ard analysis or determining levels of protection, information is needed on the various materials and the waythey may interact normally or abnormally.

The company may find information from the following sources:

a) Material Safety Data Sheets. These, if available, will give information on flammability (i.e., flash points),explosibility (i.e., explosive limits), toxicity, corrosiveness, and potential reactivity with other materials.

b) FM Global data sheets and National Fire Protection Association (NFPA) standards. Lists of hazardousmaterials are presented with fire and explosion information.

c) Public domain literature such as the Kirk Othmer Encyclopedia of Chemical Technology, Sax Danger-ous Properties of Industrial Materials, CRC Handbook of Chemistry and Physics and numerous othersimilar sources.

d) Proprietary industry or trade group research and testing reports.

e) Expert opinion such as engineers from the corporation, FM Global or outside consultants.

f) Intentional and systematic testing of the materials.

In the example, the final product of the new process is a powder with a possible dust explosion hazard. Thematerial is unique, and no known data on its properties can be found by conventional literature search. Todetermine hazardous properties such as minimum ignition energy, lower explosive limits, maximum rate ofpressure rise and possible overpressures produced should it explode, tests are conducted in a 20-liter spherein accordance with ASTME-1226, Standard Test Method for Pressure and Rate of Pressure Rise forCombustible Dust.

Information on the mixture within a reactor or other vessels is needed to determine potential for exothermicrunaway or other chemical instability. Laboratory-scale reactivity screening should be done before scalingup to pilot or full scale processing. This data can be obtained using a number of devices including theAccelerating Rate Calorimeter (ARC), the DIERS Vent Sizing Package (VSP) and others.

Site information is also developed during this stage. This may include meteorological data (for later vapordispersion modeling), geographic data for exposure to natural hazards, accident exposures from nearbyindustrial sites, and utility data such as reliability and adequacy of water, fuel, and power supplies.

After basic chemistry, physical, and thermodynamic properties of materials are developed and site charac-teristics are found, conclusions on different release and impact scenarios are qualitatively determined. Forexample, if a solvent is flammable, it will be qualitatively concluded that a spill can result in fire. If boiledand held under pressure, an indoor or outdoor flammable vapor explosion potential may exist. The catalystto be used might be known to overheat and produce equipment-damaging pressure if not refrigerated. Thesegeneric conclusions are all derived in the process safety information phase. However, the sequence ofevents by which the scenario and its consequences will be realized will not surface until a process hazardanalysis is conducted on the system in which the materials are used. Finally, the action steps, such as fixedmitigation, taken to reduce the quantified hazard or consequences will not surface until the process riskmanagement stage.

Under this activity, in addition to developing and maintaining basic process and material hazard informa-tion, it is necessary to include accumulation of all the design details, alternative process considerations, keydesign decisions and basic operation and maintenance plans.

Here, the corporation should develop rationale and responsibility for collecting and maintaining this data aswell as data on operating experience, accident investigations, causes and corrections as well as changesdeveloped and reviewed under the Management of Change processes (described later).

This collection of data will preserve initial design records (to ensure that replacements comply with designintent), reasons for key design decisions (aid to future projects and modifications) and provide a basis forunderstanding how the process should be operated. It also serves as a baseline for evaluating futurechanges.



The collection of this information provides the process safety knowledge needed in subsequent PSM steps(as well as a record of the original review process) so that the process can be started up and run through-out its intended life without an unanticipated incident or unprotected hazard. The information is documentedand made part of the overall process safety management package, which will eventually also include datafrom the process hazard analysis and process risk management steps. This is then used for employeetraining, future process changes, etc.

Enhancement of process safety knowledge is a subset of this element, and is sometimes added as a sepa-rate element of PSM. Over the life of the plant, new technology in process operation, inherent safety, or lossprevention techniques may be developed. While not known or cost effective during initial plant design, theymay become so later in the life of the plant. It is important for an organization to stay fully abreast of new tech-nology and apply it as appropriate. Use of a Management of Change procedure will ensure that latesttechnology and information will be available.

3.1.2.3 Process Safety Review (Process Hazard Analysis)

This element of PSM is often identified as Process Hazards Analysis (PHA), and should include the projectreview for new facilities or modifications to existing facilities that have a significant process or capital impact.Where no major changes occur, the review should be revisited on a regular basis. A suggested frequencywould be about every 5 years with longer intervals for less hazardous processes. The element also includesthe necessary design and pre-startup review of such projects to ensure that recommendations were, in fact,implemented.

The CCPS discusses staffing, hazard reviews, siting, plot plan, etc., in the context of phases of capitalprojects. As a supplement to the CCPS material, an HPR chemical plant should consider the following sectionsrelated to property and business interruption loss prevention.

Principles of loss prevention and risk management should guide plant siting decisions. These principles areusually defined in the corporate guiding principles or business objectives. Most sites can be made acceptableif sufficient funding is allocated to overcome deficiencies presented by the site selection.

Sites chosen should be selected to avoid or minimize exposures by perils of:

a) Fire.

b) Natural Hazards (flood, wind, lightning, snow, freezing, earthquake, volcano, etc.).

c) Explosion.

d) Transportation (aircraft, motor vehicle, rail, ship).

e) Pipeline or tank farm exposures.

Sites should feature:

a) Access for safe disposal of waste.

b) Access to fire fighting assistance (public or other).

c) Access to an adequate source of water to meet present and future demands.

d) Access to reliable security and emergency services.

e) Access to the site during adverse conditions (riot, traffic, etc.).

In addition to location of the plant site, equal consideration should be applied to the location of:

a) Process units.

b) Pipe racks.

c) Storage facilities.

d) Unloading facilities for rail cars, trucks and water craft

e) Flare stacks.

f) Utility plants.

g) Waste water treatment facilities.



h) Electrical power lines.

i) Process control rooms.

Once site selection is complete, the project should have sufficient funding to implement FM Global and/orcorporate loss prevention guidelines. In addition to basic project design and construction costs, financesshould:

a) Allow time for a thorough review of loss prevention aspects of the design and construction usingaccepted hazard analysis methods. Designs should use inherent safety and risk mitigation concepts.

b) Permit installation of proper loss prevention features affecting construction, protection, drainage,electrical equipment, freeze protection, etc.

3.1.2.3.1 Examples

3.1.2.3.1.1 The ABC chemical company proposes building a new polymerization plant at the site of an exist-ing chemical plant in the Gulf Coast area. It could be located in any of three different areas near the existingplant. The raw material (ethylene) is supplied to the main ABC plant, but the facilities will need to be enlargedto accommodate more ethylene. New facilities will need to be developed for storage of propane, butylene, andother future monomer feedstocks.

The ABC company has a license to use a new process to make the finished copolymers, but sizes and lay-out of major equipment have yet to be finalized. At this point, a team was created including specialists fromFM Global, ABC, and several design and construction engineering companies. Early meetings developeda time line for the construction, plan reviews, site visits, and pre-startup reviews, as well as a plan to conducta thorough hazard analysis.

Full HAZOP and What-if analyses were performed. FM Global specialists participated in the hazard analy-sis meetings, and provided an important perspective on damageability, available protection and mitigationmethods, and analysis of business interruption potentials.

A full site survey was conducted at all three sites with a team made up of various specialists including theFM Global engineer. Through this process, a site was chosen to minimize flood exposures, and the poten-tial for fire and explosion exposures presented by nearby plants, pipe racks and railways. Plans weremodified to include relocation of pipe racks, along with rerouting of rail sidings.

Through early team meetings, objectives from corporate guiding principles were interpreted to define objec-tives for limiting the maximum foreseeable loss, and normal loss expectancies. Through collaboration,specifications were developed for the plant construction, particularly control room construction, fire protec-tion water supply piping sizes and locations, pipe rack locations, drainage patterns, sprinkler valve houselocations, and feedstock and product delivery contingencies. These methods resulted in mitigation of VaporCloud Explosion (VCE) potentials (see Data Sheet 7-42, Guidelines for Evaluating the Effect of Vapor CloudExplosions Using a TNT Equivalency Method for additional information on VCE hazards).

Note: The level of FM Global participation can vary from project to project depending on the needs of allthe parties involved, contractor, insured, insurance company, etc.

3.1.2.3.1.2 XY Chemical Company planned and constructed a polymer manufacturing plant along the TexasGulf Coast. Design work was conducted at the home offices in the northeastern US using highly experi-enced personnel.

Project designs did not consider incident history and advice for this area relative to freeze protection. As aresult, the plant was built with numerous outdoor sprinkler systems as well as elements of the process andinstrumentation system with insufficient freeze protection.

As a result, the plant suffered a $2 million loss related to broken pipe, instrument lines, and loss of produc-tion in the 1983 and 1989 freezes. This pointed to a normal frequency of freezing weather in this area, worthyof protection. A cost estimate of $75,000 for correction of the deficiencies was developed in consultation withthe local FM Global specialist. Economic conditions dictated that these improvements be extended over aperiod of three years resulting in a need to prioritize the modifications.



If the concepts and guidelines of this data sheet had been used in siting of this plant, the freeze potentialand its frequency would have been identified. A loss potential of $2 million with an average 10-year recur-rence interval would have been mitigated. The cost at the time this plant was designed could have been muchlower.

3.1.2.4 Process Risk Management

Process risk management involves the identification, evaluation, control, or risk transfer of potential haz-ards that may be associated with existing operations, new projects, acquisitions, and customer supplieractivities.

Process risk management is the system whereby conscious risk improvement decisions are made basedon results and information obtained during the process knowledge and process hazard analysis stages. If haz-ard information data is available at very early stages of a plant design, inherent safety features can beincorporated into the design. Later in the design, passive, active, and procedural improvements and protec-tion are usually added. The need and level of fixed suppression systems such as sprinklers and delugesystems, building steel fireproofing, damage limiting construction, barriers, process controls, etc., are decidedin the process risk management phase of PSM. Fire safety professionals in partnership with the chemicalplant determine the level of protection needed to meet HPR status and loss exposure goals. Ultimately theexposure is improved through fixed protection and management systems, is transferred through insurance,or is completely avoided by eliminating the hazardous activity.

Data and information from process knowledge gathering and hazard analysis activities must be evaluatedas to economics and potential for risk reduction. Not all risk in a facility can be eliminated or reduced throughengineering. Process risk management ensures that a balance of inherent or engineered safety and risktransfer (i.e., insurance) is maintained and that all mandatory regulations, corporate standards, and indus-try and insurance guidelines are met. Process risk management requires screening, ranking, and engineeredassessment tools. A high level assessment, such as Quantitative Risk Analysis (QRA) may be needed tomake final decisions. The four tier safety strategy is still followed. Regardless of methods, documentation ofthe basis for risk decisions is important.

3.1.2.4.1 Case Study

ABC Chemical company is planning a facility to produce polyvinyl chloride (PVC) plastic using a licensed pro-cess. Production of this material will include use of vinyl chloride monomer (VCM), a liquefied gas, flammablesolvents, and reactive peroxide-based catalysts in a moderately high pressure, high temperature, continu-ous autoclave (single reaction vessel) system. The process will be located in a single process unit supportedby raw materials delivery and storage, in-process storage, combustible heat transfer media, heat, steam,power, and fuel utility systems, and final product handling, storage and transfer to market. The final prod-ucts will be solid extruded pellets, some of which will be custom made with plasticizers. The benzoyl peroxide(BP) catalyst is to be manufactured on site. The process will be constructed at a new site not previouslydeveloped.

In the process safety knowledge step the following technical information may be obtained based on a literaturesearch or documented testing:

flammability and explosivity characteristics of gases and liquids flammability and explosivity characteristics of heat transfer media reactivity data on catalysts combustibility and explosivity data on solid powder product reactivity of the PVC reaction at given process conditions reactivity and hazard of catalyst manufacture

The following site information might be obtained based on a site study and documented:

meteorological data (prevailing winds/speeds/atmospheric stability) freeze and snowfall/rainfall data flood data earthquake data windstorm data data on adequacy and reliability of utility services information on nearby hazardous exposures



General conclusions might be derived based on the above chemical and site information and qualitative analy-sis. At this stage, these conclusions are based on generic knowledge obtained from experts or from theliterature, and are used for establishing more definitive scenarios during a process hazard analysis. Detailedconsequence studies such as vapor cloud dispersion, explosion overpressure, or pool fire radiant heat effectsare conducted as part of the hazard analysis.

The following general conclusions are not meant to be all-inclusive but only to demonstrate types ofinformation and scenarios that could be developed during this step.

a) Flammable liquid spill fire potentials exist from delivery, storage, process vessel, and piping systemsfor raw and intermediate materials and for the heat transfer media system.

b) Vapor cloud explosion potentials exist from storage, process vessels, and piping systems using VCM.

c) Reactor, vessel, pumps, and piping failure potentials exist due to high pressure, corrosivity, andreactivity exposures.

d) BP manufacture requires potentially unstable hazardous materials.

e) Dust explosion potentials exist from plasticized product.

f) The plant is in a semi-tropical climate but is subject to periodic severe freezes.

g) The plant is in a potential hurricane zone.

h) Power supplies are subject to possible off-premises interruptions.

i) Public water supplies and emergency response are not available.

j) A plant with potential wide range explosion hazard abuts the site.

In the process hazard analysis step, the above data and design drawings (as complete as possible) are sub-jected to a systematic and critical examination to determine failure modes whereby incidents could occur.HAZOP, What If, Checklist, Failure Modes and Effects Analysis (FMEA), and more quantitative analysis meth-ods might be used. Vapor dispersion, explosion and radiant heat modeling, if needed, will be done duringthis stage. These examinations might reveal the following potential concerns and consequences:

a) The manufacture of peroxides on site presents many failure modes and several potentials for a per-oxide self initiation, with high damage potential, compared with the relatively small amounts of materialneeded.

b) Flammable spill fire and vapor release potentials cannot be completely eliminated through process con-trol or design, short of not producing the product. Steel structure is subject to severe radiant heat,confirmed by fire modeling.

c) VCM represents a vapor cloud explosion potential, and the process unit arrangement and congestionwill produce high overpressures throughout the plant, as confirmed by modeling.

d) Prevailing winds and distance indicate potential for vapor cloud from neighboring facility to enterprocess unit, confirmed by modeling.

e) A single large reaction autoclave is harder to control than a smaller unit. It also presents extreme liquidspill or vapor release potentials thus increasing protection system demands, and if damaged would shutdown all operations.

f) Plasticized plastic dust presents a dust explosion hazard, confirmed by laboratory testing.

g) A rare but possible sudden freeze could severely damage plant utilities.

h) A sudden power outage could cause loss of control of the reaction.

i) Many different release and failure modes of vessels, pumps, piping, and utility systems exist, but thesecan be mitigated through process control and design improvements.

j) Use of a large volume of combustible heat transfer material presents significant fire potential on a higherfrequency than other flammable materials, due to its high corrosivity, confirmed by loss history.



In the process risk management step all of the data collected and derived from the two prior steps is usedto make risk management decisions. In the example, these may include (but are not limited to) the followingdecisions, listed in order of a tiered preferential safety approach:

Inherent safety:

a) Replace combustible thermal oil system with water system.

b) Reduce production bottleneck by changing from one large reactor to several smaller reactors.

c) Reduce in-unit flammable inventories by eliminating product day tanks, large reboilers, large reactor,oversized piping, etc.

d) Purchase additional land to protect against off premises exposures

e) Refrigerate VCM bulk storage tanks to reduce vaporization.

f) Collect plastic dust in wet slurry to reduce dust hazard.

Passive mitigation:

a) Use a concrete frame or fireproof steel for process unit.

b) Space unit apart from support facilities and site boundaries.

c) Use open process unit for maximum explosion venting.

d) Limit and space equipment within unit to minimize congestion.

e) Lay out unit with flammable materials accessible on outer edge.

f) Install drainage systems.

g) Design process controls and interlocks to maximize reliability of process.

h) Design process vessels/piping to maximum expected pressure.

i) Blast proof control room and emergency services building.

j) Provide emergency containment systems.

Active mitigation:

a) Provide on site water system for fire protection.

b) Provide deluge sprinkler protection.

c) Provide combustible gas detection.

d) Inert and purge flammable storage, process and piping systems.

e) Provide reactor emergency quench system.

f) Provide reactor emergency venting.

g) Computerize process control.

h) Provide on-site emergency power supplies.

i) Design to hurricane codes.

j) Protect plant against freeze up.

Operational administrative controls:

a) Develop and train on site emergency fire response brigade.

b) Train and empower operators to take manual process control.

c) Provide ignition source control systems.

d) Provide backup manual reactor emergency quench system.

e) Provide natural hazard alert procedures.



Risk Avoidance:

a) Eliminate on-site manufacture of peroxide catalyst.

Risk transfer:

a) Accept inherent risk by retention of high insurance deductibles.

In the risk management process, there may be a need to revisit and re-analyze hazards several times priorto deciding on the level and type of mitigation or use of other risk tools such as elimination of hazard or risktransfer. In fact, risk management becomes a constant cycle of analysis, transfer and acceptance through-out the life of the facility. As the facility ages and changes are made, the risk will change. Keeping abreast ofthis aging and change process will ensure that the facility will achieve the risk management goals originallyaccepted.

3.1.2.4.2 HPR Requirements

The decision to meet or not meet HPR protection guidelines is determined during the process risk manage-ment stage. While achieving HPR status should always be the risk management goal, there may beconditions, especially in existing older plants, where this may not be economically or technically feasible.

There are minimum requirements for a facility to qualify as an HPR risk. These are briefly identified in Section2.1.2.1 and further discussed in Section 3.1.3, Concepts of Highly Protected Risk.

3.1.2.5 Management of Change

Management of Change (MOC) means evaluating every change to technology, facilities or personnel at theearliest possible stage for its potential impact on property loss prevention. The earliest possible stage is themoment an idea or proposed change becomes known. These changes can be emergency, permanent, tem-porary, recognized or unrecognized. The purpose of a management of change process is to prevent theunrecognized change.

Changes are made routinely throughout the life of a facility. These may vary from major highly visible projectsto daily routine maintenance activities. Changes can occur to technology, chemicals, products, equipment,and procedures. Any change from original design intent represents a deviation. If the impact of this devia-tion is not fully understood, the change, even if minor, can cause a significant incident. Appropriate processhazards management systems should be put into place to help ensure that hazards associated with a changeor deviation are identified and controlled.

Changes fall into three main categories: technology, facilities and personnel or organization.

Although some changes may be minor, with little likelihood of compromising loss prevention and processsafety, all changes have some potential for disruption.

3.1.2.5.1 Change in Technology

Change in technology arises whenever the process or mechanical design is altered. Examples are changesin feedstocks, catalysts, product specifications, byproducts or waste products, design inventory levels,instrumentation and control systems, or materials of construction.

Typical instances in which change in technology would likely occur include the following:

a) New projects that involve tie-ins or equipment modifications on existing units.

b) Projects to increase facility throughput or accommodate different feedstocks or products.

c) Significant changes in operating conditions, including pressures, temperatures, flow rates, or processconditions different from those in the original process or mechanical design.

d) Equipment changes including the addition of new equipment or modifications of existing equipment.These can include changes in alarms, instrumentation and control schemes.

e) Modifications of the process or equipment that cause changes in the facilitys relief requirements. Thesecan include increased process throughput, operation at higher temperatures, increased size of equipment,or the addition of equipment that might contribute to greater relief requirements.

f) Bypass connections around equipment that is normally in service.



g) Changes in operating procedures, including procedures for startup, normal shutdown, and emergencyshutdown.

h) Changes made in the process or mechanical design or in operating procedures that result from a PHAperformed as described in Section 3.1.2.3.

i) Introduction of new or different process additives (for example corrosion control agents, antifoulants,antifoam agents).

j) Corrective actions developed as a result of an accident investigation.

3.1.2.5.2 Changes in Facilities

Changes in facilities are those in which physical changes are made that would not necessarily appear onplant drawings, or piping and instrument diagrams (P&ID). Examples are: temporary connections, replacedcomponents that are not in kind, site modifications, transient storage, temporary structures, etc.

Specifically, these can include the following:

a) Temporary equipment (tanks, offices, drum storage, etc.).

b) Replacement equipment or machinery that differs from the original equipment.

c) Temporary piping, connections, hoses, or wiring.

d) Temporary software configurations, jumpers, shortened algorithms, bypassed controls.

e) Pipe clamps, braces, stands, wiring, ropes.

f) Temporary utility connections (steam, power, water, etc.)

g) An alternative supply of process materials, catalysts, or reactants, such as through drums or tankstemporarily located within the facility.

h) Temporary electrical equipment or connections.

These changes have the ability to affect design, construction, operation, maintenance, and decommissioning.

3.1.2.5.3 Changes in Personnel

Changes in personnel are those in which key responsibilities are shifted from a position of stability to insta-bility. Examples are retirement, promotion, other career changes and personal issues (sickness, death,leave-of-absence, etc.). These changes are ones in which continuity of responsibility may lapse.

Training and assignment of alternates is a key feature needed to mitigate lapses caused by these changes.Supervision must be skilled for early recognition of these changes, with an ability to plan in advance to miti-gate these changes. Goals of the company, business and operating unit must support prevention effortsassociated with these changes.

3.1.2.5.4 Examples

3.1.2.5.4.1 The Clean Air Act Amendments of 1990 require a 50% reduction of sulfur dioxide levels (SO2)in the U.S. by the year 2000. This act affects approximately 2,000 electric utilities. The method of choice tocontrol SO2 emissions probably will be the installation of wet scrubbers as they provide the highest levelof control. Along with the additional costs and plans for scrubber installations, the person(s) planning thesechanges need to look at the effect these installations will have on loss prevention. For instance, scrub-bers are subject to fires and explosions and they can affect furnace draft. Induced draft fans may have tobe upgraded, which, in some cases could increase the risk of implosions and boiler vibrations. To prevent cor-rosion of scrubbers, ducts and stacks, it may be necessary to use plastic or plastic-lined equipment, whichcould present a fire hazard.

A typical agreement between a company and the property insurance company requires that a loss preven-tion professional within the company be advised of all management of change activities in the plant. Thisindividual is then responsible for involving the specialist from FM Global to allow an opportunity for the changeto be evaluated in its earliest stages.



3.1.2.5.4.2 ABC is a manufacturer of commodity polymer using batch-scale polymerization of the monomer.Because of favorable opportunities in the market, ABC has plans to double the capacity of its seven-reactor plant in a two-phase expansion over the next 10 years. The first phase will include construction ofutilities and the footprint for a second seven-reactor manufacturing building. Initially, a building containingthree reactors will be built.

There is a close relationship between ABC and the FM Global specialist assigned to this plant. While theidea is being developed by senior management within ABC, meetings are held with the FM Global special-ist to discuss the effect this may have on loss prevention. ABC is guided by a principle that promotescontinuous improvement in all areas of operation including loss prevention and they call upon the expertiseof FM Global to provide guidance to meet this goal.

In consultation with the FM Global specialist, several opportunities are identified. These include ways to miti-gate VCE potentials, provide more cost efficient and effective water spray systems, and arrange theInstrumentation and Control features for increased reliability. In order to expand the process water featuresfor the new plant expansion, several pumping and distribution changes were needed. Opportunities wereidentified to add outlets and normally closed connections between the fire protection system and the pro-cess water supply system. This increased both the normal supply to the fire protection water system, and thesupply that would be available in a catastrophic event.

In consultations, an opportunity was identified to relate current maintenance issues for the older electronicheat detection systems on the water spray systems to a design specification needed for all the new waterspray systems. Review of maint