Risk management

RISK MANAGEMENT AND PROCESS SAFETY Lecture 2

RISK MANAGEMENT

Hazard & Risks

Pooya Arjomandnia © 2015

Upload: salman

Post on 22-Dec-2015


DESCRIPTION

risk, control, qualitative

TRANSCRIPT


LECTURE 2 PLAN:

• Some history – why risk management?

• Hazard and risk – the concepts

• Terminology, a way of thinking

• Risk perception


RESOURCES USED FOR DISCUSSIONS

Books & Journals

• Skelton, Bob – “Process Safety Analysis: an introduction” – chapters 1 & 2

• Cameron I. and Raman R. – “Process Systems Risk Management” – chapter 1

• “Lee’s loss prevention in the process industries: hazard identification, assessment and control”, edited by Sam Mannan, free electronic resource at Curtin’s library – Ch. 1, 2 & Appendices

NATURAL DISASTERS

© Ian Cameron

INDUSTRIAL DISASTERS

Atofina, Toulouse


SOME MAJOR DISASTERS - CASE STUDIES

• Flixborough, UK, 1974

• PEMEX, Mexico City, 1984

• UCIL, Bhopal, India, 1984

• Piper Alpha, UK, 1988

• Deepwater Horizon, 2010

• Fukushima Daiichi, Japan, 2011


FLIXBOROUGH, UK 1974

The Process

• Manufacture of caprolactam via the oxidation of liquid cyclohexane. Reaction product contained 94% cyclohexane, which was subsequently separated.

• Reaction carried out in six reactors (20 tonnes each) in series, operating at 8.8 barg and 155 ºC.

• Heat of reaction removed via vaporization of cyclohexane, which was recovered from the off-gas system by condensation. Atmosphere in reactors controlled via nitrogen supply.

• Safety valves (11 barg) vented vapour into the relief header of the flare system.

• Trip to operate if high oxygen level encountered in the off-gas.

FLIXBOROUGH, UK 1974

Chronology of Events

27 March: crack located in 13mm steel plate of Reactor 5.
• Decision to take Reactor 5 out of service.
• A by-pass constructed between Reactors 4 and 6. Done with 500mm pipe. Openings were 710mm. Dog-leg design, because of different reactor levels. Bellows installed at each end. By-pass pneumatically tested to 9.0 barg.

29 May: Isolation valve leaking. Shutdown for repairs.

1 June: Startup of plant. Reactors subjected to higher than normal design pressure.
• early am: sudden rise to 8.5 barg in Reactor 1 during startup
• late am: pressure reaches 9.1-9.2 barg at normal operating temperature
• late pm: vapour release via pipe rupture
• 4.53 pm: massive vapour cloud explosion (VCE)

FLIXBOROUGH, UK 1974

Extent of Disaster

Death and Injury
• 28 killed (within plant)
• 54+ injured

Plant and Equipment
• complete destruction of processing facilities ($60-70 million)

Plant Environs
• 1821 houses badly damaged
• 167 shops damaged

FLIXBOROUGH, UK 1974

(Lees, 1996)

FLIXBOROUGH, UK 1974

Lessons from the Incident:

1. Inventory of Hazardous Materials
• large volumes stored on site (1.5 million litres cyclohexane plus 450,000 litres of other highly flammables)

2. Design and location of control room and other buildings
• 18 out of 28 deaths were in the control room

3. Siting of Major Hazards
• higher casualties avoided due to relative isolation

4. Public Controls of Major Hazard Installations
• ACMH (Advisory Committee on Major Hazards)
• also CIMAH (Control of Industrial Major Accident Hazards) regulations

5. Management Aspects
• safety versus production
• hazard analysis of modifications
• management safety system essential
• planning for emergencies

PEMEX, MEXICO CITY, 1984

Extent of Disaster

Death and Injury
• 542 killed (mainly outside plant)
• > 7000 injured

Plant and Equipment
• majority of LPG installation destroyed

Plant Environs
• severe damage area out to 400m
• fragments out to 1200m
• 100 delivery trucks destroyed
• 200 houses destroyed
• 1800 houses damaged
• 200,000 evacuated


PEMEX, MEXICO CITY, 1984

The Facility

LPG storage and distribution centre, located in a north-eastern suburb of Mexico City.

Storage at San Juan Ixhuatepec was:

| Type | Number | Capacity (tonnes) | Pressure (bar) | Total (tonnes) |
|---|---|---|---|---|
| bullet | 44 | 50 | 9 | 2200 |
| bullet | 4 | 90 | 9 | 360 |
| sphere | 4 | 575 | 13.5 | 2300 |
| sphere | 2 | 1250 | 13.5 | 2500 |
| Total | 54 | | | 7360 |

• Surrounding residential area started 130m from storage tanks
• Feed via 3 underground lines (300mm) from refineries up to 500 km away
• LPG distributed to local gas companies and others via underground lines, cylinders and rail-tankers.

PEMEX, MEXICO CITY, 1984

Chronology of Events

Sunday 18 November, late pm: facilities almost empty. Afternoon shift begins tank filling from refineries.

Monday 19 November, early am: filling of bullets and 2 largest spheres completed; 2 smaller spheres about 50% full. Sudden pressure drop at pumping station 40 km away. Rupture of an 8 in. pipe between a sphere and cylinders.
• 5.20 am: escape of liquefied gas with deafening noise – 2m high cloud 200m x 150m
• 5.40 am: cloud ignited by flare at bottling plant. Flash fire and local overpressures
• 5.45 am: first major explosion (BLEVE)
• 5.46 am: first small sphere explodes with 300m fireball. Raining LPG.
• up to 7.30 am: 9 major explosions

PEMEX, MEXICO CITY, 1984

Lessons from the Incident

Layout
• PEMEX facilities very confined
• cylinders very close and walled-in leading to increased overpressures

Location
• closeness to major residential areas (130 metres)
• local authority planning strategies

Maintenance
• poor quality – gas detection and emergency isolation
• often postponed
• seldom recorded
• failure of the overall system of protection

Disaster Planning
• total confusion reigned
• inadequate disaster management

UCIL, BHOPAL, INDIA, 1984

Extent of the Disaster

Death and Injury
• 3000 fatalities
• >250,000 injured (159 orphaned children, 169 widows, 1000 cases of blindness)

Plant and Equipment
• closure of facility

Plant Environs
• major long-term devastation of local community

UCIL, BHOPAL, INDIA, 1984

The Process

[Process flow diagram. Labels: Phosgene stripping, Pyrolysis, MIC refining, Reaction system, MIC storage, MIC derivatives, MIC destruction VGS/flare, Phosgene, Monomethylamine, Chloroform, Hydrogen chloride, Crude MIC, Tails, Residues, Unit vents, Product.]

UCIL, BHOPAL, INDIA, 1984

Chronology of Events

Sunday 2 December
• 8.30 pm: operator asked to wash piping around tank 610
• 10.55 pm: pressure in tank 610 rises to 10 psig. Operator assumes it is due to nitrogen pressurization
• 11.30 pm: operators sense eye irritation due to small amount of MIC

Monday 3 December
• 12.00 midnight: pressure continues to build. Water sprays used to cool tank but ineffective
• 12.30 am: pressure rises to full scale. Bursting disc and safety valve blows. MIC released via scrubber and vent (40 tonnes in total) – scrubbing, refrigeration & flare not working!
• 1.00 am: alarm activated

UCIL, BHOPAL, INDIA, 1984

Lessons from the Incident

Storage of hazardous intermediates? is it necessary?

Non-adherence to recommended plant procedures

Inoperative safety systems
• vent gas scrubber
• flare stack
• water curtain
• refrigeration system
• spare storage tank

Multinational safety standards
• common standards worldwide
• adequate training

Local Government actions
• local community awareness
• suitably planned buffer zones

Sabotage of operations?

PIPER ALPHA, UK, 1988

Extent of Disaster
• major oil platform destroyed
• 167 deaths
• major oil production disruption for Occidental Petroleum
• Cullen Report leads to major off-shore safety system changes

PIPER ALPHA, UK, 1988

The Process
• platform operations separated fluid from wells into gas, oil and condensate
• oil pumped to Flotta Terminal, Orkneys
• gas sent to MCP-01 platform for compression for discharge to St. Fergus
• gas received from Tartan
• gas line link to Claymore

[Figure: Pipeline connections (Lees, 1996)]

PIPER ALPHA

Chronology of Events
• Condensate pump was taken out of service for maintenance by day shift
• PSV of the pump was taken out of service; blind installed loosely (bolts not tight)
• 21:45 – 2 condensate pumps tripped, one restarted by night shift (not knowing what the day shift did)
• Leak and large amount of condensate released – vapor cloud
• 22:00 – first explosion
• 22:20 – rupture of gas riser from Tartan
• death in accommodation module
• 22:50 & 23:20 – third and fourth explosion
• 24:15 – platform Piper disappears

PIPER ALPHA

Lessons from the Incident
• quality of safety management – lack of control, poor permit to work systems
• quality of safety auditing
• isolation of plant for maintenance
• training of contractors – no proper training!
• disabling of protective systems by fire/explosion
• safe refuge for workers
• planning for emergencies – emergency induction not provided, no drills or exercises to test emergency preparedness

DEEPWATER HORIZON, APRIL 2010

Extent of the Disaster
• Drilling rig sank after explosion and fire
• 11 fatalities
• Many injured (126 total workers)

Environment
• major long-term devastation
• the largest offshore oil spill in US history

DEEPWATER HORIZON

Chronology of Events

20 April 2010
• 9:45: a geyser of seawater erupted from the marine riser onto the rig (73 m into the air)
• Very soon: eruption of slushy combination of mud, methane gas and water
• The gas ignited into a series of explosions and firestorm
• Attempt to activate the blowout preventer failed and rig burned for 36 hours

22 April 2010
• The rig sank
• The oil spill continued until 15 July when temporarily sealed by a cap
• Relief wells used to permanently seal the well

19 September 2010 – declared ‘effectively dead’!

Possible causes
• 2009 – ‘not required’ to fill a ‘scenario for a potential blast’
• Instructions to remove drilling mud from the riser prior to capping and replace with seawater
• Declared the blowout preventer (BOP) ‘fail-safe’; Transocean listed 260 failure modes
• 2011 report – BP’s lack of safety culture
• Disregarded ‘anomalous pressure test readings’ prior to explosion
• The BOP had a ‘dead battery in its control pod’ and ‘leaks in its hydraulic test’
• Maker of BOP
• Flawed cementing job to cap the well just prior to blowout
• The cement plug ‘was never set’

To be continued…

FUKUSHIMA, JAPAN, MARCH 2011

Extent of the Disaster
• Level 7 nuclear disaster
• Equipment failures
• Nuclear meltdowns
• Release of radioactive materials
• No deaths or cases of radiation sickness

FUKUSHIMA

Chronology of Events

Earthquake – loss of power supply; reactors 1-3 shut down
• Emergency diesel generators started up

Two tsunamis (8 min apart)
• Submerged and damaged the seawater pumps required for condenser and cooling circuits
• Drowned the diesel generators, inundated the electrical switchgear and batteries
• Damaged and obstructed roads

Reactors isolated from any heat sink

Nuclear emergency declared

Evacuation

FUKUSHIMA

Lessons from the Incident
• Seismic design – countermeasures for the external power supply were inadequate
• Tsunami – the scale considered in design was inadequate; poor design of critical safety systems
• Station blackout – safety guidelines only assumed short term blackout
• Loss of ultimate heat sink
• Accident management – inadequate for station blackout; confusion; inadequate responsibility system
• Hydrogen explosion – outside the containment vessel, not taken into consideration
• Safety design approach – inadequate

How to conduct a simple incident safety and risk assessment

US CHEMICAL PROCESS LOSSES

[Pie charts: Distribution (%) and Cost (%) for All Losses and for Losses > $100 000, by category: Fire, Explosion, Windstorm, All other.]

LOCATION OF LOSSES

[Pie charts: Fire incidents (%) and Explosion incidents (%) by location: Enclosed building, Open structure, Other.]

CAUSE OF LOSSES

[Pie charts: Distribution (%) and Cost (%) by cause: Chemical reaction, Boiler and furnace explosion, Other explosions (including vapour cloud explosions).]

LOSS ANALYSIS – REACTION & EXPLOSION

| Cause | Frequency (%) |
|---|---|
| Accidental reaction (a) | 33.3 |
| Uncontrolled reaction (b) | 40.0 |
| Decomposition of unstable materials | 13.3 |
| Other causes | 13.4 |

(a) Due to accidental contact of material(s)

(b) Intended reactions which become uncontrollable

| Type of Process | Frequency (%) |
|---|---|
| Batch reaction | 60.0 |
| Continuous reaction | 13.6 |
| Recovery unit | 6.6 |
| Evaporation unit | 6.6 |
| Other | 13.2 |

MOTIVATION FOR RISK MANAGEMENT

Regulatory requirements
• International, national and state

Common Law Duty of Care
• Avoiding criminal liability

Commercial incentives
• Business continuity
• Corporate reputation

Evaluating alternatives for design and location

HAZARD - DEFINITIONS

KEY CONCEPTS

Hazard = a physical situation with a potential for: human injury, damage to environment or both

Hazard analysis =
• the identification of undesired events that lead to materialisation of hazard
• the analysis of the mechanisms by which these undesired events could occur
• the estimation of the extent, magnitude & likelihood of any harmful events

a potential for harm/loss NOT a realised harm/loss

Skelton – chapter 1

HAZARDS – CONTRIBUTING FACTORS

Material factors
• toxicity (LD50, TLV, ERPG, …)
• flammability (Flash point, Auto-ignition, UEL/LEL)
• explosion (deflagration, detonation)

Operational factors
• process deviations
• time
• sequence
• human factors

Environmental factors
• ignition density
• weather/meteorology

Cameron – chapter 1

RISK - DEFINITIONS

Risk = the probability of occurrence of an event that could cause a specific level of harm to people, property, environment over a specified period of time

Process risk categories:
• Occupational risks – safety & risk of employees
• Plant property loss
• Environmental risk – s&h of public, heritage
• Liability risks – public, product, failure to service
• Business interruption risks
• Project risk – design, contract, delivery

Cameron – chapter 1

RISK – DEFINITIONS

Two dimensions:
• Severity / magnitude of the loss
• Likelihood / probability of occurrence

Broad concept:
• Risk = Undesirable consequences x Uncertainty
• Risk = Hazard / Protective measures
• Risk = Hazard + Outrage

Cameron – chapter 1