Risk Analysis of A Fuel Storage Terminal Using HAZ PDF
Risk Analysis of A Fuel Storage Terminal Using HAZ PDF
Risk Analysis of A Fuel Storage Terminal Using HAZ PDF
Environmental Research
and Public Health
Risk Analysis of a Fuel Storage Terminal Using
José Luis Fuentes-Bargues 1, * , Mª Carmen González-Cruz 1 , Cristina González-Gaya 2
and Mª Piedad Baixauli-Pérez 3
1 Departamento de Proyectos de Ingeniería, Universitat Politècnica de València, Camino de Vera s/n,
46022 Valencia, Spain; [email protected]
2 Departamento de Ingeniería de Construcción y Fabricación, ETSII, UNED, C/Ciudad Universitaria s/n,
28040 Madrid, Spain; [email protected]
3 Universitat de València, Avda. de la Universidad s/n, 46100 Valencia, Spain; [email protected]
* Correspondence: [email protected]; Tel.: +34-96-387-7000 (ext. 85651)
Abstract: The size and complexity of industrial chemical plants, together with the nature of
the products handled, means that an analysis and control of the risks involved is required.
This paper presents a methodology for risk analysis in chemical and allied industries that is based on
a combination of HAZard and OPerability analysis (HAZOP) and a quantitative analysis of the most
relevant risks through the development of fault trees, fault tree analysis (FTA). Results from FTA allow
prioritizing the preventive and corrective measures to minimize the probability of failure. An analysis
of a case study is performed; it consists in the terminal for unloading chemical and petroleum
products, and the fuel storage facilities of two companies, in the port of Valencia (Spain). HAZOP
analysis shows that loading and unloading areas are the most sensitive areas of the plant and where
the most significant danger is a fuel spill. FTA analysis indicates that the most likely event is a fuel
spill in tank truck loading area. A sensitivity analysis from the FTA results show the importance of
the human factor in all sequences of the possible accidents, so it should be mandatory to improve
the training of the staff of the plants.
Keywords: risk; HAZard and OPerability analysis (HAZOP); Fault Tree Analysis (FTA); fuel; storage
1. Introduction
Technological and social development has led to an increase in the size and complexity of chemical
plants. At the same time, the existence of such plants and the transport of their products involve
certain risks that need to be controlled and minimised [1,2].
Risk is understood as the possibility that someone or something is adversely affected by
a hazard [3], while danger is defined as any unsafe situation or potential source of an undesirable
and damaging event [4]. Other definitions of risk are the measure of the severity of a hazard [5],
or the measure of the probability and severity of adverse effects [6].
In recent decades, interest in the safety of chemical industrial plants has greatly increased [2,7].
This has led to the development of a scientific discipline known as process safety that focuses on
the prevention of fires, explosions, and accidental chemical releases in chemical processing facilities [8].
This discipline has as objective to improve prevention in the facilities, learning from accidents and
from continuous analysis of the production process.
Directive 2012/18/EU (or Seveso III) [9] defines as a serious accident an event (such as a major
leak, fire, or explosion) resulting from an uncontrolled process during the operation of any plant and
producing a serious danger, whether immediate or delayed, to human health or the environment, inside
Int. J. Environ. Res. Public Health 2017, 14, 705; doi:10.3390/ijerph14070705 www.mdpi.com/journal/ijerph
Int. J. Environ. Res. Public Health 2017, 14, 705 2 of 26
or outside the plant, and involving one or more hazardous substances. Examples of serious accidents
in industrial processes include: Flixborough in Britain (1974), Seveso in Italy (1976), Bhopal in India
(1984), Enschede in the Netherlands (2000), Toulouse in France (2001) and Buncefield in Britain
(2005) [10–15]. In Spain, examples include an accident at the Repsol refinery in Puertollano (2003)
in which an explosion in a gas storage area killed nine workers and injured many others, as well as
causing property damage.
The complexity and severity of accidents at these plants requires the implementation of risk
management systems. The ISO 31000: 2010 [16] standard defines risk management as “coordinated
activities to manage and control an organisation with regard to risk” and comprises the following steps:
communication and consultation, establishing the context, risk assessment (identification, analysis,
and evaluation), risk treatment, monitoring, and review.
The purpose of this article is to show the procedure for risk analysis in chemical and allied
industries that is based on a combination of HAZard and OPerability analysis (HAZOP) and
a quantitative analysis of the most relevant risks through the development of fault trees, fault tree
analysis (FTA). HAZOP can identify possible fault root causes and their consequences and FTA
develops fault propagation pathways and provides a quantitative probability importance ranking of
fault causes. These results can guide the decision making of management staff to mitigate or avoid
potential process hazards. This working method is applied to a case study consisting of the terminal
for unloading chemical and petroleum products, and the fuel storage facilities of two companies,
in the port of Valencia (Spain).
This paper is organized as follows. Section 1 introduces the theme. Section 2 introduces the main
data of the chemical industry in Spain and the framework for risk assessment process of major
accidents. Section 3 introduces the methodology. Section 4 details a case study with the HAZOP
and FTA analysis. Section 5 presents the conclusions. Appendixs A–D present complementary
documentation of case study.
company which used in their process hazardous substances listed in the Appendix A or stored
hazardous substances listed in the Appendix B, or both, must develop (among other documents)
interior and exterior protection and emergency plans that include risk assessment.
During the implementation of Seveso I, there were more than 130 serious accidents in Europe
and new risks appeared due to technological advances. Consequently, the European Commission
introduced Directive 96/82/EC (called Directive Seveso II) [20] in 1996. This directive classified plants
into “not affected”, “low risk” and “high risk” according to the quantities of dangerous substances
present. Seveso II was revised in Directive 2012/18/EU or Seveso III [9] with the aim of increasing
levels of protection for people, property, and the environment.
In Spain, in 2016, according to data from the Directorate General for Civil Defence [21],
there were 422 high risk plants subject to the Seveso directive and 470 low risk plants. The geographical
distribution is similar to that for turnover: Catalonia was first with 101 high risk plants (23.9%),
Andalusia with 70 (16.6%), the Valencian Community with 39 (9.2%) and the Basque Country with
28 (6.6%).
According to a study by Planas et al. [2], there have been 89 accidents in Spain since the beginning
of the twentieth century. Some 44% of these accidents occurred during transport, the most serious
accident occurring at Los Alfaques campsite in July 1978 where 217 people died. The second major
source of accidents were processing areas (19%); and the third source were storage areas. Explosions
occurred in 49% of accidents, leaks in 37% and fires in 24%.
The chemical industry has implemented improvements in process safety and environmental
protection with four strategies: inherent safer design; risk assessment processes; use of instrumented
safety systems; and the implementation of safety management systems. In the risk assessment
process, the HAZOP method is the technique most used to identify risks [2]. HAZOP studies
evolved from the Imperial Chemical Industries (ICI) as a “Critical Examination” technique formulated
in the mid-1960s. One decade later, HAZOP was published formally as a disciplined procedure to
identify deviations to the process industries by Kletz in 1978 [22], and some publications [23], corporate
guidelines, standards (IEC 61882 [24]) and national guidance notes (Nota Técnica Prevención (NTP)
238 [25]) were developed after.
3. Methodology
Risk assessment is the process of identifying, analysing, and evaluating the hazard posed by
an industrial plant and the main aim is the prevention and mitigation of accidents in potentially
hazardous facilities [26,27].
The phase of hazard identification is the process in which hazards are identified and recorded.
The analysis phase involves developing an understanding of the hazard and providing information
for evaluation. The evaluation phase involves comparing the estimated hazard levels with predefined
criteria to define the importance of the level of hazard and decide whether it is necessary to address
the hazard—as well as the most appropriate strategies and methods of hazard treatment [8].
Choosing the appropriate risk assessment techniques is a difficult decision that will depend on
factors such as the complexity of the problem, the methods for analysis of the amount of information
available, the need for quantitative data, and available resources [28]. Often, authors combine some
techniques with the purpose of blending, i.e., to take advantage of the strengths of each method whilst
compensating for their weaknesses.
In this paper, the methodology used is based on the combination of HAZOP analysis and
a quantitative analysis of the most relevant hazards by FTA. HAZOP is a qualitative technique
that carries out a structured analysis of the process and allows identifying the deviations that may take
place with regard to the intended functioning, as well as their causes and consequences. HAZOP does
not try to provide quantitative results but, in many situations, it is necessary to rank the identified
hazards, mainly to prioritize the actions to mitigate them because this decision depends of the risk level.
For this purpose, HAZOP is combined with other techniques; in these cases, quantitative techniques
Int. J. Environ. Res. Public Health 2017, 14, 705 4 of 26
such as FTA. It can identify the potential causes and the ways of failure and can assess quantitatively
Int. J.probability of development
Environ. Res. Public Health 2017, 14,of
705the accident. The blending of the two techniques was defined 4 of as
positive because minimize the uncertainty [29–31].
There are
There are many
many examples
examples of of blending
blending HAZOP
HAZOP and FTA in
and FTA in the
the literature:
literature: Demichela
Demichela et al. [32]
et al. [32]
developed the
developed the Recursive
Recursive Operability
Operability Analysis
Analysis (ROA),
(ROA), linking
linking HAZOP
HAZOP results
results and
and FTA
FTA development;
Cozzani et
Cozzani et al.
al. [33]
[33] developed
developed aa specific
specific methodological
methodological approachapproach to to analyse
analyse the
the risk
risk from
from hazardous
materials in
materials in marshalling
marshalling yards;yards; Casamirra
Casamirra et et al.
al. [34]
[34] integrated
integrated HAZOP,
and Failure
Failure Mode
Mode and and
Effect Analysis (FMEA) to assess the safety of a hydrogen refuelling
Effect Analysis (FMEA) to assess the safety of a hydrogen refuelling station; and Kim et al. [35] station; and Kim et al. [35]
combined HAZOP and FTA to carry out safety assessment of hydrogen
combined HAZOP and FTA to carry out safety assessment of hydrogen fuelling stations at Korea. fuelling stations at Korea.
The methodology
The methodology(Figure (Figure 1) begins
1) begins withwith a detailed
a detailed study ofstudy of the industrial
the industrial process and process
substances used. Subsequently, an historical analysis of accidents is
used. Subsequently, an historical analysis of accidents is made—which is the study and analysis made—which is the study and
of accidentsof accidents
in similar in similar
plants to plants to identify
identify risk and riskcauses.
and causes.
This This
stagestage is performed
is performed by by referring
referring to
to specialised
specialised scientific
scientific publications
publications andliterature
and literaturereview.
information, aa HAZOP
analysis is
analysis is conducted.
conducted. After AfterthetheHAZOP
sessions, thethe
possiblefault causes
fault andand
causes consequences
consequences of theof
the deviations
given deviations fromfromthe the
design are are
design identified. These
identified. datadata
These allow, according
allow, to the
according criteria
to the of the
criteria of
HAZOP team, identifying the initiating events, modelling the fault propagation
the HAZOP team, identifying the initiating events, modelling the fault propagation process, and finally process, and finally
building the
building thefault
faulttreetree analysis.
analysis. Subsequently
Subsequently a quantitative
a quantitative analysisanalysis is performed
is performed and resultsandobtained
rank risksrank
and risks
allowand allow prioritizing
prioritizing the corrective
the corrective and/or preventive
and/or preventive measures.measures.
the guide to verify the operating conditions and detect design errors or potentially abnormal operating
conditions (Figure
Int. J. Environ. 2). Health 2017, 14, 705
Res. Public 5 of 27
Figure 2. 2. HAZardand
HAZard andOPerability
OPerability analysis
Table 1. HAZard and OPerability analysis (HAZOP) guide word method. Source: ISO 31010: 2011
Table 1. HAZard and OPerability analysis (HAZOP) guide word method. Source: ISO 31010: 2011 [27].
Guide Word
Guide Word MeaningMeaning Example of Deviation
Example of Deviation
NO Absence of the variable to which it applies No flow in line
LESS Absence of thereduction
Quantitative variable to which it applies Less No
flowflow in line
MORE Quantitative increase Higher temperature
LESS Quantitative reduction Less flow
OTHER Partial or total replacement Other substances were added
INVERSE Opposite function Quantitative increase
to design intention Higher
Return flow temperature
Qualitative decline. Only part of what should
PART OF Partial or total replacement Part of volume Other substances
required were
by recipe was added
happen occurs
Qualitative increase. function to design
More is produced thanintention
In addition of the amount Return flow
of water of the process
intended was added
Qualitative decline. Only part of what Part of volume required by recipe
should happen occurs was added
3.2. Fault Tree Analysis
Qualitative increase. More is produced In addition of the amount of water
FTA is a technique to identify and analyse factors that may contribute
than intended ofto anprocess
the unwanted
event (called the “top or main event”). Causal effects are identified deductively and organised in a
logical manner and shown using a tree diagram that describes the causal factors and their logical
relationships (Table 2) with respect to the top event.
Int. J. Environ. Res. Public Health 2017, 14, 705 6 of 26
Table 2. Symbols used in fault trees. Source: ISO 31.010:2011 [27] and Vesely et al. [37].
Logic gate AND The output event happens only if all input events happen
Table 2. Symbols used in fault trees. Source: ISO 31.010:2011 [27] and Vesely et al. [37].
Int. J. Environ. Res. Public Health 2017, 14, 705 Failure of a component that has no identifiable6primary
of 27
Basic event
Symbol Meaning cause. It is the highestDescription
level of detail in the tree
Table 2. Symbols used
Logic inAND
gate fault trees.
The Source: ISO
output event 31.010:2011
Failure of aonly[27]
if alland
component Vesely
input eventset
with al. [37].cause undeveloped
a primary
Environ. Res. Public Health 2017, 14, 705 Undeveloped event 6 of 27
Symbol Meaning because of lack of information
Logic gate OR The output event occurs if any of the input events happen
Table 2. Symbols used
Logic inAND
gate fault trees.
The Source: ISO 31.010:2011
output event happens only[27] and
ifAallfault Vesely
input ethappen
events al. [37]. because of one or more antecedents
ealth 2017, 14, 705 Intermediate event
Failure of a component 6 through
that hasofno27identifiable primary cause. It is the highest level of
Basic event causes acting logic gates
bol Meaning Description
detail in the tree
Logic gate OR The output event occurs if any of the input events happen
used in
mbols Logic fault
gate AND trees. Source: ISO 31.010:2011
Undeveloped [27]
The output event happens only if allFailure and Vesely
input events et al. [37].
of6 aofcomponent
27 with a primary cause undeveloped because of lack of information
A fault treeevent can be used
Failure qualitatively
of a component that has tonoidentify potential
identifiable causes
primary cause. and
It is the the ways
highest levelinofwhich failure
Basic event Description
(the top event) detail or
occurs in the
Intermediate tree A fault event
quantitatively, or that occurs
both, to because of
calculate one
theor more antecedents
probability of causes
the topacting through
event fromlogic
Logic gate OR The output event occurs if any of the input events happen
t trees.The
ND Source:
outputISO event31.010:2011
Undeveloped [27]if and
only all Vesely
input et al.
events [37].
happen gates
the probabilities ofFailure causal of events.
a component with a primary cause undeveloped because of lack of information
Failure of a component that has no identifiable primary cause. It is the highest level of
Basic event Description
The stages
A faultfortree can be used of
the application this technique
qualitatively are:
to identify potential causes and the ways in which failure
The output event occurs detail in
Intermediate the tree
if any of the inputA fault event
events that occurs because of one or more antecedents causes acting through logic
ent happens only
Undeveloped if all input
events top event)
happen occurs
gates or quantitatively, or both, to calculate the probability of the top event from the
Failure (1) Failure
Define of athe top event.
component with a primary cause
It isundeveloped because
of of lack of information
event of a componentprobabilities
that has no identifiable
of causal primary cause.
events. the highest level
detailif in
ent occurs Atree
Intermediate fault
the(2) tree
input can
fault be stages
event used
that ofqualitatively
occurs fault
the tree: toFrom
of one identify
or moreofthe potential
thistop event,
antecedents causes
causesare: and
acting theimmediate
through ways
logic in which
causes failure
of the failure
event(the top event) occurs
gates or
are quantitatively,
established and or
it both,
is to
possible calculate
to the
identify probability
how these of the
failures top
can event
occur from
at the levels or
that ofhasa component
no identifiablewith a primary
primary cause
cause. It isundeveloped
the highest levelbecause
of of lack of information
probabilities of (1)causal
in Define
basic the top
events. event.
Aeefault tree event
can be thatused qualitatively
(2) Constructionone to identify
of the potential
fault tree: causes
From and
actingthe thelogic
top ways the
event, in which failure
set of possible immediate acauses of the failure
A fault occurs because
The stages
(3) for the of
or more
of this
aim to find are: through
the minimum faults, establishing mathematical
op event)
a primaryor quantitatively,
cause modes
undeveloped orbecause
are both, to
of calculate
lack ofand the
it is
information probability
possible to of the top
identify howevent
thesefrom the can occur at basic levels or
formulation from the relationships established in the fault tree. To achieve this, the “OR” gates
abilities of(1) Define
causal the topin
events. event.
basic events.
thatused qualitatively
because of oneto identify
orare replaced potential
the causes
“+” and
sign thelogic
(not ways in but
addition which failure
a union of conjunctions) andofthe
The stages(2)forConstruction
the application
(3) ofantecedents
of this
Qualitativefault tree:
are:theThe topaimevent,
to thethe
find possible
minimum immediate
set causes
of faults, thegates
“AND” by
failurea mathematical
or quantitatively, or both, the to
“x” calculate
sign the probability
(equivalent to the of the top event
intersection of from the
conjunctions). Boolean algebra is used.
modes are established formulation and fromit is possible
the to identifyestablished
relationships how these failures in the can tree.
fault occurTo at achieve
basic levels this,orthe “OR” gates
Define the top event. (4) events.
vely to identify potential
in basic causes
areFrom and evaluation:
replaced the by ways the in From
“+” which the frequency of failure of basic events, the probable frequency
(not addition but acauses
union of of conjunctions) and the gates “AND” by
e applicationof
Construction of the
of tree:
an are:
accident theistop event,
calculated the
(if it occurs) immediate the failure
y, or both,(3) to calculate
Qualitative theevaluation:
the “x” sign of (equivalent
The the
aim top toevent from
findtothethe the as well
intersection setofofas faults,
the most critical
conjunctions). Boolean
fault routes (i.e., the most
a mathematical
algebra is used.
modes are established and it is possible
probable among tocombinations
identify howofthese failuresevents
susceptible can occur that atmay
basic levels
cause theortop event).gates
ent. formulation from the relationships established in the fault tree. To
(4) Quantitative evaluation: From the frequency of failure of basic events, the probable frequency of achieve this, the “OR”
n basic events. evaluation enables a complete risk analysis before implementing and prioritising actions to
he hisfault
tree: are are:replaced
From the topby event,
anthe thesign
accident possible
is (not immediate
calculated (if butcauses
a union ofas thewell
of failure
conjunctions) and critical
the gates “AND” by
Qualitative evaluation: The improve aim to
the find the
safety minimum
and set itofof
the establishing
as the
routes (i.e., the most
shed and it is the possible
“x” sign to identify
probable howamong these
to failures
the intersection
combinations can occur
of of at basic levels
susceptible or that
events algebra
may is used.
cause the top event). Quantitative
ormulation from the relationships analysis canestablished
performed in the to fault
checkof tree.
the To achieve
effect thethis,
ofbasic basic the “OR”ingates
events the global risk assessment.
(4) Quantitative evaluation:
evaluation enables the frequency
a of
complete failure
risk analysis of events, the probable frequency of
om the top event,
re replaced by thethe “+”possible
These (not immediate
data addition
allow causes
but a union
prioritizing theof failure
the conjunctions) andbefore
theand implementing
gates “AND” bythe and prioritising actions to
ation: The aim antoaccident
find the isminimum
improve set(if
the of itfaults,
safety occurs)
and as preventive
well asaof
reliability the measures
themost critical
(i.e., thecontrol
complementarymost process.
ssible to identify how these failures can occur at
he “x” sign (equivalent to the intersection of conjunctions). Boolean algebra is used.basic levels or
the relationships probableestablished
among in
analysis the can
combinationsfaultbetree. of To
performed achieve
susceptible to this,
check the
the “OR”
that may
effect gates
of cause
the the top
basic event).
events in Quantitative
the global risk assessment.
Quantitative evaluation: 4. Application
From the to a Case Study:
frequency of failure TheofChemical
basic events, Terminal at the Port
the probable of Valencia
frequency of
he “+” sign (not addition but
evaluation enablesa union
These adata ofallow
risk analysis
prioritizing andthe the gatesimplementing
preventive “AND” by
measures and the
and prioritising
efforts of actions
the risk to control process.
on find the minimum
accident is calculated set of faults,
(ifapplication establishing
it occurs) as a mathematical
as the most is critical fault routes (i.e., the
improve The
valent to the intersection theofsafety
conjunctions). of the
and reliability Booleanofalgebra the system performed
is used. under study. for the A jetty andmost
complementary pipe work of the chemical
established in the
among combinations fault tree. To
of achieve
susceptible this, the
events that “OR” gates
may cause the at topthe
event). Quantitative
uation: From analysis terminal,
the frequency can4. asperformed
beof well
Application asofthe
athe events,
Case Study: storage
thethe probable
The offacilities,
the frequency
Chemical basicTerminal
events Port
of inatof
Port ofto These
risk storage facilities
valuationbut a union
enables a of conjunctions)
complete risk and
analysis gates
before “AND”
implementing by and prioritising actions
lculated (if itThese are
occurs) dataowned wellby
asallow as two
the companies:
prioritizing mostthe critical Terminales
fault routes
preventive measures Portuarias
(i.e.,and thethe SLefforts
most (TEPSA) of theandriskPetróleos de Valencia SA
control process.
mprove of conjunctions).
safety(PTROVAL) Boolean
and reliability algebra
of the system is ofused.
theunder study.
combinations of susceptible The
events application
[38,39]. thatBothmaycompanies
cause methodology
the work in theA
top event). is complementary
Quantitative for the
storage, sensitivity
jetty and
loading, andpipe work ofofthe
distribution chemical
nalysis can of
be failure
performed of terminal,
basicto events,
check as theeffect
well probable
as the of thefrequency
connected basic of facilities,
storage in the global
at therisk
of Valencia. These storage facilities are
es a complete 4. Application to a Case
analysis beforeStudy: into The two Chemical
implementing groups: Terminal
prioritising and at actions
oil. Porttoof Valencia
hese as wellallow asprioritizing
the most owned critical
the fault
by under routes
two companies: measures (i.e., the
and most
the efforts
Terminales Portuarias of the risk control process.
SL (TEPSA) and Petróleos de Valencia SA
ty and reliability of the system study. A complementary sensitivity
susceptible events The application
that (PTROVAL)
may cause of the the methodology
top event).
[38,39]. Both is performed
companies work forin thethejetty and pipestorage,
reception, work ofloading,
the chemicaland distribution of
to check as thewelleffectas of the
the basic events
connected storage in facilities,
the global at risk
the assessment.
Port of Valencia. These storage facilities are
sk analysis
plication to abefore implementing
Case Study: liquid The and
products—divided prioritising
Terminal into actions
at the
two Portto
groups: of Valencia
chemicals and oil.
prioritizing the preventive measures and the efforts of the risk control process.
y of the ownedsystem by under twostudy.companies: Terminales Portuarias
A complementary sensitivity SL (TEPSA) and Petróleos de Valencia SA
The application of the methodology is performed for the jetty and pipe work of the chemical
ck the effect (PTROVAL)
of the basic [38,39].
4.1. Both
Identification companies
the global
of Port
Products work
risk in the reception, storage, loading, and distribution of
as wellThe Chemical
as the connected Terminal
the atoftheValencia
Port of Valencia. These storage facilities are
preventive liquid products—divided
measures and the effortsinto of the two risk groups:
control chemicals
process. and oil.
d by two companies: Terminales TEPSA stores Portuarias SL (TEPSA)gasoline,
and distributes and Petróleos diesel, de Valenciaand
methanol, SA other chemicals in smaller
Int. J. Environ. Res. Public Health 2017, 14, 705 7 of 26
As aa result
result of
of this
this analysis,
analysis, itit can
can bebe seen
seen that,
that, in
in the
the areas
loading and
unloading liquid
products (Systems 1 and 3), the greatest danger is the possibility of
products (Systems 1 and 3), the greatest danger is the possibility of an uncontrolled an uncontrolled spill. The occurrence
spill. The
of this eventofisthis
occurrence closely
eventlinked to the
is closely effectiveness
linked of the staff
to the effectiveness responsible
of the for handling
staff responsible the tasks.
for handling the
Relative to System 2, the risk of a fuel loss in the pipelines and leakage or fuel loss in
tasks. Relative to System 2, the risk of a fuel loss in the pipelines and leakage or fuel loss in the storage the storage tanks
noteworthy. The latter
is noteworthy. Theevent
eventbe caused
could by overfilling
be caused or a partial
by overfilling or arupture of the tank.
partial rupture Special
of the tank.
attention must be given to such events because they can cause fires and explosions
Special attention must be given to such events because they can cause fires and explosions that may that may have more
have moreconsequences for the plantfor
serious consequences and theitsplant
staff.and its staff.
Table Systems,subsystems,
System Sub-System
Sub-System Nodes
1.1.1 Docking ship at terminal
Connection ship 1.1.1 Docking ship at terminal
1.1 Connection ship 1.1.2 Extension of marine loading arm
1.1 terminal 1.1.2 Extension of marine loading arm
terminal 1.1.3 Joining
1.1.3 Joiningofofmarine
11 Unloadingship
Unloading ship 1.2.1 Opening of valves
1.2.1 Opening of valves
1.2.2 Product movement
1.2 Transfer to tanks 1.2.2 Product movement
1.2 Transfer to tanks 1.2.3 Closure of valves
1.2.3 Closure of valves
1.2.4 Cleaning
2.1.1 Opening tank valves
2.1.1 Opening tank valves
Storage of product in 2.1 Filling tanks 2.1.2 Filling tank
2 Storage of product 2.1 Filling tanks 2.1.2 Filling tank
2 2.1.3 Closing
in tanks 2.1.3 Closingtank
2.2 Product storage 2.2.1 Product storage
2.2 Product storage 2.2.1 Product storage
Arrival at loading 3.1.1 Positioning of tank truck
Arrival at loading 3.1.1
3.1.2 Positioning
Flexible hose of tank truckto tank truck
Loading product in tank 3.1
3 station 3.1.2
3.2.1 Flexible tank
Opening hose truck
valvesto tank truck
Loading product
3 3.2 Transfer from tanks 3.2.2 Transfer
in tank truck 3.2.1 Openingand filling
tank truckofvalves
Transfer from 3.2.2 Transfer and filling of tank
3.2 3.2.3 Valve closure
3.2.3 Valve closure
ID ID Sub-
Id Nodes Guide Word Parameter
System System
1.1.1 Wrong/More Mooring/Speed
1.1.2 Other/No/Less Direction/Movement/Safety
Element/Connection/Electrical Isolation
1.1.3 Other/No/No/Less
1.2.1 No/Less/More/More/More Flow/Flow/Speed/Static Electricity/Corrosion
More- Pressure/Maintenance/Flow/Static
Less/Less/Less/More/Yes/More Electricity/Collision/Corrosion
Int. J. Environ. Res. Public Health 2017, 14, 705 9 of 26
ID System ID Nodes Guide Word Parameter
1.1.1 Wrong/More Mooring/Speed
1.1.2 Other/No/Less Direction/Movement/Safety
1 Element/Connection/Electrical
1.1.3 Other/No/No/Less
Isolation /Safety
1.2.1 No/Less/More/More/More
1.2.2 More-Less/Less/Less/More/Yes/More
1.2.3 Yes/More/More-Less/More/More
1.2.4 No/Less Cleaning/Pressure
2.1.1 No/Less/More/More/More
2.1.2 More/More Level/Static electricity
2.1.3 Yes/More/More-Less/More/More
2.2 2.2.1 Yes/More/More/Less
Entry into the loading
3.1.1 Wrong/Wrong/Different bay/Manoeuvrability at the loading
bay/Loading position
3.1.2 Less/Less Connection/Safety
3.2.1 No/Less/More/More/More
Level/Connection/Stop filled/Static
3.2.2 More/No/Yes/More/Less
3.2.3 Yes /More/More-Less/More/More
ID: Identity.
Int. J. Environ. Res. Public Health 2017, 14, 705 10 of 26
4.4. Fault
Fault Tree
Tree Analysis
By using
using HAZOP
HAZOP analysis,
analysis, four
four events
events were
were extracted
extracted for analysis using
for analysis using the
the fault
fault tree
tree technique.
These events or top events were:
These events or top events were:
Top event (1): Fuel
Fuel spill
spill in
in ship-terminal
ship-terminal unloading area.
Top event (2): Fuel leak in pipelines.
Fuel leak in pipelines.
Top event
event (3):
(3): Fuel
Fuel spill
spill in
in storage
storage tank.
Top event (4): Fuel spill in tank truck loading
event (4): Fuel spill in tank truck loading area.
The faults and relationships for each top event have been identified and a logical combination
The faults and relationships for each top event have been identified and a logical combination
of incidents has been deduced that can trigger unwanted events. In this way, each tree contains
of incidents has been deduced that can trigger unwanted events. In this way, each tree contains
information about how the combination of certain faults leads to overall failure (Figure 4). Appendix
information about how the combination of certain faults leads to overall failure (Figure 4). Appendix B
B presents the fault trees of the other top events.
presents the fault trees of the other top events.
Figure 4.
Figure 4. Top
Top event
event fault
fault tree
tree (1).
Once the fault trees have been made, the mathematical expressions are defined ant the
Once the fault trees have been made, the mathematical expressions are defined ant the probability
probability values are calculated according to the Boolean algebra related to FTA (Tables 6 and 7).
values are calculated according to the Boolean algebra related to FTA (Tables 6 and 7).
Int. J. Environ. Res. Public Health 2017, 14, 705 12 of 26
From these equations and data on the frequency of failures of basic events, a quantitative
assessment of the trees enables a calculation of the probability of the occurrence of the top event
(year−1 ). The procedure for calculating the top event (1) is shown in Table 7. In the four analysed
top events, some 19 basic events are defined and fault frequencies were determined using data
from the Spanish National Institute on Health and Safety at Work [45] and research on fuel
storage [12,41,46,47]. In the Appendix C similar tables are developed for the others top events.
In Table 8, the results of failure frequency for each of the top events and their ways of failure
are presented. A column called “Importance” has been added in order to show the importance of
the failure frequency of the events (and also of their ways of failure) developed through the fault tree
technique. The results indicate that the top event (4) “Fuel spill in tank truck loading area” has a failure
rate of 1.7 events/year, i.e., 85% of the events developed through the fault tree technique. There are two
ways a top event (4) can be generated: the first is via a “connection leak” with an importance of 80.28%
and the second is via “leak caused by broken hose” which accounts for 5.02% of importance. If the basic
events are analysed, the main causes for a connection leak are a bad hose connection and a response
failure following the detection of an emergency (incorrect staff response, failure of the acoustic alarm,
or seizure of the manual closure valve).
The next most significant source of risk for the overall failure sequence is “connection leakage”
in the top event (1) “Fuel spill in ship-terminal unloading area” (with a failure frequency of
0.17 events/year). This event occurs following a loss of product (caused by a bad connection of
the loading arm or damaged parts) together with human error. The probability of occurrence is low
since it is one of the most complex operations and involves very strict protocols.
Int. J. Environ. Res. Public Health 2017, 14, 705 13 of 26
A sensitivity analysis has been performed (see Appendix D) in order to check the effect of the
Int. J. Environ. Res. Public Health 2017, 14, 705
14 of 27
events in the global risk assessment. In the top event (1) (Table 9 and Figure 5), the basics events with
more influence
0.0862 0.0375in the sequence
0.1696 of the accident
0.2070 0.0862are in order of importance: operator
0.0373 0.1698 distracted, operator
0.0857 badly
failure, 0.0375 0.1695 loading
connecting 0.2069 arm and0.0857
collision against0.0373 0.1698
jetty during manoeuvres. In the0.2071
top event
(2) are9corrosion,
operator A
distracted and with the same importance vehicles collision and fatigue
0.0090 0.0375 0.1698 0.2073
In the top
(3) are operator
failure and with equal importance the failure of the sensor level
and the
0.0089 failure
0.0375 of response
0.1698 of the
0.2073 shut-off valve. In the top event (4) are hose incorrectly connected,
after with equal
0.0088 0.0375 importance,
0.1698 the acoustic signal failure and the sticking of the manual shut-off valve,
and 0.0375 level
in the fourth 0.1698 0.2073 failures. These results show the importance in all the sequences of
the operator
0.0087 0.0374 0.1698 0.2073
the failure or distraction
0.1698 0.2073
of the operators, so it should be mandatory a plan for training
the staff of 0.0374
0.0086 the plants. Planning
0.1698 of the maintenance actions of the facility must take into account both
the general0.0374
0.0086 results from
0.1698the 0.2073
risk assessment and the results from the sensitivity analysis.
0.2200 Event 1
Top Event (year-1)
0.2150 Event 2
Event 3
Event 4
Event 5
0.2000 Event 6
0.1950 Event 7
Event 8
Event 9
- 0.1000 0.2000 0.3000 0.4000 0.5000 0.6000 0.7000 0.8000 0.9000 1.0000
Event (year-1)
5. Conclusions
In this paper, a methodology that combines HAZOP analysis and FTA is used. HAZOP analysis
identifies the risks and their possible causes and consequences. FTA, based on the HAZOP analysis,
represents the fault propagation pathways and produces a qualitative and quantitative assessment
of the sequences of events that can lead to accidents or serious failures. Results from FTA allow
Int. J. Environ. Res. Public Health 2017, 14, 705 14 of 26
5. Conclusions
In this paper, a methodology that combines HAZOP analysis and FTA is used. HAZOP analysis
identifies the risks and their possible causes and consequences. FTA, based on the HAZOP analysis,
represents the fault propagation pathways and produces a qualitative and quantitative assessment
of the sequences of events that can lead to accidents or serious failures. Results from FTA allow
prioritizing the preventive and corrective measures in order to minimize the probability of failure.
An analysis of case study about a fuel storage terminal is performed. HAZOP analysis shows that
loading and unloading areas are the most sensitive areas of the plant and where the most significant
danger is a fuel spill—tasks that can produce such an event are closely supervised by staff. Tasks related
to transferring fuel from ships to tanks and storage tanks are the most automated and so the influence of
personnel is reduced—although the consequences are more serious if an accident occurs. FTA analysis
Int. J. Environ. Res. Public Health 2017, 14, 705 15 of 26
indicates that the most likely event is “Fuel spill in tank truck loading area” and the sequence of
events that would most likely cause such an event is a “connection leakage” caused by improper
hose connection and a failure of emergency systems. A sensitivity analysis of the FTA results shows
the importance of the human behaviour in all sequences of the possible accidents. A slight increase or
decrease of the frequency of failure of human operations generate an important increase or decrease,
respectively, of the frequency of failure of the top event, so corporation’s prevention plans must
increase the training of the staff, develop of automatic control measures and develop or improve
control procedures to check the human operations.
In future research, we will apply a similar analysis to other type of plant, as LNG plants or storage
of chemical products at a process plant, in order to improve the use of the combined method and to
compare results from the risk assessments. In this way, we will build a database of HAZOP cases and
FTA analysis and could improve the maintenance plans of the various types of plants.
Acknowledgments: This paper was funded by the Universitat Politècnica de València and UNED, both of Spain.
Author Contributions: Mª Piedad Baixauli Pérez and José Luis Fuentes-Bargues conceived, designed and
performed the experiments. Cristina González-Gaya analysed the state of the art about Major Hazards.
José Luis Fuentes-Bargues wrote the paper and Mª Carmen González-Cruz and Cristina González-Gaya revised
the document.
Conflicts of Interest: The authors declare no conflict of interest.
Products Origin of
Date Location Description
Involved Accident
Explosion of a tank of 1400 m3 containing crude oil. The roof
2010 Oil Explosion was ejected several meters away and the tank’s base slightly lifted.
(France) [44]
The most probable ignition source is an electrostatic discharge.
In the plant of the Caribbean Petroleum Corporation (a storage,
distribution, and fuel blending service) the failure of the sensor
Bayamón (Puerto Gasoline, Diesel, system for filling a gas tank caused a fuel spill that triggered a series
2009 Spill
Rico) [43] Kerosene of explosions and fires. The disaster affected 18 tanks, destroyed 50%
of the plant, and caused considerable damage to the environment
and the local area.
Accident took in the facilities of company Vest Tank AS, on the
Sløvâg industrial area. The first explosion took place in a tank where
the base–shell weld ruptured and the upper part of the tank was
launched up in the air and landed in the north-eastern corner of Tank
Farm II. Subsequent explosions and fires destroyed the other tank
Sløvâg (Norway) farm. There were no casualties in the accident. This accident
2007 Gasoline Fire
[44] occurred during purification of coker gasoline (reduction of the
content of mercaptans). The investigation found that addition of
hydrochloric acid during the process reduced the solubility of
mercaptans in the solution, leading to the build-up of a flammable
mixture. Air filter with activated carbon placed on the roof absorbed
mercaptans, leading to a self-ignition and the explosion.
An explosion occurred at Umbria Oil plant near Spoleto, Italy,
when five workers were welding a structure on the roofs of several
tanks. Firstly, one tank containing raw pomace oil exploded, rising
up of about 10 m. This first explosion led to a pool fire that spread
2006 Spoleto (Italy) [43] Oil Explosion
in the tanks’ park. One hour later, two other tanks exploded, with
rupture of the bottom welding, ejecting missiles of 10 tons 80 m away
near warehouses storing by-products and packaging materials.
Four workers lost their life in this accident.
The explosion at Partridge-Raleigh Oilfield was caused by sparks of
2006 Petroleum Explosion the welding of pipes that joined tanks. Three workers died and other
(USA) [44]
suffered serious injuries.
In the storage terminal known as “Buncefield depot” 300 tons of
gasoline overflowed in a storage tank because of a high-level device
failure and the failure of safety device that close the filling valves and
2005 Gasoline Spill raise the alarm. Fire broke out when the gasoline vapour cloud
(England) [13,43]
ignited. The ignition source may have been a backup generator,
or a spark produced by a vehicle. In total, 20 storage tanks
(containing 13.5 million litres each) burned for several days.
LNG: Liquefied Natural Gas.
Int. J. Environ. Res. Public Health 2017, 14, 705 16 of 26
Products Origin of
Date Location Description
Involved Accident
The steam boiler of the LNG production plant exploded, triggering
a second, more massive vapour-cloud explosion and fire.
Skikda (Algeria)
2004 LNG Explosion The explosions and fire destroyed a portion of the LNG plant and
caused 27 deaths, 74 injuries, and material damage outside the
plant’s boundaries.
Puertollano (Spain) An explosion in a naphtha tank in the refinery resulted in an intense
2003 Naphta Explosion
[10] fire that spread to six other tanks containing 8600 m3 of gasoline.
In a Conoco-Phillips plant a diesel tank exploded with 900 m3 of fuel,
triggering a fire that involved three other liquid fuel storage tanks.
Oklahoma (USA)
2003 Diesel Explosion The cause of the incident was the generation of a volatile mix inside
the tank after it was emptied. The likely source of ignition
was an electrical discharge from a nearby line.
Kansas (USA) A worker who was checking the level of oil in a storage tank at night
2001 Crude petroleum Fire
[10,12] lit a match. The flame ignited vapours and caused a huge explosion.
Hampshire (United A crack in the bottom of a storage tank of crude oil (caused by
2000 Crude petroleum Leak
Kingdom) [10] corrosion) caused a catastrophic spill of crude oil.
In the tank farm of Ashdod Oil Refinery the explosion of a 15,000 m2
gasoil tank caused loss of one worker. The investigation concluded
that a non-complete gasoil stripping with hydrogen at the exit of
1997 Ashdod (Israel) [12] Gasoil Leak
gasoil hydro treating unit caused penetration of hydrogen inside
the tank. The source of ignition was most likely electrostatic spark
initiated by synthetic rope used to get samples out the tank.
During a welding operation near the wastewater tank that contained
a layer of flammable liquid, sparks ignited flammable vapours at
Rouseville (USA)
1995 Wastewater Tank Explosion openings in the tank. The deflagration caused the tank to fail at
the bottom seam and shoot into the air. Five workers died and fire
ignited other tanks and caused loud explosions.
A Danish petroleum tanker with 22,000 tons of naphtha on board
collided with the REPSOL wharf in Tarragona during docking.
The collision broke three pipes on the wharf containing naphtha,
Port of Tarragona Naphta, fuel oil
1993 Fire fuel oil, and crude oil—fire quickly broke out and produced a thick
(Spain) [12] and crude oil
smoke. The combustion wastes contaminated nearby beaches.
REPSOL estimated that damage to the wharf totalled the equivalent
of €18 million.
Santander (Spain) A fire started during cleaning operations in an empty oil tank at
1988 Diesel Fire
[12] a CAMPSA (now CLH) plant.
A fire started in an enlarged Shell terminal holding up to 43,000 m3
of Class B oil products (gasoline and kerosene among others) and
Lyon (France) Gasoline and Class D products (asphalt). Nearly 7000 m3 of products were burned,
1987 Fire
[10,12] kerosene two people dead, and 16 were seriously injured. The causes are
unknown, although it is known that changes were being made to
the wiring system.
A fire caused by a fuel oil leak in an ESSO Pappas terminal set 10 of
the 12 storage tanks ablaze. The fire lasted eight days, extended over
Thessaloniki 75% of the total area of the terminal, and destroyed the stationary
1986 Fuel-oil Leak
(Greece) [41] fire-fighting system, as well as the systems controlling pumps and
loading. The fire started during maintenance work after a leak
in a tank went undetected.
At an AGIP plant a cloud of gasoline vapour exploded and damaged
nearby houses. Windows broke up to 600 meters away. Tanks of
Port of Naples gasoline, kerosene, and diesel were set on fire. The incident resulted
1985 Gasoline Spill
(Italy) [41,43] in four deaths and 170 injuries. Twenty-four of the 32 storage tanks
were affected. The probable cause was an accident when unloading
a ship or a storage tank overflow.
An overfilled floating roof tank spilled 1300 barrels of gasoline.
New Jersey (USA) The resulting explosion destroyed two storage tanks and
1983 Gasoline Spill
[41] a neighbouring terminal. A cloud of vapour was blown to a nearby
incinerator and set it on fire as well.
In the river port area, a fire started in the storage area with 24 diesel
and fuel oil storage tanks of between 1500 and 4700 m3 capacity.
1979 (Germany) Gasoil Fire
The accident occurred during the renovation of thermal insulation of
the storage tanks.
A fire broke out in a plant with eight large tanks of petroleum
products. Two of the gasoline storage tanks caught fire as well as
Stockton (USA) Gasoline and various tanks containing additives. All stocks of foam within 90 km
1978 Leak
[10,12] additives were used. The origin was a leak from a gasoline tank that produced
a cloud of vapour which travelled about 220 m and came into contact
with a water heater in a nearby yard.
LNG: Liquefied Natural Gas.
Int. J. Environ. Res. Public Health 2017, 14, 705 17 of 26
Figure A1. Top event fault tree (2).
Appendix C.
C. Qualitative
Quantitative Top
Top Events
0.0090 Event 2
Int. J. Environ. Res. Public Health 2017, 14, 705 Event 3
0.0085 Event 323 of 27
0.0080 Event 4
0.0080 Event 4
0.2042 0.0070 0.0617 0.0123 0.0740 0.0862 0.0629 0.0123 0.0751
Event 6
0.1992 0.0065 0.0613 0.0123 0.0735 0.0857 0.0628 0.0123 Event 7
0.0065 Event 7
Event 5 0.0060 B C A Event 6 B C A
0.00239 0.0060 0.0630 0.01246 0.07547 0.0024 0.0630 0.01246 0.07547
0.00234 0.0055 0.0630 0.01241 0.07542 0.0023 0.0630 0.01241 0.07542
- 0.1000 0.2000 0.3000 0.4000 0.5000 0.6000 0.7000 0.8000 0.9000 1.0000
0.00229 0.0630
- 0.01236
0.1000 0.075370.4000 0.5000
0.2000 0.3000 0.0023 0.0630
0.6000 0.7000 0.8000 0.90000.01236
1.0000 0.07537
0.00224 0.0630 0.01231 Event 0.0022
0.07532 Event (year-1) 0.0630 0.01231 0.07532
0.00219 0.0630 0.01226 0.07527 0.0022 0.0630 0.01226 0.07527
0.00214 0.0630 0.01221 0.07522 0.0021 0.0630 0.01221 0.07522
Figure A4. Sensitivity Analysis for the Top event (2). Events 1 to 7.
0.00209 0.0630 Figure
Figure A4.Sensitivity
0.01216 0.07517Analysis
Sensitivity for the
for theTop
event (2).Events
0.0630 Events 1 to
7. 7.
to 0.07517
0.00204 0.0630 0.01211 0.07512 0.0020 0.0630 0.01211 0.07512
0.00199 0.0630 0.01206 0.07507 0.0020 0.0630 0.01206 0.07507
Sensitivity Analysis Top Event (2)
Event 7 B C Sensitivity
A Analysis
Event 8 Top EventB (2) C A
0.00457 0.0105 0.0630 0.01246 0.07547 0.00195 0.0630 0.01246 0.07547
0.00452 0.0100 0.0630 0.01241 0.07542 0.00190 0.0630 0.01241 0.07542
0.00447 0.0100 0.0630 0.01236 0.07537 0.00185 0.0630 0.01236 0.07537
0.00442 0.0095 0.0630 0.01231 0.07532 0.00180 0.0630 0.01231 0.07532
Event 1
0.00437 0.0090 0.0630 0.01226 0.07527 0.00175 0.0630 0.01226 Event 1
Event 9 0.0070 B C A
Table Analysis
A9. Sensitivity Top
Analysis forEvent
the Top(3)
event (3).
Table A9. Sensitivity Analysis for the Top event (3).
Top Event (3) Leak in Storage Tank
Top Event (3) Leak in Storage Tank
0.0900 Equations System A = B + C = (2 × 1) + (3 × 1) + (4 × 1) + 5 + 6 + 7 + 8 + 9
Equations System A = B + C = (2 × 1) + (3 × 1) + (4 × 1) + 5 + 6 + 7 + 8 + 9
Event 1 B C A Event 2 B C A
Event 1 B C A Event 2 B C A
0.0850 0.0774 0.0123 0.0896 0.4320 0.0648 0.0123 0.0770
0.1077 0.0774 0.0123 0.0896 0.4320 0.0648 0.0123 0.0770 1
0.1027 0.0738 0.0123 0.0860 0.4270 0.0643 0.0123 0.0766
0.1027 0.0738 0.0123 0.0860 0.4270 0.0643 0.0123 0.0766
Event 2
Top Event (year-1)
Event 1
Top Event (year-1)
1.7200 Event 2
Event 3
Event 4
1.7000 Event 5
Event 6
Event 7
1.6800 Event 8
- 0.1000 0.2000 0.3000 0.4000 0.5000 0.6000 0.7000 0.8000 0.9000 1.0000
Event (year-1)
Figure SensitivityAnalysis
A7.Sensitivity Analysisfor
Top event
event (4).
1. Tixier,
Tixier, J.;
J.; Dusserre,
Dusserre, G.; G.; Salvi,
Salvi, O.;
O.; Gaston,
Gaston, D. D. Review
Review of 62 analysis methodologies
methodologies of of industrial
industrial plants.
plants. J.J. Loss
Prev. Process Ind. 2002, 15, 291–303.
Prev. Process Ind. 2002, 15, 291–303. [CrossRef]
2. Planas,
Arnaldos, J.;J.;
Muñoz, M.; M.;
Pastor, E.; Vílchez,
Pastor, J.A. Historical
E.; Vílchez, evolution
J.A. Historical of process
evolution safety
of process
and major-accident
safety and major-accident hazardshazards
prevention in Spain.
prevention Contribution
in Spain. of the of
Contribution pioneer Joaquim
the pioneer Casal. Casal.
Joaquim J. LossJ.Prev.
Process Ind. 2014,
Prev. Process Ind.28, 109–117.
2014, 28, 109–117. [CrossRef]
3. Woodruff,
Woodruff, J.M. J.M. Consequence
Consequence and and likelihood
likelihood in in risk
risk estimation:
estimation: AAmattermatterofofbalance
balancein inUKUK health
health and
and safety
345–353. [CrossRef]
4. Reniers,G.L.L.;
Reniers, G.L.L.;Dullaert,
Dullaert,W.; W.; Ale,
Ale, B.J.M.;
Soudan,K. K.Developing
Developingan anexternal
Hazwin. LossPrev.
2005,18,18, 127–138. [CrossRef]
5. Høj,N.P.;
Høj, N.P.;Kröger,
Kröger,W. W.Risk
analysesofof transportation
transportation ononroadroadandand railway
railway from from a European
a European perspective.
perspective. Saf.
Sci. Sci. 2002, 40, 337–357. [CrossRef]
40, 337–357.
6. Haimes,Y.Y.
Haimes, Modelling, Assessment
Y.Y. Risk Modelling, Assessment and and Management,
Management, 3rd 3rd ed.;
ed.; John
John Wiley
Wiley &
& Sons
Sons Inc.:
Inc.: San
Francisco,CA, CA,
USA, 2009.
7. Marhavilas,P.K.;
Marhavilas, P.K.; Koulouriotis,
Koulouriotis, D.; D.; Gemeni,
Gemeni,V. V. Risk
Risk analysis
analysis and
and assessment
methodologiesin inthe
On aa review,
On review, classification
classification andand comparative
comparative study study of of the
the scientific
scientific literature
literature of
of the
the period 2000–2009. J.J. Loss
period 2000–2009. Loss
Prev. Process
Prev. ProcessInd. Ind.2011,
477–523. [CrossRef]
8. Center for
Center for Chemical
Chemical Process
Process Safety
Safety (CCPS). Guidelinesfor
(CCPS). Guidelines for Engineering
Designforfor Process
Process Safety,
Safety, 2nd
2nd ed.;
American Institute of Chemical Engineers: New
American Institute of Chemical Engineers: New York, NY, USA, 1993. York, NY, USA, 1993.
9. EuropeanUnion.
European Union.Directive
Directive 2012/18/EU
2012/18/EU of theof European
the European Parliament
Parliament and
and the the Council
Council of 4th of July
4th of July
2012 on2012the
on the of
control control of major-accident
major-accident hazards hazards
dangerous dangerous
substances, substances,
amendingamending and subsequently
and subsequently repealing
directive directiveOff.96/82/EC. Off. J.2012,
J. Eur. Union Eur.1–37.
Union 2012, 1–37.
10. Persson,H.;
Persson, H.;Lönnermark,
Lönnermark,A. Tank Fires:
A.Tank Fires: Review
Review of of Fire
Fire Incidents
1951–2003;SP SPSwedish
Testing andand
Research Institute: Borås, Sweden,
Research Institute: Borås, Sweden, 2014. 2014.
11. Hailwood,M.;
Hailwood, M.;Gawlowski,
Gawlowski,M.; M.;Schalau,
Schalau,B.; B.; Schönbucher,
Schönbucher,A. A. Conclusions
Conclusionsdrawndrawnfromfrom thethe Buncefield
Buncefield and and
Naples incidentsregarding
regardingthe the utilization
utilization of of consequence
consequence models.
models. Chem.Chem.
Eng.Eng. Technol.
Technol. 2009,2009, 32, 207–231.
32, 207–231.
12. [CrossRef]
Casal, J.; Montiel, H.; Planas, E.; Vílchez, J.A. Análisis del Riesgo en Instalaciones Industriales; Edicions UPC:
12. Casal, J.; Montiel,
Barcelona, Spain, 1999.H.; Planas, E.; Vílchez, J.A. Análisis del Riesgo en Instalaciones Industriales; Edicions UPC:
(In Spanish)
13. Barcelona,
Batista Abreu, Spain, 1999. (In
J.; Godoy, Spanish)
L.A. Investigación de causas de explosiones en plantas petrolíferas: El accidente de
13. Batista Abreu,
Buncefield. Rev.J.; Godoy,
Int. DesastresL.A.Nat.
Accid. Infraest. de Civ.
causas de9,explosiones
2009, 187–202. (Inen plantas petrolíferas: El accidente
14. Rev. Int. Desastres Nat. Accid. Infraest. Civ.
Willey, R.J.; Hendershot, D.C.; Berger, S. The accident in Bhopal: Observations(In
de Buncefield. 2009, 9, 187–202. 20Spanish)
years later. Process. Saf. Prog.
14. Willey, R.J.; Hendershot,
2007, 26, 180–184. D.C.; Berger, S. The accident in Bhopal: Observations 20 years later. Process. Saf. Prog.
15. 2007, 26, 180–184.
Homberger, [CrossRef]
E.; Reggiani, G.; Sambeth, J.; Wipf, H.K. Seveso Accident, its nature, extent and consequences.
Ann. Occup. Hyg. 1979, 22, 327–370.
Int. J. Environ. Res. Public Health 2017, 14, 705 25 of 26
15. Homberger, E.; Reggiani, G.; Sambeth, J.; Wipf, H.K. Seveso Accident, its nature, extent and consequences.
Ann. Occup. Hyg. 1979, 22, 327–370. [PubMed]
16. International Standard Organization (ISO). Risk Management. In Principles and Guidelines on Implementation;
ISO 31000:2010; ISO: Geneva, Switzerland, 2010.
17. Federación Empresarial de la Industria Química Española (FEIQUE). Estadísticas\Radiografía Económica del
Sector Químico 2016. Available online: www.feique.org/pdfs/Radiografia_Economica_del_sector_2016.pdf
(accessed on 17 January 2017). (In Spanish)
18. Federación Empresarial de la Industria Química Española (FEIQUE). Estadísticas de Seguridad\Informe
de Siniestrabilidad 2013. Available online: www.feique.org/pdfs/informeseguridad2015.pdf (accessed on
17 January 2017). (In Spanish)
19. European Union. Directive 82/501/CEE of the Council of 24 June 1982 on the major accident hazards of
certain industrial activities. Off. J. Eur. Union 1982, 1, 1–18.
20. European Union. Directive 96/82/EC of 9 December 1996 on the control of major-accident hazards involving
dangerous substances. Off. J. Eur. Union 1996, 1, 13–33.
21. Dirección General de Protección Civil (DGPC). ¿Qué Hacemos?/Riesgos: Prevención y
Planificación/Tecnológicos/Químicos/Distribución. Available online: www.proteccioncivil.es/riesgos/
quimicos/distribucion (accessed on 17 January 2017). (In Spanish)
22. Kletz, T.A. What you don’t have can’t leak. Chem. Ind. 1978, 6, 287–292.
23. Kletz, T.A. HAZOP and HAZAN. In Identifying and Assessing Process Industry Hazards, 4th ed.; IChemE:
Rugby, UK, 1999.
24. International Electrotechnical Commission (IEC). Hazard and Operability Studies (HAZOP Studies)—Application
Guide; IEC 61882:2001; IEC: Geneva, Switzerland, 2016.
25. National Institute of Health and Safety at Work (NIHSW). Papers Prevention. Nº 238: HAZOP at Processing
Facilities. Available online: www.insht.es/InshtWeb/Contenidos/Documentacion/FichasTecnicas/NTP/
Ficheros/201a300/ntp_238.pdf (accessed on 13 July 2015). (In Spanish)
26. Dunjó, J.; Fthenakis, V.; Vílchez, J.A.; Arnaldos, J. Hazard and operability (HAZOP) analysis. A literature
review. J. Hazard. Mater. 2009, 173, 19–32. [CrossRef] [PubMed]
27. Demichela, M.; Camuncoli, G. Risk based decision making. Discussion on two methodological milestones.
J. Loss Prev. Process Ind. 2014, 28, 101–108. [CrossRef]
28. Mitkowski, P.T.; Bal, S.K. Integration of Fire and Explosion Index in 3D Process Plant Design Software.
Chem. Eng. Technol. 2015, 38, 1212–1222. [CrossRef]
29. Bendixen, L.; O’Neill, J.K. Chemical plant risk assessment using HAZOP and fault tree methods.
Plant Oper. Prog. 1984, 3, 179–184. [CrossRef]
30. Ozog, H. Hazard identification, analysis and control: A systematic way to assess potential hazards helps
promote safer design and operation of new and existing plants. Chem. Eng. 1985, 92, 161–170.
31. Ozog, H.; Bendixen, L. Hazard identification and quantification: The most effective way to identify, quantify,
and control risks is to combine a hazard and operability study with fault tree analysis. Chem. Eng. Prog.
1987, 83, 55–64.
32. Demichela, M.; Marmo, L.; Piccinini, N. Recursive operability analysis of a complex plant with multiple
protection devices. Reliab. Eng. Syst. Saf. 2002, 77, 301–308. [CrossRef]
33. Cozzani, V.; Bonvicini, S.; Spadoni, G.; Zanelli, S. Hazmat transport: A methodological framework for
the risk analysis of marshalling yards. J. Hazard. Mater. 2007, 147, 412–423. [CrossRef] [PubMed]
34. Casamirra, M.; Castiglia, F.; Giardina, M.; Lombardo, C. Safety studies of a hydrogen refuelling station:
Determination of the occurrence frequency of the accidental scenarios. Int. J. Hydrogen Energy 2009, 34,
5846–5854. [CrossRef]
35. Kim, E.; Lee, K.; Kim, J.; Lee, Y.; Park, J.; Moon, I. Development of Korean hydrogen fuelling station codes
through risk analysis. Int. J. Hydrogen Energy 2011, 36, 13122–13131. [CrossRef]
36. International Standard Organization (ISO). Risk Management. In Risk Assessment Techniques; ISO 31010:2011;
ISO: Geneva, Switzerland, 2011.
37. Vesely, W.E.; Goldberg, F.F.; Roberts, N.H.; Haasl, D.F. Fault Tree Handbook; NUREG-0492; Nuclear Regulatory
Commission: Rockville, MD, USA, 1981.
Int. J. Environ. Res. Public Health 2017, 14, 705 26 of 26
38. Segovia Andújar, R. Proyecto de Ejecución de Nueva estación de descarga de productos inflamables
en el muelle norte del puerto de Valencia. In Autoridad Portuaria de Valencia; Ministerio de Fomento:
Madrid, Spain, 2006. (In Spanish)
39. Terminales Portuarias SL (TEPSA). Declaración Ambiental y Responsabilidad Social Corporativa.
Available online: www.tepsa.es (accessed on 14 July 2015). (In Spanish)
40. Boletín Oficial del Estado. Royal Decree 1254/1999 of 16 July, on the Control of Major-Accident Hazards
Involving Dangerous Substances; Boletín Oficial del Estado: Madrid, Spain, 1999; Volume 172, pp. 27167–27180.
(In Spanish)
41. Chang, J.I.; Lin, C.C. A study of storage tank accidents. J. Loss Prev. Process Ind. 2006, 19, 51–59. [CrossRef]
42. Aneziris, O.N.; Papazoglou, I.A.; Konstantinidou, M.; Nivolianitou, Z. Integrated risk assessment for LNG
terminals. J. Loss Prev. Process Ind. 2014, 28, 23–35. [CrossRef]
43. Batista Abreu, J.; Godoy, L.A. Investigación de causas de explosiones en una planta de almacenamiento
de combustible en Puerto Rico. Rev. Int. Desastres Nat. Accid. Infraest. Civ. 2011, 11, 109–122. (In Spanish)
44. Taveau, J. Explosion of Fixed Roof Atmospheric Storage Tanks, Part 1: Background and Review of Case
Histories. Process Saf. Prog. 2011, 30, 381–392. [CrossRef]
45. National Institute of Health and Safety at Work (NIHSW). Papers Prevention. Nº 333: Probabilistic Risk
Analysis: Fault Tree Analysis. Available online: www.insht.es/InshtWeb/Contenidos/Documentacion/
FichasTecnicas/NTP/Ficheros/301a400/ntp_333.pdf (accessed on 14 July 2015). (In Spanish)
46. Ronza, A.; Carol, S.; Espejo, V.; Vílchez, J.A.; Arnaldos, J. A quantitative risk analysis approach to port
hydrocarbon logistics. J. Hazard. Mater. 2006, 128, 10–24. [CrossRef] [PubMed]
47. International Association of Oil and Gas Producers (IAOGP). Storage Incident Frequencies. In Risk Assessment
Data Directory; Report No. 434-3; OGP: London, UK, 2010. Available online: http://www.ogp.org.uk/pubs/
434-03.pdf (accessed on 16 July 2015).
© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access
article distributed under the terms and conditions of the Creative Commons Attribution
(CC BY) license (http://creativecommons.org/licenses/by/4.0/).