SAND2011-0548P

Process Safety Overview

Bangkok, Thailand
1 March 2011

SAND No.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin

Company,
for the United States Department of Energy’s National Nuclear Security Administration
under contract DE-AC04-94AL85000.
 Key acronyms

PSM = process safety management

SDS = safety data sheet
RAGAGEPS = recognized and
generally accepted good engineering practices
 Process safety resources

D. A. Crowl and J. F. Louvar 2001. Chemical

Process Safety: Fundamentals with Applications,
2nd Ed.,
Ed. Upper Saddle River, NJ: Prentice Hall.
 Process safety resources

CCPS 2007a. Center for Chemical Process Safety,

Guidelines for Risk Based Process Safety,
Safety NY:
American Institute of Chemical Engineers.
 Process safety resources

CCPS 2008a. Center for Chemical Process Safety,

Guidelines for Hazard Evaluation Procedures,
Third Edition,
Edition NY: American Institute of Chemical
Engineers.
 Process safety resources

CCPS 2008b. Center for Chemical Process Safety,

Incidents that Define Process Safety,
Safety NY:
American Institute of Chemical Engineers.
 Process safety resources

Johnson et al. 2003. Essential Practices

for Managing Chemical Reactivity Hazards,
Hazards
NY: American Institute of Chemical Engineers,
accessible free after registration on www.knovel.com.
 Process safety resources

CCPS 2001. Center for Chemical Process Safety,

“Reactive Material Hazards: What You Need To
Know,”
Know NY: American Institute of Chem. Engineers,
www.aiche.org/uploadedFiles/CCPS/Resources/SafetyAlerts/reactmat.pdf.
 Process Safety Overview

1. What is “Process Safety”?

2. Opposite of process safety: Major incidents
3. The basic anatomy of process safety incidents
4. Overview of process safety strategies
5. Taking advantage of past experience
6. Defense in depth / layers of protection
7. Elements of process safety management
 Process Safety Overview

1. What is “Process Safety”?

 “Process Safety”

= the absence of loss and harm

resulting from fires, explosions
and hazardous material releases
at process facilities.

(Event-focused definition)
 “Process Safety”

= the absence of loss and harm at

process facilities by
(a) identifying process hazards,
(b) containing and controlling them,
(c) countering abnormal situations
with effective safeguards.

(Activity-focused definition)
 Process Safety Overview

1. What is “Process Safety”?

2. Opposite of process safety: Major incidents
 Some major process incidents

• Flixborough, UK (June 1974)

– Partial oxidation of cyclohexane
– Catastrophic failure of temporary piping
– 30 tonnes of hot cyclohexane released in 30 s
– Vapor cloud explosion
– 28 fatalities, 53 injuries; 1800+ houses damaged;
plant destroyed
– 18 of those fatally injured were in control room
– Hastened passage of UK “Health and Safety at
Work Act”
 Some major process incidents

• Seveso, Italy (July 1976)

– Runaway reaction
– 2 kg of dioxin release from relief system
– Over 17 km2 affected
– Locally grown food banned for several months
– Several inches of topsoil removed, incinerated
– 80,000 animals died or slaughtered
– Plant shut down and destroyed
– EU “Seveso Directive” prompted

See CCPS 2008b for details of these incidents

 Some major process incidents

• Mexico City, Mexico (November 1984)

– Large LPG / fuels storage facility
– Fires, vessel ruptures, boiling-liquid-expanding-
vapor explosions (BLEVEs)
– Initiating cause unknown
– 600 fatalities, 7000 injuries
– Horizontal tanks rocketed as far as 1200 m away
– Fixed fire protection destroyed by blasts
– Fuels terminal destroyed
 Some major process incidents

• Bhopal, India (December 1984)

– Pesticide production facility
– Water introduced into methyl isocyanate storage
– MIC toxic vapor release from vent system
– 2000 to 3000 early fatalities; ~200,000 injuries
– Plant shut down; Union Carbide eventually sold
– Seveso II, EPA Risk Management Program prompted
 Some major process incidents

• Toulouse, France (September 2001)

– Ammonium nitrate storage at fertilizer plant
– Explosive decomposition initiated; cause unknown
– Equivalent blast energy 20-40 tons of TNT
– 30 fatalities; 2500+ injuries; US$ 2 billion in losses
 Some major process incidents

• Texas City, Texas (March 2005)

– Refinery isomerization unit
– One valve not opened during unit re-start
– Release of hot flammable material from blowdown
– Ignition and vapor cloud explosion
– 15 fatalities, 170+ injuries; BP losses and impacts
Photo credit: U.S. Chemical Safety & Hazard Investigation Board
 Some major process incidents

• Buncefield, UK (December 2005)

– Petrol (gasoline) tank farm
– Storage tank overflow
– Ignition, vapor cloud explosion and fires
– 40+ injuries; 20+ tanks destroyed
– Consequences could have been much worse

See www.buncefieldinvestigation.gov.uk/index.htm for details

 Process Safety Overview

1. What is “Process Safety”?

2. Opposite of process safety: Major incidents
3. The basic anatomy of process safety incidents
 Process Safety Incident Anatomy

Preface
This presentation is adapted from course materials and from
presentations used for several years for process safety lectures at the
University of Cincinnati and The Ohio State University, with updates
to reflect terminology used in the Third Edition of Guidelines for
Hazard Evaluation Procedures (CCPS 2008a).
 Incident - Definition

Incident:
An unplanned event or sequence of events
that either resulted in, or had the potential
to result in, adverse impacts.
 Major Process Industry Incidents

• Fires – Fatalities
• Explosions – Injuries
• Toxic Releases – Environ. Damage
– Property Damage
– Evacuations
– Business Losses
– Plant Closings
– Fines, Lawsuits
 – Fatalities
Loss – Injuries
– Environ. Damage
Events – Property Damage
– Evacuations
– Business Losses
– Plant Closings
– Fines, Lawsuits
 Loss
Impacts
Events
 Key Definition

Loss Event:
Point of time in an abnormal situation when
an irreversible physical event occurs that has
the potential for loss and harm impacts.
– CCPS 2008a Glossary
 Key Definition

Loss Event:
Point of time in an abnormal situation when
an irreversible physical event occurs that has
the potential for loss and harm impacts.
– CCPS 2008a Glossary

Examples:
• Hazardous material release
• Flammable vapor or dust cloud ignition
• Tank or vessel overpressurization rupture
 Key Questions

•Why do Loss Events happen?

•How do Loss Events happen?
•What must be done to avoid them?
 WHY do Loss Events happen?

• We choose to handle dangerous

process materials and energies
– To make a living
– To provide society with desirable
products

• As long as we choose to handle them,

a potential for loss events exists
 Analogy

• We choose to handle dangerous

animals at the Zoo
– To make a living
– To provide society with desirable
experiences
• As long as we choose to handle them,
a potential for loss events exists
– Things can be done to reduce their
likelihood and severity to negligible or
tolerable levels
 “Process Safety”

The absence of loss and harm at

process facilities by
(a) identifying process hazards,
(b) containing and controlling them,
(c) countering abnormal situations
with effective safeguards.
 Process Hazard - Definition

Presence of a
stored or connected
material or energy with
inherent characteristics
having the potential for
causing loss or harm.
 Three Types of Process Hazards

• Material hazards
• Energy hazards
• Chemical interaction hazards
 Three Types of Process Hazards

• Material hazard:
hazard A contained or
connected process material with one or
more hazardous characteristics
• Energy hazard
• Chemical interaction hazard
 Inherent Characteristics

Presence of a
stored or connected
material or energy with
inherent characteristics
having the potential for
causing loss or harm.
 Material Hazards

Inherently hazardous characteristics:

Flammability Instability

Toxicity Corrosivity
E.g., Flammable/Combustible Materials

Inherent Characteristics:
• Flash point (volatility)
• Heat of combustion
• Ease of ignition
– Flammability limits
– Minimum ignition energy
– Autoignition temperature
 NFPA 704
Summary
of Material
Hazards for
Emergency
Response

Flammability

Health Instability

Special
 SDSs

Safety Data Sheets

• More complete summary of hazards
• Required to be accessible in workplace
• All hazardous materials on-site
• Available from suppliers, internet sources
• Give only basic chemical reactivity info
• Often inconsistent from source to source
 Hazard Identification

• NFPA 704 diamonds and SDSs only give

properties of individual hazardous materials
– Hazardous energies not identified
– Hazardous chemical interactions not identified
– Connected hazards may not be identified
 Three Types of Process Hazards

• Material hazard
• Energy hazard:
hazard Some form of physical
energy contained within or connected to the
process with the potential for loss or harm
• Chemical interaction hazard
 Process Hazard

Presence of a
stored or connected
material or energy with
inherent characteristics
having the potential for
causing loss or harm.
Form of Energy with Injury Potential
(examples)
Electrical (voltage, capacitance)
Mechanical (spring, machine parts)
Kinetic (moving or rotating mass)
Positional (elevated part or equipment)
Hydraulic (liquid under pressure)
Pneumatic (gas/vapor under pressure)
Chemical–Health Hazard (NFPA 2 to 4)
Chemical–Flammables (NFPA 3 or 4)
Chemical–Combustibles (NFPA 2)
Chemical–Reactive (NFPA 2 to 4)
Thermal–Hot Material (steam, hot oil)
Thermal–Cryogenic Fluid (liquid N2)
LOCKOUT/TAGOUT ENERGY CONTROL PROCEDURE Page 1 of 1

Drawing No. X-100-101

Equipment Name Methanol Flowmeter
Location Bldg 1, Inside dike wall

Form of Energy with Injury Potential Connected Energy Source and Residual and/or
(examples) Magnitude Stored Energy?
Electrical (voltage, capacitance)
Mechanical (spring, machine parts)
Kinetic (moving or rotating mass)
Positional (elevated part or equipment)
Hydraulic (liquid under pressure) MeOH pump discharge, 3 bar g
Pneumatic (gas/vapor under pressure)
Chemical–Health Hazard (NFPA 2 to 4) MeOH, up to 10,000 liters Yes
Chemical–Flammables (NFPA 3 or 4) MeOH, up to 10,000 liters Yes
Chemical–Combustibles (NFPA 2)
Chemical–Reactive (NFPA 2 to 4)
Thermal–Hot Material (steam, hot oil)
Thermal–Cryogenic Fluid (liquid N2)
...
ISOLATE CONNECTED ENERGY SOURCES
Energy Isolating Device #1 Ball Valve
Location Between MeOH transfer pump and flowmeter
Use of Device Close valve
LOTO Lockout and tagout Initials
LOCKOUT/TAGOUT ENERGY CONTROL PROCEDURE Page 1 of 1

Drawing No. X-100-101

Equipment Name Methanol Flowmeter
Location Bldg 1, Inside dike wall

...
ISOLATE CONNECTED ENERGY SOURCES
Energy Isolating Device #1 Ball Valve
Location Between MeOH transfer pump and
flowmeter
Use of Device Close valve
LOTO Lockout and tagout Initials
...
BLEED OFF RESIDUAL OR STORED ENERGIES

Bleed-Off Procedure:
Drain residual flammable liquid into grounded catch pan.
Initials

VERIFY ISOLATION AND DEENERGIZATION

Verification Procedure:
Visually check for pockets of flammable liquid while
disassembling.
Initials
 Three Types of Process Hazards

• Material hazard
• Energy hazard
• Chemical interaction hazard:
Presence of materials with the potential for
loss or harm upon their interaction in an
unintentional or uncontrolled manner
 Reactive Interactions
Example Compatibility Chart for an Acetic Anhydride Handling Facility

Will These Two Acetic Acetic Cooling Sulfuric 50% Lube Cleaning
Materials React? Acid Anhydride Water Acid Caustic Oil Solution
Acetic Acid
Acetic Anhydride Reactive
Not
Cooling Water Reactive
reactive
Concentrated
Reactive Reactive Reactive
Sulfuric Acid
50% Caustic Reactive Reactive Reactive Reactive
Not Not Not
Lube Oil Reactive Reactive
reactive reactive reactive
Cleaning Solution Find out what the cleaning solution contains, then determine reactions

From CCPS 2001

 Process Hazard

Presence of a
stored or connected
material or energy with
inherent characteristics
having the potential for
causing loss or harm.
 Degree of Hazard

• More hazardous material

greater degree of hazard
• Farther from zero energy state
greater degree of hazard
Form of Energy with Injury Potential Zero Energy
(examples) State

Electrical (voltage, capacitance) 0 volts

Mechanical (spring, machine parts) Sprung
Kinetic (moving or rotating mass) At rest
Positional (elevated part or equipment) Ground
level
Hydraulic (liquid under pressure)
0 bar gage
Pneumatic (gas/vapor under pressure)
0 barg, 0 m3
Chemical–Health Hazard (NFPA 2 to 4)
Nontoxic
Chemical–Flammables (NFPA 3 or 4) Non-
Chemical–Combustibles (NFPA 2) flammable
Chemical–Reactive (NFPA 2 to 4) Nonreactive
Thermal–Hot Material (steam, hot oil) Ambient
Thermal–Cryogenic Fluid (liquid N2) Ambient
 Key Questions

•Why do Loss Events happen?

•How do Loss Events happen?
•What must be done to avoid them?
 HOW Do Loss Events Happen?

• Anatomy of an Incident
• Unsafe act & condition precursors
Incident Sequence: Initiating Cause

• (Hazard)
• Cause
• Deviation
• Loss Event
• Impacts
Process Hazard

Presence of a
stored or connected
material or energy with
inherent characteristics
having the potential for
causing loss or harm.
 Normal Operation

Hazards During normal operation,

all hazards are contained
and controlled…
 Normal Operation

Hazards During normal operation,

all hazards are contained
and controlled, but they
are still present.
Incident Sequence: Initiating Cause

• (Hazard)
• Cause
• Deviation
• Loss Event
• Impacts
 Initiating Cause
Every incident starts with an initiating cause
(also called an initiating event or just a “cause”.

Hazards Example initiating causes:

– Feed pump fails off
– Procedural step omitted
– Truck runs into process piping
– Wrong raw material is received
– Extreme low ambient temperature
 Initiating Cause

Once an initiating cause occurs,

normal operation cannot continue without
a process or operational response.
Hazards
Incident Sequence: Deviation

• (Hazard)
• Cause
• Deviation
• Loss Event
• Impacts
 Deviation

The immediate result of an initiating cause

is a deviation.
deviation

Hazards
Deviation
– No Flow
– Low Temperature
– High Pressure
– Less Material Added
– Excess Impurities
– Transfer to Wrong Tank
– Loss of Containment
– etc.
 Abnormal Situations

• Most engineering focuses on designing a

process to work:
(normal situation)

• We must also consider how a process can fail,

starting with an
“abnormal situation”
 Deviation

A deviation is an abnormal situation,

outside defined design or operational parameters.

Hazards
Deviation
– No Flow
– Low Temperature
– High Pressure (exceed upper limit of normal range)
– Less Material Added
– Excess Impurities
– Transfer to Wrong Tank
– Loss of Containment
– etc.
Incident Sequence: Loss Event

• (Hazard)
• Cause
• Deviation
• Loss Event
• Impacts
 Loss Event

A loss event will result if a

deviation continues uncorrected
and the process is not shut down.
Hazards
Deviation Loss Event
 Loss Event

Loss events are generally irreversible

process material/energy releases.
Hazards
Deviation Loss Event
– Release
– Fire
– Explosion
 Loss Event: Step Change in System Entropy
System Entropy

Time
Normal
Operation Deviation Loss Event
– Release
– Fire
– Explosion
 Loss Event

Loss events may also be related

to production or equipment failures.
Hazards
Deviation Loss Event
– Release
– Fire
– Explosion
– Unscheduled shutdown
– Ruined batch
– Compressor failure
Incident Sequence: Impacts

• (Hazard)
• Cause
• Deviation
• Loss Event
• Impacts
 Impacts

Impacts are the losses and injuries

that can result from a loss event.

Hazards
Deviation Loss Event
Impacts
– Injury / Fatality
– Property Damage
– Environmental Damage
 Impacts

There are often other,

less tangible impacts as well.

Hazards
Deviation Loss Event
Impacts
– Injury / Fatality
– Property Damage
– Environmental Damage
– Business Interruption
– Market Share Loss
– Reputation Damage
 Incident Sequence Without Safeguards

Hazards
Deviation Loss Event
Impacts
 HOW Do Loss Events Occur?

• Anatomy of an Incident
• Unsafe act & condition precursors
Unsafe Act & Condition Precursors
 Pyramid Principle of Process Safety

Reducing the
frequency of
precursor events
and near misses...
 Pyramid Principle of Process Safety

… will reduce the

likelihood of a
major loss event
 Key Questions

•Why do Loss Events happen?

•How do Loss Events happen?
• What must be done to avoid Loss Events?
 Process Safety Overview

1. What is “Process Safety”?

2. Opposite of process safety: Major incidents
3. The basic anatomy of process safety incidents
4. Overview of process safety strategies
What
5. Taking advantage of past experience must
6. Defense in depth / layers of protection be
done
7. Elements of process safety management
 Process Safety Overview

1. What is “Process Safety”?

2. Opposite of process safety: Major incidents
3. The basic anatomy of process safety incidents
4. Overview of process safety strategies
 Overview of Process Safety Strategies

• Inherent - Hazard reduction

• Passive - Process or
equipment design features
that reduce risk without active Generally
More
functioning of any device Reliable /
Effective
• Active - Engineering controls

• Procedural - Administrative
controls
 Process Safety Overview

1. What is “Process Safety”?

2. Opposite of process safety: Major incidents
3. The basic anatomy of process safety incidents
4. Overview of process safety strategies
5. Taking advantage of past experience
 Taking Advantage of Past Experience

“Those who cannot remember the past are

condemned to repeat it.” - George Santayana

• Learnings from past (usually bad) experiences

have been embodied in various forms:
– Regulations – Handbooks
– Codes – Guidelines
– Industry standards – Procedures
– Company standards – Checklists
– “Best practices” – Supplier Recommendations
 Taking Advantage of Past Experience

• One term commonly used for non-regulatory codes

and standards is “RAGAGEPS”
• From U.S. OSHA’s Process Safety Management
Standard (Process Safety Information element):
29 CFR 1910.119(d)(3)(ii) The employer
shall document that equipment complies
with recognized and generally accepted
good engineering practices.
 Taking Advantage of Past Experience

• One term commonly used for non-regulatory codes

and standards is “RAGAGEPS”
• Example: International consensus standard IEC 61511
[ANSI/ISA-84.00.01 (IEC 61511 Mod)], “Functional Safety:
Safety Instrumented Systems for the Process Industry Sector”
 RAGAGEPS

Recognized and Generally Accepted

Good Engineering Practices
– Take advantage of wealth of experience
– Pass on accumulated knowledge
– Reduce recurrence of past incidents
– Enable uniformity of expectations
– Reduce liabilities when followed
 Example 2: Anhydrous Ammonia

• Regulatory Requirements:
E.g., U.S. OSHA Standard 29 CFR 1910.111,
“Storage and Handling of Anhydrous Ammonia”

• Industry Standards
– CGA G-2, “Anhydrous Ammonia”
– ANSI/CGA K61.1, “American National Standard
Safety Requirements for the Storage and Handling
of Anhydrous Ammonia”

• Other standards apply to specific applications,

e.g., ammonia refrigeration
 RAGAGEPS Alphabet Soup

• US OSHA • ASHRAE
• US EPA • IIAR
• IEC • ASTM
• NFPA • API
• ASME • AIChE/CCPS
• ISA • IRI
• UL • Chlorine Institute
• FM • SOCMA
• CGA • etc.
 Process Safety Overview

1. What is “Process Safety”?

2. Opposite of process safety: Major incidents
3. The basic anatomy of process safety incidents
4. Overview of process safety strategies
5. Taking advantage of past experience
6. Defense in depth / layers of protection
 Defense in Depth / Layers of Protection

• Also called “Safety Layers”

• Multiple layers may be needed,
since no protection is 100% reliable
• Each layer must be designed to be effective
• Each layer must be maintained to be effective
• Some layers of protection are contain and
control measures
• Other layers of protection are safeguards
“Layers of
Protection”
between
hazards and
receptors
HAZARD
=
“Defense
In Depth”
HAZARD
 Defense in Depth / Layers of Protection

• Also called “Safety Layers”

• Multiple layers may be needed,
since no protection is 100% reliable
• Each layer must be designed to be effective
• Each layer must be maintained to be effective
• Some layers of protection are contain and
control measures
• Other layers of protection are safeguards
 Contain & Control

Contain Operational Mode: Normal operation

& Control Objective: Maintain normal operation;
keep hazards contained and controlled
Hazards
Examples of Contain & Control:
– Basic process control system
– Inspections, tests, maintenance
– Operator training
• How to conduct a procedure or operate a
process correctly and consistently
• How to keep process within established limits
– Guards, barriers against external forces
– Management of change
Contain &
Control

HAZARD
 Key Definition

Safeguard:
Any device, system, or action that would
likely interrupt the chain of events
following an initiating cause or that
would mitigate loss event impacts.
– CCPS 2008a Glossary
 Two Types of Safeguards

Preventive Mitigative

Hazards Regain control

or shut down

Deviation Mitigated

Loss Event
Impacts
Unmitigated
 Preventive Safeguards

Preventive

Hazards Regain control

or shut down

Deviation

Loss Event
Impacts
 Preventive Safeguards

Preventive Operational Mode: Abnormal operation

Objective: Regain control or shut down;

Regain control keep loss events from happening
or shut down
Examples of Preventive Safeguards:
– Operator response to alarm
Loss Event – Safety Instrumented System
– Hardwired interlock
– Last-resort dump, quench, blowdown
– Emergency relief system
Preventive
Safeguards

HAZARD
 Mitigative Safeguards

Preventive Mitigative

Hazards Regain control

or shut down

Deviation Mitigated

Loss Event
Impacts
Unmitigated
 Mitigative Safeguards

Mitigative Operational Mode: Emergency

Objective: Minimize impacts

Examples of Mitigative Safeguards:

Mitigated
– Sprinklers, monitors, deluge
– Emergency warning systems
– Emergency response
Impacts – Secondary containment; diking/curbing
– Discharge scrubbing, flaring, treatment
Unmitigated – Shielding, building reinforcement, haven
– Escape respirator, PPE
 Mitigative
Safeguards

HAZARD
 Contain & Control: Before Initiating Cause

Contain
Preventive Mitigative
& Control
Hazards Regain control
or shut down

Deviation Mitigated

Loss Event Impacts

Unmitigated
 Safeguards: After Initiating Cause
Safeguards
Contain
Preventive Mitigative
& Control
Hazards Regain control
or shut down

Deviation Mitigated

Loss Event Impacts

Unmitigated
 Process Safety Overview

1. What is “Process Safety”?

2. Opposite of process safety: Major incidents
3. The basic anatomy of process safety incidents
4. Overview of process safety strategies
5. Taking advantage of past experience
6. Defense in depth / layers of protection
7. Elements of process safety management
 Elements of a comprehensive PSM program

• Management systems • Pre-startup safety

• Employee participation reviews

• Process safety • Mechanical integrity

information • Safe work practices
• Process hazard • Management of change
analysis • Emergency planning and
• Operating procedures response
• Training • Incident investigation
• Contractor safety • Compliance audits
 PSM elements addressed in this course

• Management systems • Pre-startup safety

• Employee participation reviews

• Process safety • Mechanical integrity

information • Safe work practices
• Process hazard • Management of change
analysis • Emergency planning and
• Operating procedures response
• Training • Incident investigation
• Contractor safety • Compliance audits