Major Hazard Facilities Major Accident Identification and Risk Assessment

Upload: gabriel-shira

Post on 31-Mar-2015


TRANSCRIPT

Page 1: Major Hazard Facilities Major Accident Identification and Risk Assessment

Major Hazard Facilities

Major Accident Identification and Risk Assessment

Page 2: Major Hazard Facilities Major Accident Identification and Risk Assessment

Overview

• This seminar has been developed in the context of the MHF regulations to provide:

– An overview of MA identification and risk assessment
– The steps required for MA recording
– Examples of major accidents identified
– The steps required for a risk assessment
– Examples of risk assessment formats

Page 3: Major Hazard Facilities Major Accident Identification and Risk Assessment

Some Abbreviations and Terms

• AFAP - As far as (reasonably) practicable
• BLEVE – Boiling liquid expanding vapour explosion
• BPCS – Basic process control system
• DG - Dangerous goods
• Employer - Employer who has management control of the facility
• Facility - any building or structure which is classified as an MHF under the regulations
• HAZID - Hazard identification
• HSR - Health and safety representative
• LOC - Loss of containment
• LOPA – Layers of protection analysis
• MHF - Major hazard facility
• MA - Major accident
• SIS – Safety instrumented system

Page 4: Major Hazard Facilities Major Accident Identification and Risk Assessment

Topics Covered In This Presentation

• Regulations
• Definition - Major accident (MA)
• MA identification issues
• Approaches to MA identification
• MA recording
• Pitfalls

Page 5: Major Hazard Facilities Major Accident Identification and Risk Assessment

Topics Covered In This Presentation

• Definition of a risk assessment
• Approaches
• Risk assessment
• Likelihood assessment
• Consequences
• Risk evaluation and assessment
• Summary
• Sources of additional information
• Review and revision

Page 6: Major Hazard Facilities Major Accident Identification and Risk Assessment

Regulations

Occupational Health and Safety (Safety Standards) Regulations 1994

• Hazard identification (R9.43)
• Risk assessment (R9.44)
• Risk control (i.e. control measures) (R9.45, S9A 210)
• Safety Management System (R9.46)
• Safety report (R9.47, S9A 212, 213)
• Emergency plan (R9.53)
• Consultation

Page 7: Major Hazard Facilities Major Accident Identification and Risk Assessment

Regulations

Occupational Health and Safety (Safety Standards) Regulations 1994

Regulation 9.43 (Hazard identification) states:

The employer must identify, in consultation with employees, contractors (as far as is practicable) and HSRs:

a) All reasonably foreseeable hazards at the MHF that may cause a major accident; and

b) The kinds of major accidents that may occur at the MHF, the likelihood of a major accident occurring and the likely consequences of a major accident.

Page 8: Major Hazard Facilities Major Accident Identification and Risk Assessment

Regulations

Occupational Health and Safety (Safety Standards) Regulations 1994

Regulation 9.44 (Risk assessment) states:

If a hazard or kind of major accident at the MHF is identified under regulation 9.43, the employer must ensure that any risks associated with the hazard or major accident are assessed, in consultation with employees, contractors (as far as is practicable) and HSRs.

The employer must ensure that the risk assessment is reviewed:

a) Within 5 years after the assessment is carried out, and afterwards at intervals of not more than 5 years; and

b) Before a modification is made to the MHF that may significantly change a risk identified under regulation 9.43; and

c) When developments in technical knowledge or the assessment of hazards and risks may affect the method at the MHF for assessing hazards and risks; and

d) If a major accident occurs at the MHF.

Page 9: Major Hazard Facilities Major Accident Identification and Risk Assessment

Regulations

Occupational Health and Safety (Safety Standards) Regulations 1994

Regulation 9.45 (Risk control) states:

The employer must, in consultation with employees, contractors (as far as is practicable) and HSRs, ensure that any risk associated with a hazard at the MHF is:

a) eliminated; or

b) If it is not practicable to eliminate the risk – reduced as far as practicable.

The employer must:

a) Implement measures at the MHF to minimise the likelihood of a major accident occurring; and

b) Implement measures to limit the consequences of a major accident if it occurs; and

c) Protect relevant persons, an at-risk community, and the built and natural environment surrounding the MHF, by establishing an emergency plan and procedures in accordance with regulation 9.53.

Page 10: Major Hazard Facilities Major Accident Identification and Risk Assessment

Major Accident

Definition

A major accident is defined in the Regulations as:

A sudden occurrence at the facility causing serious danger or harm to:

– A relevant person or
– An at-risk community or
– Property or
– The environment

whether the danger or harm occurs immediately or at a later time

Page 11: Major Hazard Facilities Major Accident Identification and Risk Assessment

MA Identification Issues

• Unless ALL possible MAs are identified then causal and contributory hazards may be overlooked and risks will not be accurately assessed
• Likewise, controls cannot be identified and assessed
• Identification of MAs must assume control measures are absent/unavailable/not functional

That is:

WHAT COULD HAPPEN IF CONTROL MEASURES WERE NOT APPLIED AND MAINTAINED?

Page 12: Major Hazard Facilities Major Accident Identification and Risk Assessment

MA Identification Issues

MAs can be identified in three different areas

These are:
• Process MAs
• MAs arising from concurrent activities
• Non-process MAs

Page 13: Major Hazard Facilities Major Accident Identification and Risk Assessment

MA Identification Issues

Process MAs
• These are MAs caused by hazards which are associated with upsets in the process, or failure of equipment in the process, etc

MAs arising from concurrent activities
• Typical concurrent operations which must be considered are:

- Major shutdowns/start ups
- Other activity on site
- Activities adjacent to the facility

Page 14: Major Hazard Facilities Major Accident Identification and Risk Assessment

MA Identification Issues

Non-Process MAs

• MAs created by non-process hazards that could cause release of Schedule 9 materials

• Non-process hazards may typically include the following: aircraft crashing; dropped objects; extreme environmental conditions (earthquake, cyclone, high winds, lightning); non-process fires (e.g. bush fire); vehicles and road transport; heat stress

Page 15: Major Hazard Facilities Major Accident Identification and Risk Assessment

MA Identification Issues

• Collate appropriate

– Facility information
– Incident data/histories

• To ensure a thorough understanding of:

– The nature of the facility
– Its environment
– Its materials
– Its processes

Page 16: Major Hazard Facilities Major Accident Identification and Risk Assessment

MA Identification Issues

• Develop/select a structured method for determining what types of MA can occur:

– Loss of containment
– Fire
– Explosion
– Release of stored energy
– Where they can occur
– Under what circumstances

• Define and document any restrictions applied to the above

Page 17: Major Hazard Facilities Major Accident Identification and Risk Assessment

MA Identification – Tools Usage

Examples of tools which might be used include:

• Analysis of Schedule 9 materials and DG properties
• Use of HAZID techniques
• Review of existing hazard identification or risk assessment studies
• Analysis of incident history – local, industry, company and applicable global experience

Page 18: Major Hazard Facilities Major Accident Identification and Risk Assessment

Approach to MA Identification

• It may be efficient to treat similar equipment items handling the same Schedule 9 materials together - as often they have similar hazards and controls

• Further, to ensure correct mitigation analysis, the equipment grouped together should contain similar materials at similar process conditions, resulting in similar consequences on release

Page 19: Major Hazard Facilities Major Accident Identification and Risk Assessment

Approach to MA Identification

• For consistency of analysis, all MAs should be defined in terms of an initial energy release event

• This can be characterised as a loss of control of the Schedule 9 material

• As an example, in the case of a hydrocarbon release from one vessel leading to a jet fire that subsequently causes a BLEVE in a second vessel, the MA should be defined in terms of the initial hydrocarbon release from the first vessel

Page 20: Major Hazard Facilities Major Accident Identification and Risk Assessment

Approach to MA Identification

• Review HAZID studies to identify initiating events for each MA
• Review to ensure all hazards have been identified
• Special checklists should be developed to assist with this process
• Further hazards may be identified from:

– Discussions with appropriate subject experts
– Review of incident data
– Review of the records from a similar system

Page 21: Major Hazard Facilities Major Accident Identification and Risk Assessment

MA Recording

• A structured approach is important
• It can then link equipment management strategies and systems
• Record the key outputs in a register

For each MA, the register should record the following information:
• Equipment that comprises the MA
• Group similar items into one MA
• Description
• Consequences

Page 22: Major Hazard Facilities Major Accident Identification and Risk Assessment

MA Recording

• Consider all Schedule 9 materials - regardless of quantity

• Screen out incidents that do not pose a serious danger or harm to personnel, the community, the environment or property

• Screening should only be on the basis of consequence not likelihood

– i.e. Events should not be screened out on the basis of likelihood or control measures being active

– Consequence modelling should be used as justification for screening decisions

• External influences need to be considered, for example, potential for a power failure to cause a plant upset leading to an MA

Page 23: Major Hazard Facilities Major Accident Identification and Risk Assessment

Example – MA Recording

The following are examples of MA recording details

MA Reference No. | MA Description | Equipment Included
LPG-PU23-00110 | LOC - pumps | LPG transfer pumps (P254/A)
TKF-SA10 | LOC – finished flammable product release from tank farm | Flammable storage tanks A202, A205, A206, B21, C55
A26 | Ignition of material | Extruders E21/E22/D54

Page 24: Major Hazard Facilities Major Accident Identification and Risk Assessment

Major Hazard Facilities

Risk Assessment

Page 25: Major Hazard Facilities Major Accident Identification and Risk Assessment

What is Risk?

• Regulatory definition (per Part 20 of the Occupational Health and Safety (Safety Standards) Regulations 1994): “Risk means the probability and consequences of occurrence of injury or illness”

• AS/NZS 4360 (Risk Management Standard): “the chance of something happening that will have an impact on objectives”

• Risk combines the consequence and the likelihood

RISK = CONSEQUENCE x LIKELIHOOD

Page 26: Major Hazard Facilities Major Accident Identification and Risk Assessment

Hazard versus Risk

Page 27: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment Definition

• Any analysis or investigation that contributes to understanding of any or all aspects of the risk of major accidents, including their:

– Causes
– Likelihood
– Consequences
– Means of control
– Risk evaluation

Page 28: Major Hazard Facilities Major Accident Identification and Risk Assessment

The Risk Assessment Should…

• Ensure a comprehensive and detailed understanding of all aspects for all major accidents and their causes

• Be a component of the demonstration of adequacy required in the safety report - e.g. by evaluating the effects of a range of control measures and provide a basis for selection/rejection of measures

Page 29: Major Hazard Facilities Major Accident Identification and Risk Assessment

Approach

• The MHF Regulations respond to this by requiring comprehensive and systematic identification and assessment of hazards

• HAZID and Risk Assessment must have participation by employees, as they have important knowledge to contribute together with important learnings

• These employees MAY BE the HSRs, but DO NOT HAVE TO BE

• However, the HSRs should be consulted in selection of appropriate participants in the process

Page 30: Major Hazard Facilities Major Accident Identification and Risk Assessment

Approach

Types of Risk Assessment

[Figure: types of risk assessment. Labels: Hazard Identification; Qualitative Assessment; Detailed Studies; Quantitative Risk Assessment; Asset Integrity Studies; Plant Condition Analysis; Human Factors Studies; Consequence Analysis; Likelihood Analysis; Technology Studies]

Page 31: Major Hazard Facilities Major Accident Identification and Risk Assessment

Causes

• From the HAZID and MA evaluation process, pick an MA for evaluation

• From the hazard register, retrieve all the hazards that can lead to the MA being realised

• In a structured approach, list all of the controls currently in place to prevent each of the hazards that lead to the MA being realised

• Examine critically all of the controls currently in place designed to prevent the hazard being realised

Page 32: Major Hazard Facilities Major Accident Identification and Risk Assessment

Causes

• As an example, from hazard register, MA - A26

[Diagram: Ignition of materials (MA - A26)]

Page 33: Major Hazard Facilities Major Accident Identification and Risk Assessment

Causes

List all possible causes of the accident (identified during HAZID study)

[Diagram: Ignition of materials (MA - A26), with Hazard Scenario 1, Hazard Scenario 2, Hazard Scenario 3, etc]

Page 34: Major Hazard Facilities Major Accident Identification and Risk Assessment

Causes

List all prevention controls for the accident (identified during HAZID study)

[Diagram: Ignition of materials (MA - A26); Hazard Scenario 1 with Prevention controls C1-1 and C1-2; Hazard Scenario 2 with Prevention control C2-1; Hazard Scenario 3, etc with Prevention control C3-1]

Page 35: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment

• Likelihood analysis can involve a range of approaches, depending on the organisation’s knowledge, data recording systems and culture

• This knowledge can range from:

- In-house data - existing data recording systems and operational experience
- Reviewing external information from failure rate data sources

• Both are valid, however, the use of in-house data can provide added value as it is reflective of the management approaches and systems in place

Page 36: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment

• A “Likelihood” is an expression of the chance of something happening in the future - e.g. Catastrophic vessel failure, one chance in a million per year (1 x 10^-6/year)

• “Frequency” is similar to likelihood, but refers to historical data on actual occurrences

Page 37: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment

Likelihood Analysis can use:

• Historical

– Site historical data
– Generic failure rate data

• Assessment

– Workshops (operators and maintenance personnel)
– Fault trees
– Event trees
– Assessment of human error

Page 38: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Qualitative Approach

• A qualitative approach can be used for assessment of likelihood

• This is based upon agreed scales for interpretation purposes and for ease of consistency

– For example, reducing orders of magnitude of occurrence

• It also avoids the sometimes more complicated issue of using frequency numbers, which can be difficult on occasions for people to interpret

Page 39: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Qualitative Approach

Category | Likelihood
A | Possibility of repeated events (once in 10 years)
B | Possibility of isolated incidents (once in 100 years)
C | Possibility of occurring sometimes (once in 1,000 years)
D | Not likely to occur (once in 10,000 years)
E | Rare occurrence (once in 100,000 years)

Page 40: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Fault Trees

• A fault tree is a graphical representation of the logical relationship between a particular system, accident or other undesired event, typically called the top event, and the primary cause events

• In a fault tree analysis, the state of the system is analysed to find and evaluate the mechanisms influencing a particular failure scenario

Page 41: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Fault Trees

• A fault tree is constructed by defining a top event and then defining the cause events and the logical relations between these cause events

• This is based on:

- Equipment failure rates
- Design and operational error rates
- Human errors
- Analysis of design safety systems and their intended function

Page 42: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Fault Trees Example

[Figure: fault tree. Top event: Process vessel over pressured. Gates: AND, AND, OR. Events: Pressure rises; Process pressure rises; Control fails high; PSV does not relieve; PSV too small; Set point too high; PSV stuck closed; Fouling inlet or outlet]
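The vessel overpressure fault tree from this slide, evaluated in code. This is an added example, not part of the original seminar: the gate layout is one reading of the flattened figure (a top AND gate over "Pressure rises" and "PSV does not relieve"), every probability is a constructed value rather than plant or published data, and the rounding rule in `likelihood_category` is an assumption.

```python
"""Fault-tree evaluation for the vessel overpressure example (added example)."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Basic:
    name: str
    p: float  # probability of the event in one year (constructed value)


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str      # "AND" or "OR"
    inputs: tuple  # child Basic / Gate nodes

    def __post_init__(self):
        if self.kind not in ("AND", "OR") or not self.inputs:
            raise ValueError(f"bad gate {self.name!r}")


def probability(node):
    """Probability of a node, assuming all basic events are independent."""
    if isinstance(node, Basic):
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name!r}: probability out of range")
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)                      # every input must occur
    return 1.0 - prod(1.0 - p for p in ps)   # at least one input occurs


def cut_sets(node):
    """Minimal sets of basic events that together cause the node."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    per_child = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = [cs for sets in per_child for cs in sets]
    else:  # AND: one cut set from each input, merged
        combined = [frozenset()]
        for sets in per_child:
            combined = [a | b for a in combined for b in sets]
    unique = list(dict.fromkeys(combined))
    return [s for s in unique if not any(other < s for other in unique)]


# Likelihood categories from the seminar's qualitative scale (per year).
SCALE = [("E", 1e-5), ("D", 1e-4), ("C", 1e-3), ("B", 1e-2), ("A", 1e-1)]


def likelihood_category(per_year):
    """Assumption: round up to the next more frequent category."""
    for category, limit in SCALE:
        if per_year <= limit:
            return category
    return "A"


# Tree layout as read from the slide; all numbers are constructed.
PSV_FAILS = Gate("PSV does not relieve", "OR", (
    Basic("PSV too small", 0.001),
    Basic("Set point too high", 0.005),
    Basic("PSV stuck closed", 0.01),
    Basic("Fouling inlet or outlet", 0.004),
))
PRESSURE_RISES = Gate("Pressure rises", "AND", (
    Basic("Process pressure rises", 0.1),
    Basic("Control fails high", 0.05),
))
TOP = Gate("Process vessel over pressured", "AND", (PRESSURE_RISES, PSV_FAILS))

if __name__ == "__main__":
    p = probability(TOP)
    print(f"{TOP.name}: {p:.2e} per year, category {likelihood_category(p)}")
    for cs in cut_sets(TOP):
        print("  cut set:", sorted(cs))
```

Every minimal cut set contains three basic events, so under this reading no single failure causes the top event.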

Page 43: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Generic Failure Rate Data

• This information can be obtained from:

- American Institute of Chemical Engineers Process Equipment Reliability Data
- Loss Prevention in the Process Industries
- E&P Forum
- UK Health and Safety Executive data
- and other published reports

(Refer to Sources of Additional Information slides for references)

Page 44: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Human Error

• Human error needs to be considered in any analysis of likelihood of failure scenarios

• The interaction between pending failure scenarios, actions to be taken by people and the success of those actions needs to be carefully evaluated in any safety assessment evaluation

• Some key issues of note include:

– Identifying particular issue
– Procedures developed for handling the issue
– Complexity of thought processing information required

Page 45: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Human Error

Type of Behaviour | Error Probability
Extraordinary errors: of the type difficult to conceive how they could occur: stress free, powerful cues initiating for success. | 10^-5 (1 in 100,000)
Error in regularly performed, commonplace, simple tasks with minimum stress (e.g. Selection of a key-operated switch rather than a non key-operated switch). | 10^-4 (1 in 10,000)
Errors of omission where dependence is placed on situation cues and memory. Complex, unfamiliar task with little feedback and some distractions (e.g. failure to return manually operated test valve to proper configuration after maintenance). | 10^-2 (1 in 100)
Highly complex task, considerable stress, little time to perform it e.g. during abnormal operating conditions, operator reaching for a switch to shut off an operating pump fails to realise from the indicator display that the switch is already in the desired state and merely changes the status of the switch. | 10^-1 (1 in 10)

Page 46: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Event Trees

• Used to determine the likelihood of potential consequences after the hazard has been realised

• It starts with a particular event and then defines the possible consequences which could occur

• Each branching point on the tree represents a controlling point, incorporating the likelihood of success or failure, leading to specific scenarios

• Such scenarios could be:

– Fire
– Explosion
– Toxic gas cloud

• Information can then be used to estimate the frequency of the outcome for each scenario

Page 47: Major Hazard Facilities Major Accident Identification and Risk Assessment

Likelihood Assessment – Event Trees

[Figure: event tree example – LPG Pipeline Release]
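How an event tree turns one initiating event into outcome frequencies, as an added example that is not part of the original seminar and does not reproduce the LPG pipeline figure. The branch questions, branch probabilities and release frequency are all constructed; only the outcome names (fire, explosion, toxic gas cloud) come from the slides.

```python
"""Event-tree outcome frequencies (added example with constructed numbers)."""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Branch:
    question: str               # the controlling point being tested
    p_yes: float                # probability that the answer is "yes"
    yes: Union["Branch", str]   # sub-tree, or a named outcome
    no: Union["Branch", str]


def outcome_frequencies(initiating_per_year, node):
    """Walk every path of the tree; return {outcome: frequency per year}."""
    totals = {}

    def walk(current, path_probability):
        if isinstance(current, str):  # leaf: a named outcome
            totals[current] = (totals.get(current, 0.0)
                               + initiating_per_year * path_probability)
            return
        if not 0.0 <= current.p_yes <= 1.0:
            raise ValueError(f"{current.question!r}: probability out of range")
        walk(current.yes, path_probability * current.p_yes)
        walk(current.no, path_probability * (1.0 - current.p_yes))

    walk(node, 1.0)
    return totals


# Constructed tree for a release of a flammable and toxic gas.
TREE = Branch(
    "Immediate ignition?", 0.10,
    "Fire",
    Branch(
        "Delayed ignition?", 0.20,
        Branch("Cloud in a congested area?", 0.30, "Explosion", "Fire"),
        "Toxic gas cloud",
    ),
)
RELEASE_PER_YEAR = 1e-3  # constructed initiating-event frequency

if __name__ == "__main__":
    result = outcome_frequencies(RELEASE_PER_YEAR, TREE)
    for outcome, per_year in sorted(result.items()):
        print(f"{outcome:16s} {per_year:.2e} per year")
    # Branches are exhaustive, so the outcomes add back up to the release.
    print(f"{'total':16s} {sum(result.values()):.2e} per year")
```

"Fire" is reached by two paths (immediate ignition, and delayed ignition outside a congested area), which is why outcome frequencies are summed per outcome rather than per path.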

Page 48: Major Hazard Facilities Major Accident Identification and Risk Assessment

Consequences

• Most scenarios will involve at least one of the following outcomes:

– Loss of containment
– Reactive chemistry
– Injury/illness
– Facility reliability
– Community impacts
– Moving vehicle incidents
– Ineffective corrective action
– Failure to share learnings

Page 49: Major Hazard Facilities Major Accident Identification and Risk Assessment

Consequences

• Consequence evaluation estimates the potential effects of hazard scenarios

• The consequences can be evaluated with specific consequence modelling approaches

• These approaches include:

- Physical events modelling (explosion, fire, toxic gas consequence modelling programs)
- Occupied building impact assessment

Page 50: Major Hazard Facilities Major Accident Identification and Risk Assessment

Consequences - Qualitative Evaluation

• A qualitative evaluation is based upon a descriptive representation of the likely outcome for each event

• This requires selecting a specific category rating system that is consistent with corporate culture

Page 51: Major Hazard Facilities Major Accident Identification and Risk Assessment

Consequences - Qualitative Descriptors Example

Consequence descriptors | Insignificant | Minor | Moderate | Major | Catastrophic
Health and Safety Values | A near miss, first aid injury | One or more lost time injuries | One or more significant lost time injuries | One or more fatalities | Significant number of fatalities
Environmental Values | No impact | No or low impact | Medium impact. Release within facility boundary | Medium impact outside the facility boundary | Major impact event
Financial Loss Exposures | Loss below $5,000 | Loss $5,000 to $50,000 | Loss from $50,000 to $1M | Loss from $1M to $10M | Loss above $10M

Page 52: Major Hazard Facilities Major Accident Identification and Risk Assessment

Consequences – Quantitative Evaluation

• Consequence analysis estimates the potential effects of scenarios

• Tools include:

- Potential consequences (event tree)
- Physical events modelling (explosion, fire and/or gas dispersion consequence modelling programs)
- Load resistance factor design (building design)

Page 53: Major Hazard Facilities Major Accident Identification and Risk Assessment

Consequences - Qualitative Evaluation Example

Example: Impact of Explosions

Explosion Overpressure (kPa) | Effects
7 (1 psi) | Results in damage to internal partitions and joinery but can be repaired.
21 (3 psi) | Reinforced structures distort, storage tanks fail.
35 (5 psi) | Wagons and plant items overturned, threshold of eardrum damage.
70 (10 psi) | Complete demolition of houses, threshold of lung damage.

Note: Calculations can be undertaken to determine probability of serious injury and fatality

Page 54: Major Hazard Facilities Major Accident Identification and Risk Assessment

Consequences - Qualitative Evaluation Example

[Figure: Example - Overpressure Contour - impact on facility buildings. Contours at 7 kPa, 14 kPa, 21 kPa and 35 kPa around the release scenario location]

Page 55: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Evaluation

• Risk evaluation can be undertaken using qualitative and/or quantitative approaches

• Risk comprises two categories - frequency and consequence

• Qualitative methodologies that can be used are

- Risk matrix
- Risk nomograms

• Semi – quantitative techniques

- Layers of protection analysis
- Risk matrix

• Quantitative - quantitative techniques

Page 56: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - What Type?

[Figure: spectrum of assessment types. Qualitative Assessment; Semi-Quantitative Assessment; Quantitative Assessment]

Simple, subjective, low resolution, high uncertainty, low cost

Detailed, objective, high resolution, low uncertainty, increasing cost

Page 57: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment – Issues For Consideration

• Greater assessment detail provides more quantitative information and supports decision-making

• Strike a balance between increasing cost of assessment and reducing uncertainty in understanding

• Pick methods that reflect the nature of the risk, and the decision options

Page 58: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment – Issues For Consideration

• Stop once all decision options are differentiated and the required information compiled

• Significant differences of opinion regarding the nature of the risk or the control regime indicate that further assessment is needed

Page 59: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Qualitative

• Qualitative risk assessment can be undertaken using the following

- Risk nomogram
- Risk matrix

• Both approaches are valid and the selection will depend upon the company and its culture

Page 60: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Risk Nomogram

• A nomogram is a graphical device designed to allow approximate calculation

• Its accuracy is limited by the precision with which physical markings can be drawn, reproduced, viewed and aligned

• Nomograms are usually designed to perform a specific calculation, with tables of values effectively built into the construction of the scales

Page 61: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Risk Nomogram

Most nomograms are used in situations where an approximate answer is appropriate and useful

[Figure: risk nomogram with a tie line. Scales as labelled on the slide:
LIKELIHOOD: Practically Impossible; Conceivable but Very Unlikely; Remotely Possible; Unusual but Possible; Quite Possible, Could Happen; Might well be Expected at Sometime
EXPOSURE: Continuous; Frequent, Daily; Occasional, Once per Week; Unusual, Once per Month; Rare, Few per year; Very Rare, Yearly or Less
POSSIBLE CONSEQUENCES: Noticeable, Minor Injury / First Aid, >$1k Damage; Important, Disability, >$10k Damage; Serious, Serious Injury, >$100k Damage; Very Serious, Fatality, >$1M Damage; Disaster, Multiple Fatalities, >$10M Damage; Catastrophe, Many Fatalities, >$100M Damage
Scale values: 500, 400, 300, 200, 100, 80, 60, 40, 20, 10, 0
Risk bands: Very High Risk, Consider Discontinuing Operation; High Risk, Immediate Correction Required; Substantial Risk, Correction Required; Risk must be Reduced SFARP; Risk Acceptable if Reduced SFARP]

Page 62: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Risk Nomogram

Advantages and Disadvantages

• Accuracy is limited
• Designed to perform a specific calculation
• Cannot easily denote different hazards leading to an MA
• Typically not used by MHFs

Page 63: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Risk Matrix

• Hazards can be allocated a qualitative risk ranking in terms of estimated likelihood and consequence and then displayed on a risk matrix

• Consequence information has already been discussed, hence, information from this part of the assessment can be used effectively in a risk matrix

• Risk matrices can be constructed in a number of formats, such as 5x5, 7x7, 4x5, etc

• Often facilities may have a risk matrix for other risk assessments (e.g. task analysis, JSA)

Page 64: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Risk Matrix

• Results can be easily presented

- In tabular format for all MAs
- Within a risk matrix

• Such processes can illustrate major risk contributors, aid the risk assessment and demonstration of adequacy

• Care needs to be taken to ensure categories are consistently used and there are no anomalies

• Australian/New Zealand Standard, AS4360, Risk Management 1999, provides additional information on risk matrices

Page 65: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Risk Matrix

Risk matrix example (AS4360)

Consequences | 5 Catastrophic | 4 Major | 3 Moderate | 2 Minor | 1 Insignificant
Health and Safety Values | Significant number of fatalities | One or more fatalities | One or more significant Lost Time Injuries (LTI) | One or more Lost Time Injuries (LTI) | A near miss, First Aid Injury (FAI) or one or more Medical Treatment Injuries (MTI)
Environmental Values | Major impact event | Medium impact outside the facility boundary | Medium impact. Release within facility boundary | No or low impact | No impact
Financial Loss Exposures | Loss of above $10,000,000 | Loss from $1,000,000 to $10,000,000 | Loss from $50,000 to $1,000,000 | Loss $5,000 to $50,000 | Loss below $5,000

Likelihood | 5 | 4 | 3 | 2 | 1
E Rare occurrence (1 x 10^-5 per year) | Significant Risk | Significant Risk | Moderate Risk | Low Risk | Low Risk
D Not likely to occur (1 x 10^-4 per year) | High Risk | Significant Risk | Moderate Risk | Low Risk | Low Risk
C Possibility of occurring sometimes (1 x 10^-3 per year) | High Risk | High Risk | Significant Risk | Moderate Risk | Low Risk
B Possibility of isolated incidents (1 x 10^-2 per year) | High Risk | High Risk | Significant Risk | Significant Risk | Moderate Risk
A Possibility of repeated events (1 x 10^-1 per year) | High Risk | High Risk | High Risk | Significant Risk | Significant Risk

Page 66: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Risk Matrix

Advantages

If used well, a risk matrix will:

• Identify event outcomes that should be prioritised or grouped for further investigation
• Provide a good graphical portrayal of risks across a facility
• Help to identify areas for risk reduction
• Provide a quick and relatively inexpensive risk analysis
• Enable more detailed analysis to be focused on high risk areas (proportionate analysis)

Page 67: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Risk Matrix

Disadvantages

• Scale is always a limitation regarding frequency reduction - it does not provide an accurate reduction ranking

• Cumulative issues and evaluations are difficult to show in a transparent manner

• There can be a strong tendency to try to provide a greater level of accuracy than the method is capable of

Page 68: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Semi-Quantitative Approach

• One tool is a layer of protection analysis approach (LOPA)
• It is a simplified form of risk evaluation
• The primary purpose of LOPA is to determine if there are sufficient layers of protection against a hazard scenario
• It needs to focus on:

– Causes of hazards occurring
– Controls needed to minimise the potential for hazards occurring
– If the hazards do occur, what mitigation is needed to minimise the consequences

Page 69: Major Hazard Facilities Major Accident Identification and Risk Assessment

Risk Assessment - Semi-Quantitative Approach (LOPA)

Diagrammatic Representation - LOPA

• Analysing the safety measures and controls that are between an uncontrolled release and the worst potential consequence

Page 70: Major Hazard Facilities Major Accident Identification and Risk Assessment

70

The information for assessment can be presented as a bow-tie diagram

[Bow-tie diagram. Labels: Hazards, Causes, Preventative Controls, MA, Mitigative Controls, Outcomes, Consequences]

Risk Assessment - Semi-Quantitative Approach (LOPA)

Page 71: Major Hazard Facilities Major Accident Identification and Risk Assessment


Advantages and Disadvantages

• Risk evaluation can be undertaken using a bow-tie approach

• A procedural format needs to be developed by the company to ensure consistency of use across all evaluations

• External review (to the safety report team) should be considered for consistency and feedback

• Correct personnel are needed to ensure the most applicable information is applied to the evaluation approach

Risk Assessment - Semi-Quantitative Approach (LOPA)

Page 72: Major Hazard Facilities Major Accident Identification and Risk Assessment


• Quantitative assessments can be undertaken for specific types of facilities

• This is a tool that requires expert knowledge on the technique and has the following aspects:

– It is very detailed

– High focus on objective

– Detailed process evaluations

– Requires a high level of information input

– Provides a high output resolution

– Reduces uncertainty

• Frequency component can be questionable as generic failure rate data is generally used

• Provides understanding on the high risk contributors from a facility being evaluated

Risk Assessment - Quantitative

Page 73: Major Hazard Facilities Major Accident Identification and Risk Assessment


Risk Assessment - Quantitative

Typical result output from such an assessment is individual risk contours

[Figure 13: Sample Risk Plot - VRJ QRA. Risks are in chances per million per year. Individual risk contours labelled 10⁻⁵, 10⁻⁶ and 10⁻⁷ are drawn over a map showing Town Center, Hospital, Racecourse, Light Rail Reserve, Residential, two Schools and Sports Complex. VRJ Risk Engineers Pty Ltd]

Example shown is for land use planning

Page 74: Major Hazard Facilities Major Accident Identification and Risk Assessment


• Time consuming

• Expensive

• Expert knowledge is required

• Not suitable for every MHF site

• Process upsets (such as a runaway reaction) cannot be easily modelled as an initiating event using standard equipment part counts - incorporation of fault tree analysis required

• Use of generic failure rate data has limitations and does not take into consideration a specific company’s equipment and management system strategies

Risk Assessment - Quantitative

Page 75: Major Hazard Facilities Major Accident Identification and Risk Assessment


• A risk assessment provides an understanding of the major hazards and a basis for determining controls in place

• Risk assessments can involve significant time and effort

• Operations personnel and managers could cause, contribute to, control or be impacted by MAs

• Hence they should be involved in the risk assessment

• HSRs may or may not take part, but must be consulted in relation to the process of HAZID & Risk Assessment

• They should also be involved in resolution of any issues that arise during the studies, including improvements to methods and processes

Summary

Page 76: Major Hazard Facilities Major Accident Identification and Risk Assessment


• Employer must review (and revise) Hazard Identifications, Risk Assessments and Control Measures to ensure risks remain reduced to AFAP:

– At the direction of the Commission

– Prior to modification

– After a major accident

– When a control measure is found to be deficient

– At least every 5 years

– Upon licence renewal conditions

Review and Revision

Page 77: Major Hazard Facilities Major Accident Identification and Risk Assessment


The following are a few sources of information covering risk assessment

• Hazard and Operability Studies (HAZOP Studies), IEC 61882, Edition 1.0, 2001-05

• Functional Safety – Safety Instrumented Systems for the Process Industry Sector, IEC 61511, 2004-11

• Fault Tree Analysis, IEC 61025, 1990-10

• Hydrocarbon Leak and Ignition Data Base, E&P Forum, February 1992 N658

• Guidelines for Process Equipment Reliability Data, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1989

Sources of Additional Information

Page 78: Major Hazard Facilities Major Accident Identification and Risk Assessment


• Offshore Hydrocarbon Release Statistics, Offshore Technology Report – OTO 97 950, UK Health and Safety Executive, December 1997

• Loss Prevention in the Process Industries, Lees F. P., 2nd Edition, Butterworth Heinemann

• Layer of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 2001

• Nomogram, Wikipedia, the free encyclopaedia

Sources of Additional Information

Page 79: Major Hazard Facilities Major Accident Identification and Risk Assessment


Questions?

Page 80: Major Hazard Facilities Major Accident Identification and Risk Assessment


Columns: Cause | Hazard | Independent Preventative Protection Layers | Mitigative Protection Layers

• Cause: Loss of cooling tower water to condenser once every 10 years

• Hazard: Catastrophic rupture of distillation column with shrapnel, toxic release

• Protection layers, in the order listed:

– Column's condenser, reboiler and piping maximum allowable working pressures are greater than maximum possible pressure from steam reboiler

– Logic in BPCS trips steam flow valve and steam RCV on high pressure or high temperature. No credit since not independent of SIS.

– High column pressure and temperature alarms can alert operator to shut off the steam to the reboiler (manual valve)

– Logic in BPCS trips steam flow valve and steam RCV on high pressure or high temperature (dual sensors separate from DCS).

– Pressure safety valve opens on high pressure

Example LOPA Assessment – Spreadsheet Format
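The arithmetic behind a LOPA row like the one above, as an added example that is not part of the original slides. The initiating frequency and the no-credit decision for the first BPCS trip come from the slide; the PFD values, the target frequency and all function names are assumptions made for illustration.

```python
# Added illustration of LOPA arithmetic; PFD values and the target are assumed.
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float                # probability of failure on demand (assumed value)
    independent: bool = True  # False: shares sensors, logic or valves with another layer

INITIATING_FREQ = 0.1  # per year: loss of cooling water once every 10 years (slide)
TARGET_FREQ = 5e-7     # per year: tolerable frequency (assumed for illustration)

LAYERS = [
    Layer("Design: MAWP above maximum reboiler pressure", 1e-2),
    Layer("BPCS trip of steam valves on high P/T", 1e-1, independent=False),
    Layer("High P/T alarm, operator closes manual steam valve", 1e-1),
    Layer("Trip with dual sensors separate from DCS", 1e-2),
    Layer("Pressure safety valve", 1e-2),
]

def mitigated_frequency(layers, initiating=INITIATING_FREQ, credit_all=False):
    """Initiating frequency multiplied by the PFD of every credited layer."""
    credited = [l for l in layers if credit_all or l.independent]
    return initiating * prod(l.pfd for l in credited)

def is_sufficient(layers, target=TARGET_FREQ):
    """True when the credited layers bring the scenario to or below the target."""
    return mitigated_frequency(layers) <= target

def critical_layers(layers, target=TARGET_FREQ):
    """Credited layers whose loss alone would push the scenario above target."""
    return [l.name for l in layers if l.independent
            and mitigated_frequency([x for x in layers if x is not l]) > target]

if __name__ == "__main__":
    print(f"mitigated frequency: {mitigated_frequency(LAYERS):.1e} per year")
    # Crediting the non-independent BPCS trip overstates protection tenfold.
    print(f"with BPCS double-counted: "
          f"{mitigated_frequency(LAYERS, credit_all=True):.1e} per year")
    print("sufficient layers:", is_sufficient(LAYERS))
    print("critical layers:", critical_layers(LAYERS))
```

The gap between the two printed frequencies is the error introduced by crediting a layer that shares equipment with another one.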

Page 81: Major Hazard Facilities Major Accident Identification and Risk Assessment


[Bow-tie diagram. Labels: MA-1, MA-2]

Example Bowtie Assessment – System Format